Yesterday I wrote the blog post “Wearable Tech: Improving Your Health or Killing Your Privacy?” based on a security report from Symantec. Little did I know that I would write a blog post on another security report from the same company today. The reason is: The world was flooded today with news on “Regin”, a sophisticated Internet spyware uncovered yesterday by Symantec. This breaking news just forced me to write this blog post. So bear with me covering this company two days in a row, and I guarantee that I don’t have anything to do with them. They are simply a big and quite good security company. Let me walk you through their stuff with my blog post.

So, What’s Regin?

Let’s make it simple by letting Symantec describe Regin:

“In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless. What we have seen in Regin is just such a class of malware. … The main purpose of Regin is intelligence gathering and it has been implicated in data collection operations against government organizations, infrastructure operators, businesses, academics, and private individuals. The level of sophistication and complexity of Regin suggests that the development of this threat could have taken well-resourced teams of developers many months or years to develop and maintain.”

According to Symantec, Regin differs from what are commonly called “traditional” advanced persistent threats (APTs). Those typically seek specific information, usually intellectual property. Regin’s purpose is different: it is used for the collection of data and continuous monitoring of targeted organizations or individuals. Their report provides a technical analysis of Regin based on a number of identified samples and components, so it seems to be based on solid research.

This is how Symantec describes Regin in a single sentence:

“An advanced spying tool, Regin displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals.”

It is likely that the development of Regin took months, maybe years, and its authors have gone to great lengths to cover their tracks. Its capabilities and the level of resources behind it indicate that it’s one of the main cyber espionage tools used by a nation state. So here it is: This is made by a government somewhere. Why am I not surprised?

Timeline and Target Profile

Symantec writes that Regin infections have been observed in different organizations between 2008 and 2011 (maybe back to 2006). Then it just disappeared before it showed up in version 2 in 2013.

Targets include private companies, government entities and research institutes, and almost 50% of all infections targeted private individuals and small businesses. Attacks on telecoms companies seem to be designed to gain access to calls being routed through their infrastructure, according to the researchers.

Below are a couple of pie charts from the report showing infections by sector (left) and country.

[Figure: Symantec Regin pie charts]

Anatomy of Regin

Regin is a back-door-type Trojan, “customizable with an extensive range of capabilities depending on the target,” Symantec writes, adding that “it provides its controllers with a powerful framework for mass surveillance”.

Symantec believes that some targets may be fooled into visiting faked versions of well-known websites, or Regin may be installed through a Web browser or by exploiting an application. It uses a modular approach, giving flexibility to the threat operators as they can load custom features tailored to individual targets when required. The developers put a lot of effort into making it highly inconspicuous. It can potentially be used in espionage campaigns lasting several years. Even when it’s detected, it is very difficult to find out what it’s doing. And it has several stealth features. All this makes Regin quite scary, I would say.

Below is a figure outlining Regin as a multi-staged threat with each stage hidden and encrypted (except the first). Executing the first stage starts a domino chain of effects as the figure indicates.

[Figure: Regin architecture]

If you want more tech stuff, please read the blog post from the Finnish security company F-Secure. They write: “We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe. The server had shown symptoms of trouble, as it had been occasionally crashing with the infamous Blue Screen of Death. A driver with an innocuous name of “pciclass.sys” seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin.”

Here is a screen shot of their findings:

[Figure: Regin file header]

Conclusion and Further Reading

Just let me finish this off with the conclusion from the report:

“Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns. The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets. The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist.”

The Internet has been covered with news about Regin since Symantec published their blog post and security report yesterday, so just hit your search button if you want more. Just let me mention a post from Wired today that goes into more detail than the shorter news articles most media produce, like CNN, BBC, WSJ and Forbes. Still, my blog post should give you a good overview.

Regin is for sure crazy and dangerous stuff, so let’s just leave it here. Hopefully we’ll know what government made this shit. Take care!

Update Nov 25th: The Intercept links Regin to US and British intelligence. Read it here.