Nation state responsible for powerful malware targeting airlines and telcos, says Symantec
Mon 24 Nov 2014
A powerful and highly sophisticated piece of malware called Regin has been targeting governments and businesses since 2008, security research group Symantec has found.
The sophisticated software is thought to have infected computers mainly between 2008 and 2011 before resurfacing last year.
According to Symantec, companies in Russia and Saudi Arabia were most affected. No infections had been recorded in U.S. businesses.
The researchers have suggested that Regin would have cost its developers a considerable amount of time and resources – perhaps implying that a “nation state is responsible.”
“It’s likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks,” said Symantec.
Sian John, a Symantec security strategist, implied that “it comes from a Western organisation […] It’s the level of skill and expertise, the length of time over which it was developed.”
Targets included airlines, energy companies, hotels, and telecom firms, from which the malicious software was able to gather personal data and passwords, monitor traffic, and recover deleted files.
Symantec explains in its technical whitepaper that the intricacies of the malware delayed the discovery of Regin:
Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyse and understand the threat.
The research group has drawn a comparison with Stuxnet, a malicious tool reportedly used by the U.S. and Israel to hack Iran’s nuclear programme, which also used a multi-stage loading architecture.
However, it is thought to differ insofar as Stuxnet was developed to attack equipment whereas Regin seems to be used solely to collect information.