Regin Malware: Stuxnet’s Spiritual Heir?

As if IT security community hasn’t had enough bad news recently, this week has begun with a big one: according to a report from Symantec, a new, highly sophisticated malware has been discovered, which the company dubbed “Regin”. Apparently, the level of complexity and customizability of the malware rivals if not trumps its famous relatives, such as Flamer, Duqu and Stuxnet. Obviously, the investigation is still ongoing and Symantec, together with other researchers like Kaspersky Lab and F-Secure are still analyzing their findings, but even those scarce details allow us to make a few far-reaching conclusions.

Let’s begin with a short summary of currently known facts (although I do recommend reading the full reports from Symantec and Kaspersky Lab linked above, they are really fascinating if a bit too long):

  1. Regin isn’t really new. Researchers have been studying its samples since 2012 and the initial version seems to have been in use since at least 2008. Several components have timestamps from 2003. Makes you appreciate even more how it managed to stay under radars for so long. And did it really? According to F-Secure, at least one company affected by this malware two years ago has explicitly decided to keep quiet about it. What a ground for conspiracy theorists!
  2. Regin’s level of complexity trumps practically any other known piece of malware. Five stages of deployment, built-in drivers for encryption, compression, networking and virtual file systems, utilization of different stealth techniques, different deployment vectors, but most importantly a large number of various payload modules – everything indicates a level of technical competence and financial investment of a state-sponsored project.
  3. Nearly half of affected targets have been private individuals and small businesses and the primary vertical the malware appears to be targeting is telecommunications industry. According to Kaspersky Lab’s report, code for spying on GSM networks has been discovered in it. Geographically, primary targets appear to be Russia and Saudi Arabia, as well as Mexico, Ireland and several other European and Middle Eastern countries.
So, is Regin really the new Stuxnet? Well, no. Surely, its incredible level of sophistication and flexibility indicates that it most certainly is a result of a state-sponsored development. However, Regin’s mode of operation is completely opposite to that of its predecessor. Stuxnet has been a highly targeted attack on Iranian nuclear enrichment facilities with the ultimate goal of sabotaging their work. Regin, on the other hand, is an intelligence-gathering spyware tool, and it doesn’t seem to be targeted on a specific company or government organization. To the contrary, it’s a universal and highly flexible tool designed for long-term covert operations.

Symantec has carefully avoided naming a concrete nation-state or agency that may have been behind this development, but the fact that no infections have been observed in the US or UK is already giving people ideas. And, looking at the Regin discovery as a part of a bigger picture, this makes me feel uneasy.

After Snowden’s revelations, there’s been a lot of hope that public outcry and pressure on governments will somehow lead to major changes limiting intelligence agencies’ powers for cyber spying. Unfortunately, nothing of that kind has happened yet. In fact, looking at the FUD campaign FBI and DoJ are currently waging against mobile vendors (“because of your encryption, children will die!”) or the fact that the same German BND intelligence service that’s promoting mandatory encryption is quietly seeking to install backdoors into email providers and spending millions on zero-day exploits, there isn’t much hope for a change left. Apparently, they seem oblivious to the fact that they are not just undermining trust in the organizations that supposedly exist to protect us from foreign attackers, but also open new attack surfaces for them by setting up backdoors and financing development of new exploits. Do they honestly believe that such a backdoor or exploit won’t be discovered and abused by hackers? This could probably be a topic for a separate blog post…

Isn’t it ironic that among all the talks about Chinese and Russian hackers, the biggest threat to our cybersecurity might come from the West?



KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

KuppingerCole on social media

Subscribe to our Podcasts

KuppingerCole Podcasts - listen anywhere


How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00