The spy inside

Dangers are growing in cyberspace. Not only are thieves learning to siphon off millions of credit card numbers and email addresses but elaborate pieces of malware are capable of spying on whole organizations for long periods of time, capturing computer screens, keystrokes and data, transmitting it all to distant servers without being detected.

Symantec, a cybersecurity company, has announced the discovery of a new example of this sophistication, called Regin, apparently designed for intelligence collection, and comparable in power and complexity with Stuxnet, the computer worm reportedly used by the United States a few years ago to sabotage Iran’s uranium enrichment program. The new spyware does not resemble the evasive bits of code that scoop up credit card data. Rather, according to Symantec, Regin is built for long-term, under-the-radar espionage and surveillance; it comes with many modular pieces that can be custom-fitted to the target of the attack; and it has already been used against governments, infrastructure operators, businesses, academics and private individuals.

“It goes to extraordinary lengths to conceal itself and its activities on compromised computers,” the company reported. “Its stealth combines many of the most advanced techniques that we have ever seen in use.” Threats like this are “rare,” the company said, and the sophistication underscores how significant resources are being poured into this kind of mega-weapon in cyberspace. The Washington Post’s Ellen Nakashima reported that the spyware can also grab control of cellphone towers and monitor calls.

But who is behind it? Symantec could not identify the origins. Confirmed infections have shown up mostly in Russia (28 percent) and Saudi Arabia (24 percent), but none in the United States, Israel or Britain. It may well be another example of American ingenuity in service of intelligence missions, like Stuxnet, but the reality of cyberconflict is that fingerprints can often be difficult to discern. The line between defense and offense, and between nation-states and other groups, can be hazy. Another security firm, Cylance, has reported that Iranian groups hacked into a range of international targets, including airlines, military and energy complexes, hospitals, telecommunications and other institutions.

Networks in the United States remain vulnerable to intrusion, disruption, theft, espionage and attacks that could produce physical damage, all weaknesses that cry out for a more aggressive defense than has been mounted so far. Although the U.S. military is standing up a major cyber effort, both offensive and defensive, private-sector networks in the nation are overly exposed. These networks are the backbone of the economy, health care, education, transportation, energy and countless other critical functions. In the future, attacks are certain to be aimed at them with potentially dire consequences.

Warnings about this have been issued for several years, with insufficient effect. Adm. Michael S. Rogers, the new head of the National Security Agency and U.S. Cyber Command, recently predicted a cyberattack on critical U.S. infrastructure — such as water or electrical systems — in the next decade, saying it is “only a matter of when, not if, we are going to see something dramatic.” He added, “This is not theoretical.” Or reassuring.