So far Symantec has identified hundreds of infections, which means that operations have been highly targeted.

A nearly peerless, multi-staged and modular spying tool known as Regin is being referred to by Symantec, the security company that initially released information on the malware, as ‘groundbreaking’ – particularly because of the advanced techniques it uses to conceal itself.

The sophistication of the threat and the skill sets being used in operations possibly dating back to 2008 have led Symantec to believe that Regin is being used by a nation-state, Orla Cox, senior operations manager with Symantec Security Response, told SCMagazine.com on Monday.

“We believe this is a tool that's used for intelligence gathering by a nation-state,” Cox said, explaining that numerous people would be needed to sift through the large amounts of data being gathered. “Looking at the code, there's no firm indicators of origin – country or otherwise.”

So far Symantec has identified hundreds of infections, which means that operations involving Regin have been highly targeted, Cox said.

The majority of observed Regin infections, 28 percent, have been in Russia, with 24 percent in Saudi Arabia, nine percent in Mexico and Ireland, and five percent in India, Afghanistan, Iran, Belgium, Austria and Pakistan, according to a whitepaper released by Symantec on Sunday.

At 48 percent, nearly half of observed infections have been private individuals and small businesses, the whitepaper indicates, with Cox explaining that targeted individuals have skill sets and knowledge that are of interest to the Regin operators. A further 28 percent of observed infections have been telecoms backbone, nine percent are hospitality, and five percent are in the energy, airline and research sectors.

“The attackers compromise GSM Base Station Controllers, which are computers controlling the GSM infrastructure,” Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, told SCMagazine.com in a Monday email correspondence. “This allows them to control GSM networks and launch other types of attacks, including the interception of calls and SMSes.”

Kaspersky Lab published its own research on Monday – also indicating that the operation is likely supported by a nation-state – and Raiu said that the Global Research and Analysis Team observed 27 victims in 14 countries, with a single victim possibly having several infected computers.