Posts Tagged‘spying’

Regin: The Spies’ Stuxnet.

It’s really hard to have anything but admiration for Stuxnet. It was the first piece of software that could be clearly defined as a weapon, one with a very specific purpose in mind that used all manner of tricks to accomplish its task. Since its discovery there hasn’t been another piece of software that’s come close to it in terms of capability although there’s always rumours and speculation of what might be coming next. Regin, discovered by Symantec, has been infecting computers since at least 2008 and is the next candidate for the cyber-weapon title and whilst its mode of operation is more clandestine (and thus, a little more boring) it’s more what it’s not that interests me most.

Regin Architecture

Unlike Stuxnet, and most other malware you’ll encounter these days, Regin is designed to infect a single target with no further mechanism to spread itself. This is interesting because most run of the mill malware wants to get itself onto as many machines as possible, furthering the chances that it’d pick up something of value. Malware of this nature, one that we haven’t identified a specific infection vector for, means that it’s purpose is far more targeted and was likely developed with specific targets in mind. Indeed the architecture of the software, which is highly modular in nature, indicates that Regin is deployed against a very specific subset of targets rather than allowing it to roam free and find targets of interest.

Regin has the ability to load up various different modules depending on what its command and control servers tell it to do. The functions range from interchangeable communication methods (one of which includes the incredibly insidious idea of encoding data within ping packets) to modules designed to target specific pieces of software. It’s quite possible that the list Symantec has created┬áisn’t exhaustive either as Regin attempts to leave very little data at rest. Indeed Symantec hasn’t been able to recover any of the data captured by this particular bit of malware, indicating that captured data is likely not stored for long, if at all.

Due to its non-worm nature the range of targets that Regin has infected gives a pretty good indication as to what it’s intended purpose is. The two largest groups of targets were individuals or telecommunications backbones, indicating that its purpose is likely information gathering on a large scale. The location of of infections indicates that this piece of software was likely western in origin as the primary targets were Russia and Saudi Arabia with very few targets within western countries. It’s unlikely that this tool was developed for a specific operation due to its modular nature however, so I don’t believe there’s any relationship between different infections apart from them using the same framework.

Just like Stuxnet I’m sure we won’t know the full story of Regin for some time to come as software of this nature is incredibly adept at hiding its true purpose. Whilst its capabilities appear to be rather run of the mill the way in which it achieves this is very impressive. More interesting though is it’s non-worm nature which, whilst it may have prevented its detection for some time, hints heavily to its true purpose and origin. I’m really looking forward to further analysis of this particular piece of software as it gives us a rare insight into the world of clandestine cyber warfare operations.