Who developed Regin? Expert Candid Wüest tells DW that the malware could be the product of government espionage. His company Symantec detected the computer virus that has been stealing data worldwide since 2008.
DW: Mr. Wüest, there are many trojans and viruses out there. What makes Regin so special?
Candid Wüest: The special thing about this espionage tool is that it is very sophisticated and very stealthy. It is very rare that we see something as sophisticated as this one, maybe once in a year or every two years.
What is Regin's purpose?
It is quite clear that it is a mass surveillance tool. The main purpose is getting information from different targets. And this information could, for example, be documents that are stored on a machine. But they also infiltrated telecommunications backbones and are trying to extract metadata, lilke who is calling who, and this information is absolutely interesting for espionage agencies.
In addition to spying, do you think the tool could also be used to attack or destroy systems, like the Stuxnet virus, which targeted Iran's nuclear facilities?
We haven't seen any indication of sabotage like with Stuxnet that was actually damaging physical goods in the end, such as centrifuges. But this framework of Regin is actually very modular, which means there are probably 50 different modules and each module can either steal passwords, go through your calendar or snoop into the inner workings of telecommunication backbones. We believe it is just an espionage tool that is designed to get as much information as possible.
That sounds as if this wasn't developed in some kid's bedroom. Who could be capable of developing something that complex?
If we look at the level of sophistication and all the effort that was put into it - a few months, if not years, of work - we think it was most likely a nation state or a nation-state sponsored espionage framework. And also if we look at the main targets of Regin, which were Russia and Saudi-Arabia - there are only a few countries in the world that are actually capable of launching an attack like this.
So the US comes to mind?
It definitely would be a bigger country with a lot of resources. But on the other hand we don't have any proof or clear indication which country is behind it. So it is tough to speculate on that.
Is there any chance to find out where Regin is uploading data to?
It is nearly impossible to find that out. Communication servers are just a frontend, which then redirect traffic to a second, or even a third one, and they might even just be servers rented on a credit card in some country without any other details. So this gives little indication about who is actually behind it and who is receiving the data in the end.
How can I make sure my Computer is not infected?
Customers who use our software and keep it up-to-date have been protected from Regin since September 2013.
Candid Wüest is a Software Engineer at Symantec Advanced Threat Research in Zurich, Switzerland.