Recent reports have implicated a sophisticated piece of malware known as Regin in targeted attacks in various countries. Regin was described as being highly sophisticated and designed to carry out long-term stealthy surveillance on would-be victims at the behest of its creators, who have been suggested to be nation-states. Telecommunication companies are believed to have been the primary targets of this attack.
How long Regin has been active is unclear. Timestamps of files associated with Regin vary in some reports. Some place the attack in 2003, while others say it started in 2006, 2008, or 2011. Known victims include a Belgian telephone company, leading to suspicions about the threat actors behind this attack.
While Regin is, overall, a well-designed and well-crafted attack, our threat monitoring shows that many of its techniques have been used in earlier attacks. In addition, its overall goal is the same as in those attacks: to steal information from the target while remaining stealthy.
The graphic below outlines some of the advanced techniques we believe were used by Regin:
Figure 1. Advanced techniques used by Regin
As one can see, very few of the techniques used by Regin were completely without precedent in one form or another. Regin's creators appear to have chosen its techniques to maximize stealth; this allows an attacker to maintain a long-term presence on an affected system, which makes it an effective tool for gathering stolen information over time.
We will continue to watch out for developments related to this threat and release updates as necessary.