Computer security firms Symantec, Kaspersky Lab and Fox IT have all issued preliminary findings on the Regin malware since Symantec first raised the public alarm about it on Sunday.
"Regin is a highly complex threat which has been used in systematic data collection or intelligence-gathering campaigns," Symantec said in a paper on the malware published late Monday. "The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation-state is responsible."
Symantec malware researcher Candid Wüest told DW that it was "quite clear that this is a mass-surveillance tool," detailing the Trojan's advanced data-gathering capabilities. He also noted that the program's main targets, found in the greatest concentration in Russia and Saudi Arabia, offered potential clues as to the country of origin.
Kaspersky Lab similarly spoke of "mind-blowing" sophistication in its report, saying it now believes that it first saw a version of Regin in 2012. In Finland, Antti Tikkanen of F-Secure perhaps came the closest to dropping a name: "Our belief is that this malware, for a change, isn't coming from Russia or China."
An unidentified state security source warned the Financial Times that
the target countries could prove a red herring, saying: "Certain states
and agencies may well use tools of this sort domestically."
Dutch expert convinced
German news magazine Der Spiegel reported on Tuesday that Ronald Prins, the head of Dutch computer security firm Fox IT, was "sure" that the malware came from either the US National Security Agency or its UK counterpart, GCHQ. According to the report, Prins was confident he had found elements within the Regin architecture that are explicitly mentioned in now-public NSA documents listing its tools, namely Straitbizarre and Unitedrake.
Online magazine The Intercept, founded by journalist and erstwhile Edward Snowden confidant Glenn Greenwald, reported that the malware had been used in the alleged GCHQ cyberattacks on Belgacom and on some EU computer systems.
The information made public by the former NSA contractor Snowden last year revealed the close working relationship within the "Five Eyes" alliance of Anglophone countries, especially between Britain and the US.
The Stuxnet worm, discovered in 2010 and targeting Iran's nuclear facilities in particular, is now broadly believed to have been a joint US-Israeli development aimed at Tehran, according to reports in outlets including The New York Times and the Washington Post. Unlike Stuxnet, Regin appears to focus entirely on gathering information rather than on sabotage, Symantec's Wüest told DW.
msh/mkg (AFP, AP, dpa)