The malware, dubbed Regin by researchers at Symantec who first discovered it, is so complex that most analysts believe it could only have been developed by a nation-state with powerful cyber attack capabilities — such as the UK, USA, Russia, China or Israel.
They disclosed that five percent of all the infections they identified were in Austria. Other countries targeted include the Russian Federation (28 percent), Saudi Arabia (24 percent), Mexico and Ireland (9 percent each), and Iran, India, Afghanistan, Belgium and Pakistan, each with five percent.
Belgium was most likely a target because its telco Belgacom handles communications for the European Union institutions, which appear to have been the target of a GCHQ operation known as "Operation Socialist."
Regin is a back-door-type Trojan, "customizable with an extensive range of capabilities depending on the target," Symantec said, adding that "it provides its controllers with a powerful framework for mass surveillance." Its development probably took months "if not years" and "its authors have gone to great lengths to cover its tracks."
The malware uses several stealth features “and even when its presence is detected, it is very difficult to ascertain what it is doing,” according to Symantec. It said “many components of Regin remain undiscovered and additional functionality and versions may exist.”
Almost half of all infections occurred at addresses of Internet service providers, the report said. It said the targets were customers of the companies rather than the companies themselves. About 28 percent of targets were in telecoms while other victims were in the energy, airline, hospitality and research sectors, Symantec said.
In June, Germany's Der Spiegel reported that the NSA was actively infiltrating and spying on the European Union and its senior diplomats, including those in New York and Washington, as well as at Nato in Belgium.
Some of the techniques used by the malware — including its modular nature, and the highly valuable attack vectors used — strongly suggest that the spy software was developed by the same country which developed Stuxnet and Duqu, widely believed to be a collaboration between the USA and Israel.
The malware was most active between 2011 and 2013, although some elements date back to 2003, according to reports.