The espionage tool has been found primarily on systems in Russia and Saudi Arabia, though its presence has been detected in smaller numbers in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria, and Pakistan. Over half of all confirmed cases were on machines in Russia and Saudi Arabia.
"ITS AUTHORS HAVE GONE TO GREAT LENGTHS TO COVER ITS TRACKS."
As you might expect, something this complex isn't designed to steal your credit card numbers. The sophistication of the software, and its confirmed targets, according to Symantec, make it almost certain that the malware is state-sponsored. In fact, the researchers say that it is similar to the Stuxnet worm that was allegedly designed to sabotage Iran's nuclear program. They should know: this group of computer security experts is the same team that first discovered Stuxnet. The US, Israel, and China are believed to be among the nations with the funding and expertise to develop and execute such attacks.
What's not clear is how the malware executes an attack. In just one confirmed case, it exploited an undiscovered Yahoo Messenger vulnerability, but the researchers speculate that it can use spoofed versions of popular websites or other application holes to gain access to computer systems.
The pattern of attacks does show, however, that the software has been used for years. "This has been a huge spying campaign dating back at least to 2008 and maybe even as early as 2006," researcher Liam O’Murchu tells Recode. Attacks abruptly halted in 2011, before an updated version of the malware was introduced to the web in 2013. There's still much that's unknown, but now that Regin's existence has been publicized, we should expect more details to trickle out over the coming months.