Regin malware – one of the most extraordinary pieces of hacking software ever developed.

Rarely does a week go by without news of another high-profile cyber-attack or the discovery of another piece of malware, yet despite numerous security warnings many businesses still purposefully choose to ignore the threats. For reasons that remain unclear they continue to believe that the internet is still a safe place to do business. Well, after the discovery of the latest sophisticated Regin malware by leading security software company Symantec, those businesses just might want to think again. In the opinion of Symantec, Regin isn’t just another run-of-the-mill virus: it is a potentially destructive piece of malware that displays a degree of technical competence rarely seen before. According to Orla Cox, director of security response at Symantec, “[No other malware] comes close to this; [Regin] is one of the most extraordinary pieces of hacking software ever developed.”

Symantec likens Regin to the Stuxnet computer worm it discovered in 2010 – the virus that was allegedly used by the U.S. and Israel to attack Iran’s nuclear centrifuges. However, unlike Stuxnet, which was designed to damage equipment, Regin’s purpose appears to be to collect information, and that is what is really worrying. Who is responsible for unleashing such a potentially damaging virus? Well, the truth is nobody really knows for certain, though Symantec believes that the only conclusion is that it was developed by a nation with considerable technological means:

“It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.”

Symantec says that once installed on a computer Regin is capable of executing a range of destructive functions such as capturing screenshots, stealing passwords and recovering deleted files. It believes the malware has been in use for the last 6 years and has been spying on a range of targets around the world, from government organisations and businesses to private individuals, most notably targets in Russia, Saudi Arabia and Ireland.

According to Symantec’s report almost half of all the identified infections occurred at addresses of Internet service providers. However, the targets were customers of the companies, rather than the companies themselves. Roughly 28 per cent of the targets were in telecoms, whilst the other victims were in the energy, airline, hospitality and research sectors.

One of the greatest concerns for businesses is that the malware appears to use several “stealth” features, which mean that even when its presence is detected, it is still very difficult to ascertain what it is doing. According to Symantec’s report, “many components of Regin remain undiscovered and additional functionality and versions may exist.”

Symantec described the malware as having five stages, each “hidden and encrypted, with the exception of the first stage.” Its report claimed each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyse and understand the threat. Symantec believes some of the features of Regin are similar to the Duqu malware, which was discovered in 2011. Regin also uses a modular approach, like the Flamer and Weevil (The Mask) malware: this capability to load custom features tailored to specific targets has already seen the malware used against Microsoft Exchange email servers and mobile phone conversations on major international networks.
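The staged design described above has a practical consequence for defenders: an encrypted stage sitting on disk or in memory looks like high-entropy noise, and a single stage recovered on its own tells an analyst very little. The following Python script is an added illustration, not Symantec’s analysis tooling or anything taken from Regin itself. It scores fixed-size windows of a byte image by Shannon entropy and flags the windows that look encrypted or packed. The sample image is constructed here from a plain-text “first stage” followed by four pseudo-random blocks standing in for encrypted stages; the stage sizes, the SHA-256 keystream and the 7.0-bit threshold are assumptions chosen for the demonstration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Return [(offset, entropy)] for each non-overlapping window at or above threshold.

    A trailing window shorter than window // 4 bytes is skipped, since the
    plug-in entropy estimate is unreliable on very small samples.
    """
    regions = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 4:
            break
        h = shannon_entropy(chunk)
        if h >= threshold:
            regions.append((off, round(h, 2)))
    return regions


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter stream used as a stand-in for encrypted
    stage bytes (constructed for the example; not a real cipher or any Regin data)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


STAGE_LEN = 2048  # assumed stage size for the constructed sample


def build_sample_image() -> bytes:
    """Constructed sample: a readable first stage followed by four 'encrypted' stages."""
    stage1 = (b"STAGE1 LOADER: plain, unencrypted first stage. " * 64)[:STAGE_LEN]
    image = stage1
    for i in range(2, 6):
        image += keystream(b"stage%d" % i, STAGE_LEN)
    return image


SAMPLE = build_sample_image()

if __name__ == "__main__":
    for off, h in high_entropy_regions(SAMPLE):
        print(f"offset {off:6d}: entropy {h:.2f} bits/byte (looks encrypted or packed)")
```

Only the windows after the first 2048 bytes are reported, which is the point of the exercise: the readable loader scores around 4 bits per byte while the pseudo-random stages score close to 8. On a real system this kind of scan is a triage aid, not a verdict; compressed media and legitimate packed executables produce the same signal, so flagged regions still need to be pulled together and examined in context, exactly as Symantec’s report says is necessary for Regin.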

If you are concerned about the escalating security challenges and risk management issues facing your business today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping your business assess its security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.

Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions from Barracuda Networks, Check Point, Alien Vault and Netwrix, please contact Krypsys on 0845 474 3031 or [email protected].