
Is Backdoor Regin the US/Israeli successor to the Stuxnet virus?

November 24, 2014

A sophisticated spying virus, most probably developed by one or more nation states, has been discovered by Symantec. It has been in use since at least 2008, and targets have been found in at least 10 countries (mainly in Russia and Saudi Arabia). The virus, called Backdoor Regin, is a modular tool designed to be loaded in multiple stages, an architecture similar to that used by the Duqu/Stuxnet family of threats. Symantec has released a white paper on Backdoor Regin. Some analysts see industrial targets as the logical next stage after the targeting of state organisations, as with Stuxnet. Backdoor Regin seems to be targeted at businesses and telecom systems. Symantec warns that “many components of Regin remain undiscovered and additional functionality and versions may exist.”


Confirmed Regin infections by sector – Symantec

An advanced spying tool, Regin displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals.

An advanced piece of malware, known as Regin, has been used in systematic spying campaigns against a range of international targets since at least 2008. A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.

It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.

The Stuxnet family was developed by the US and Israel and targeted the centrifuges at the Iranian nuclear fuel enrichment facility. There too, the second stage was deployed only after years of undetected operation of Stage 1.

Stuxnet, a joint U.S.-Israel project, is known for reportedly destroying roughly a fifth of Iran’s nuclear centrifuges by causing them to spin out of control. …

(The worm was reportedly tested at Israel’s Dimona nuclear facility.)

Only after years of undetected infiltration did the U.S. and Israel unleash the second variation to attack the centrifuges themselves and self-replicate to all sorts of computers. And the first version of Stuxnet was only detected with the knowledge of the second. …

The target countries reported by Symantec suggest to me that, like Stuxnet, the Backdoor Regin spying tool is a US / Israeli development.

Regin uses a modular approach, giving flexibility to the threat operators as they can load custom features tailored to individual targets when required. Some custom payloads are very advanced and exhibit a high degree of expertise in specialist sectors, further evidence of the level of resources available to Regin’s authors.

There are dozens of Regin payloads. The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.

More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base station controllers.

Confirmed Regin Infections by Country – Symantec

Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns. The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.

The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist. Additional analysis continues and Symantec will post any updates on future discoveries.
