Unidentified Country Likely Behind Spying Software


Cybersecurity researchers say they’ve identified a highly sophisticated computer-hacking program that appears to have been used by an as-yet-unidentified government to spy on banks, telecommunications companies, official agencies and other organizations around the world.

The malicious software, known as “Regin,” is designed to collect data from its targets for periods of months or years, penetrating deep into computer networks while covering its tracks to avoid detection, according to analysts at Symantec, the Silicon Valley security firm that disclosed the program’s existence in a report this week.

Citing factors including its complexity and the likelihood it took years to develop, Symantec security manager Vikram Thakur said Monday, “We think it could not have come from anybody except an extremely well-funded, organized nation-state.”

Unlike malware that’s been used to hack into retailers’ payment-processing systems, the Regin program isn’t focused on collecting large volumes of credit-card numbers or other financial-account information, he added. Instead, it’s more precisely targeted and can be used to collect screenshots, copy deleted files, steal passwords and monitor digital communications — including mobile-phone calls.

Evidence from contaminated computers shows the malware has been used since at least 2008, with half the known cases discovered in Russia and Saudi Arabia, Symantec said. Based on its design and behavior, experts at Symantec and other firms said they don’t believe it was developed in Russia or China, two countries that are often blamed for cyberattacks around the world.

Reports on two online news sites, Wired.com and The Intercept, cited circumstantial links to suggest the program was used in European cyberattacks that the former National Security Agency contractor Edward Snowden has blamed on U.S. and British intelligence agencies. Without drawing that conclusion, researchers at Symantec Corp. and other firms said Regin’s design was reminiscent of a sophisticated program known as Stuxnet, which The New York Times and The Washington Post have reported was developed by U.S. and Israeli agencies.

When asked about the reports, a spokeswoman for the NSA told The Associated Press, “We are not going to comment on speculation.”

Other experts cautioned that it’s difficult to trace the source of malware.

“It isn’t hard to make a piece of malware look like it came from anywhere in the world,” said Adam Kujawa of the security firm Malwarebytes Labs.

Regardless of the source, Symantec researchers called the design of the Regin program “groundbreaking and almost peerless.” Thakur said the company has been studying the malware since last year.

Another security firm, Kaspersky Labs, reported Monday that it began tracking the program in 2012. In its own report, Kaspersky said the program showed “mind-blowing” sophistication by penetrating several different computer networks in an unnamed Middle Eastern country. Rather than communicate with each target, the malware was able to avoid detection by using one network to relay commands to another. Kaspersky said it found evidence of Regin contamination in 14 different countries, including the Pacific island nations of Fiji and Kiribati.

An early version of the software was used to infect computers between 2008 and 2011, but it was then shut down and much of the code was removed remotely — apparently by its operators, Thakur said. A second version began appearing last year. Kaspersky researchers said they believe the program is still in active use.

Analysts say it’s unclear how the program entered the targeted computers, although Symantec said it found one example where it was introduced through a message sent on Yahoo’s Instant Messenger service.