Security researchers have revealed details about a malware campaign that has compromised systems in multiple countries since 2008. Called Regin, the malware is suspected to be a state-funded attack against multiple targets (including some in Malaysia), although researchers are not yet certain what it is intended to achieve.
Regin is one of the most modular pieces of malware in existence, allowing its creators to adapt it to do almost anything they want. It has been found to be able to remotely take control of systems, capture screenshots, or simply monitor network traffic. This modular nature has led to Regin being discovered across a wide range of victims: telecommunications companies, government bodies, ISPs, academics, and even unfortunate private individuals.
The most dangerous aspect of Regin is its ability to attack GSM networks and map their infrastructure. This was discovered at a Belgian telecommunications company that found the malware in its internal network.
Due to the variety of targets, nobody is entirely sure what data it is meant to capture. Symantec suspects that it is a general-purpose, government-sponsored surveillance tool meant to keep an eye on anything its creators deem worthy of attention. This would explain why some 48 percent of the compromised systems belong to regular people and small businesses.
F-Secure also supports this theory, and goes as far as to suggest that it is the work of Western governments led by the US. The company points out that none of the compromised systems are in the "Five Eyes" countries (the US, UK, Canada, Australia, and New Zealand, which share intelligence under a multilateral agreement). The traditional government-malware suspects, Russia and China, have been ruled out because of the number of compromised systems in Russia and Saudi Arabia.
While Regin has been at large since 2008, it has apparently been deployed quite selectively, which is why it took researchers so long to discover its existence. The fact that it has mainly been set to observe activity without drawing attention to itself is another reason the malware managed to go undetected for so long.