Tricky Regin malware poses biggest threat outside US

The hard-to-detect malware is a Swiss Army knife of clandestine tools to extract information from targets in non-English speaking countries, experts say.

fig3-countries.png
Regin targets mostly non-English speaking countries. Symantec

News of the latest advanced malicious software threat called Regin comes with a silver lining. The good news is most people in the English-speaking world won't have to worry about it.

The bad news? Everyone else does.

Pronounced "region," the malware is a cyber-espionage tool built to steal the secrets of many foreign governments and businesses, said a report published Sunday by security specialist Symantec. Regin avoids detection with a specialized design as it ferrets out critical information. It's been used since 2008 to infiltrate email databases, monitor network traffic, steal passwords, snag screenshots and record mouse clicks.

"Once you are a target it's been proven to be very effective," said Joost Bijl of Fox IT, a Dutch computer security company hired by Belgian telecommunications firm to remove its Regin from its systems.

International espionage has entered the 21st century through viruses, malware and other targeted pieces of software designed to steal state secrets and break computers. Stuxnet, a powerful program said to have been created by the United States and Israel, is believed to have damaged some of Iran's nuclear ambitions, thanks to the use of a simple USB drive.

The conflict that has followed is fierce. Armies of government-sponsored hackers have attacked computer systems all over the world, using a variety of software tools at their disposal.

Regin could represent a new, more advanced wave, something Symantec called "groundbreaking" and "almost peerless" in its report. Why is it so special? Who it targets, and who it doesn't.

fig2-sectors.png
Telecoms and small businesses comprise most of Regin's targets. Symantec

While many of the documents leaked by National Security Agency contractor Edward Snowden last year point to espionage committed against the closest of US allies, Regin appears to have spared five English-speaking countries: The US, the United Kingdom, Australia, New Zealand and Canada. Among the countries where researchers detected infections were Germany, Russia, Saudi Arabia, Syria, Brazil, Belgium, Mexico, India, and Ireland.

While the advanced nature of Regin makes it hard to detect and resistant to forensic analysis, it's not likely to filter down to affect the average Internet user -- even in targeted countries. Regin is aimed at telecommunications firms, critical infrastructure providers and businesses.

Those companies and government agencies should make sure they encrypt their data and communications so only authorized people can read them, said Symantec researcher Vikram Thakur. Also, he said employees should be judicious about which emails they read. "Don't just open up every free coupon that shows up in your email."

Despite the risks to businesses likely to be targeted by Regin, there's little concern its advanced design will find its way into the hands of cyber-criminals who target consumer's identities, said Timo Hirvonen, a senior researcher at Finnish computer security company F-Secure. It's so advanced, Regin isn't worth the effort it would take to copy .

"We're not going to see copycats targeting consumers," Hirvonen said.

Correction, 11:02 a.m. PT:This story initially mischaracterized Ireland's allegiances. Ireland is part of the European Union, not the United Kingdom.

Featured Video