Several years into President Obama’s tenure, he grappled with a seemingly intractable problem: how to halt Iran’s pursuit of a nuclear bomb without launching a military campaign? One possible way would come to be called Stuxnet, “the world’s first digital weapon.” First developed under the George W. Bush administration, the program is believed to have been used in collaboration with Israel to cripple Iran’s nuclear capabilities and befuddle its scientists.
Now another chapter of intergovernmental cyberwarfare has arrived under the name “Regin.” Discovered by Symantec, which also ferreted out Stuxnet in 2010, the new cyberweapon appears government-made — “one of the most sophisticated pieces of malicious software ever seen,” the BBC reported.
The years of study put into the spyware — not to mention the software’s attempts to cover its tracks — led Symantec to suspect it has uncovered a prominent nation’s most powerful cyber-spying tool. “It provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals,” said a Symantec report. “The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.”
As of Monday morning, it remained unclear which “nation state” might be responsible. But through its targets, which span governments, institutions and individuals throughout the world, several clues have emerged. According to Symantec, its roots date back to as early as 2008, if not 2006, and attacks have focused on 10 nations. Twenty-eight percent of the infections occurred in Russia, with another 24 percent hitting Saudi Arabia. Five percent more were in Pakistan, and another 5 percent in Iran.
Noticeably absent from the target list were both China and the United States. With Symantec discerning traces of Western technology in the super-spyware, some analysts suspect the United States or Israel is behind the technology, though there doesn’t appear to be any proof to corroborate such suspicion.
“It looks like it comes from a Western organization,” security strategist Sian John told the BBC. “It’s the level of skill and expertise, the length of time over which it was developed.” Researcher Liam O’Murchu added in an interview with Re/code: “The best clues we have are where the infections have occurred and where they have not. We know it was a government that is technically advanced. … This has been a huge spying campaign dating back at least to 2008 and maybe even as early as 2006.”
How the spyware works: it attacks Microsoft Windows in five stages, and no single stage on its own tells a defender what is going on. To understand the whole, all five stages have to be detected and decrypted. As a result, users have no idea of the danger until the targeted computer is firmly in the grip of the spyware, which by then is capturing screenshots and passwords and retrieving files — including deleted files.
The intricacy and subtlety of the software are stunning, Symantec said in a statement. Each stage of the five-stage data raid betrays few hints about the complete package; only by analyzing all five stages together would victims grasp what was happening.
“Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber-espionage tools used by a nation state,” Symantec said.