A sophisticated cyberespionage and data-gathering operation using advanced software has been systematically attacking a range of global targets including businesses, governments and individuals.
And many of the malware's components remain undiscovered and could still be active, according to cybersecurity company Symantec Corp., which describes the threat as "one of the few rare examples" that can "truly be considered groundbreaking and peerless."
Mountain View, Calif.-based Symantec says the malware – known as "Regin" – was likely developed by a "nation state" and has been operating since "at least" 2008.
The attacks are the latest in a series of increasingly complex and hard-to-detect data and intelligence breaches that range from credit-card data theft to corporate and government espionage.
"An advanced spying tool, Regin displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals," Symantec said on its blog Sunday.
Industry experts agreed Regin appears to be the work of a nation state. "I would think it's either North Korea, Russia, China or some combination of them," said Gartner analyst Avivah Litan. Andrew Nowinski, an analyst with Piper Jaffray who follows cybersecurity companies, said Regin "is probably malware we [the United States] created, not something that we're trying to get rid of" as it appears that it wasn't detected in the U.S. "I don't necessarily think it changes the game for enterprise" customers or will change their spending patterns on cybersecurity defences. "This specific malware, I don't think changes anything."
Ray Vankrimpen, a partner with Richter Advisory Group's risk management group in Toronto, said the malware "is probably old news for those involved in cyberwarfare or military operations" and questioned why Symantec "has suddenly made a big deal about this," speculating it might be that "more noise on cybersecurity can help bolster cybersecurity budgets."
Among the victims are Internet service providers and telecom companies. Activity has been focused mostly on 10 countries, said Symantec, which makes Norton antivirus products. Canada is not on the list, but Russia and Saudi Arabia account for about half of the confirmed infections. Mexico, Iran, Pakistan, Afghanistan, India, Ireland, Austria and Belgium are also on the list.
The malware can be tailored, depending on what organization or individual is being targeted, according to Symantec. Capabilities include capturing screenshots, stealing passwords, taking control of the mouse's point-and-click function, monitoring network traffic and gathering information on processes and memory use. It can also search for and retrieve deleted files.
Microsoft Exchange e-mail servers and mobile-phone conversations on the major international networks have been cracked, Symantec said.
"It is likely that [Regin's] development took months, if not years, and its authors have gone to great lengths to cover its tracks" including orchestrating its attacks in five stages over a prolonged period, with most actions hidden and encrypted, Symantec said. Even when its presence is detected it is hard to find out exactly what it is up to, the cybersecurity firm said.
Regin infections have been observed in a variety of organizations between 2008 and 2011, after which it was suddenly withdrawn, to be followed by a new version from 2013 onward, Symantec said. Ms. Litan called Regin "ominous" but said its discovery "is actually good news." It "shows we're gaining ground in understanding the enemy."
Targets of the malware may be tricked into going onto spoofed versions of well-known websites or the virus could be installed through a Web browser or by exploiting an application, Symantec said.
"We have not been affected and we are actively monitoring our network to help make sure this threat does not affect our systems or disrupt service to our clients," Royal Bank of Canada spokesman Don Blair said in an e-mail message Monday.
A spokesman at Microsoft said that the company "has nothing to share."