No-one knows for sure who created the highly-sophisticated Regin malware that appears to have been spying on organisations in the telecommunications, energy and health sectors for some years.
Other victims appear to have included organisations in Russia, Saudi Arabia, Mexico, Iran, Syria, Pakistan, Afghanistan and Ireland – with telecoms companies apparently particularly finding themselves in the firing line.
What’s curious, as the above chart from Symantec reveals, is that some countries don’t make the chart at all.
For instance, none of the “Five Eyes” countries (Australia, Canada, New Zealand, the UK, and the United States) make an appearance.
If Regin was written by conventional cybercriminals it would seem strange for them to avoid such potential rich targets.
So, chances are, it wasn’t written by traditional cybercrooks. Regin, it is widely suspected, was written by an intelligence agency.
So, if the suspicion that a state-sponsored actor is responsible for Regin is correct, who was it?
The truth is, I don’t know. Attribution of attacks is always tremendously difficult. But let me put it this way – I wouldn’t be at all surprised if the UK’s GCHQ and/or the NSA were involved.
And I’m not in anyway dissuaded as more clues come to light, such as those included in this tweet from Costin Raiu, a security researcher at Kaspersky Lab:
#Regin internal module codenames: LEGSPINv2.6, WILLISCHECKv2.0, HOPSCOTCH.
— Costin Raiu (@craiu) November 24, 2014
America isn’t known for its love of cricket. England is. But it hardly has a monopoly on love for the sound of leather on willow. After all, Australia, India, Pakistan and some Caribbean islands have been known to be quite partial to wasting days on end watching a game which may very well end in a draw.
So, is it possible that Regin was coded by a GCHQ operative who is also a cricket obsessive, or someone else who is trying to point the blame in that direction?
Further reading on Regin: