
Foreign country likely behind newly found malware

Photo: A South Korean computer researcher looks at a computer monitor as he checks the shut-down servers of Korean Broadcasting System (KBS) at the Evidence Acquisition Lab of the Cyber Terror Response Center, National Police Agency, Seoul.

SAN FRANCISCO >> Cyber-security researchers say they’ve identified a highly sophisticated computer hacking program that appears to have been used by an as-yet unidentified government to spy on banks, telecommunications companies, official agencies and other organizations around the world.

The malicious software known as “Regin” is designed to collect data from its targets for periods of months or years, penetrating deep into computer networks while covering its tracks to avoid detection, according to analysts at Symantec, the Silicon Valley security firm that disclosed the program’s existence in a report this week.

Citing factors including its complexity and the likelihood it took years to develop, Symantec security manager Vikram Thakur said Monday, “we think it could not have come from anybody except an extremely well-funded, organized nation state.”

Unlike malware that’s been used to hack into retailers’ payment-processing systems, the Regin program isn’t focused on collecting large volumes of credit card numbers or other financial account information, he added. Instead, it’s more precisely targeted and can be used to collect screenshots, copy deleted files, steal passwords and monitor digital communications — including mobile phone calls.

Evidence from contaminated computers shows the malware has been used since at least 2008, with half the known cases discovered in Russia and Saudi Arabia, Symantec said. Based on its design and behavior, experts at Symantec and other firms said they don’t believe it was developed in Russia or China, two countries that are often blamed for cyberattacks around the world.

Reports on two online news sites, and The Intercept, cited circumstantial links to suggest the program was used in European cyberattacks that the former National Security Agency contractor Edward Snowden has blamed on U.S. and British intelligence agencies. Without drawing that conclusion, researchers at Symantec Corp. and other firms said Regin’s design was reminiscent of a sophisticated program known as Stuxnet, which The New York Times and The Washington Post have reported was developed by U.S. and Israeli agencies.

When asked about the reports, a spokeswoman for the NSA told The Associated Press, “We are not going to comment on speculation.”

Other experts cautioned that it’s difficult to trace the source of malware.

“It isn’t hard to make a piece of malware look like it came from anywhere in the world,” said Adam Kujawa of the security firm Malwarebytes Labs.

Regardless of the source, Symantec researchers called the design of the Regin program “groundbreaking and almost peerless.” Thakur said the company has been studying the malware since last year.

Another security firm, Kaspersky Labs, reported Monday that it began tracking the program in 2012. In its own report, Kaspersky said the program showed “mind-blowing” sophistication by penetrating several different computer networks in an unnamed Middle Eastern country. Rather than communicate with each target, the malware was able to avoid detection by using one network to relay commands to another. Kaspersky said it found evidence of Regin contamination in 14 different countries, including the Pacific island nations of Fiji and Kiribati.

An early version of the software was used to infect computers between 2008 and 2011, but it was then shut down and much of the code was removed remotely — apparently by its operators, Thakur said. A second version began appearing last year. Kaspersky researchers said they believe the program is still in active use.

Analysts say it’s unclear how the program entered the targeted computers, although Symantec said it found one example where it was introduced through a message sent on Yahoo’s Instant Messenger service.

AP National Reporter Martha Mendoza contributed to this report.
