On November 23rd, Symantec, the American antivirus company, announced the discovery of a piece of software called Regin, which it had found lurking on computers and stealing data in Ireland, Russia, Saudi Arabia and several other countries. Its sophistication and stealth led Symantec to conclude that it must have been created by a nation-state.
The Regin software appears to have been lurking on some computer systems from as long ago as 2008 and Symantec said it was unusually low-key, meaning it could be used on a target for several years before being noticed. Symantec have described the purpose of Regin as “intelligence gathering” and said: “It is used for the collection of data and continuous monitoring of targeted organizations”. Regin appears to be significantly more sophisticated than most other examples of hacking software as it could take screenshots, control the cursor and steal passwords.
While most computer viruses and hacking malware are produced by individual hackers or criminal gangs, the sophistication of Regin has led commentators to conclude that it must have been produced by a nation-state. This is just the latest in a growing trend of sophisticated, state-sponsored hacking attacks. The most famous example of such an attack is the ‘Stuxnet’ virus. Stuxnet was discovered in 2010 and was designed (according to experts in the field, almost certainly by America and Israel) to hijack industrial-control systems. It was deployed against Iran’s nuclear program, and caused widespread damage by destroying centrifuges that were being used to enrich uranium.
Ireland has the fourth-highest rate of infiltration by Regin in the world, with almost 10% of infiltration incidents occurring in Ireland. Irish companies should be aware of the threat posed by increasingly sophisticated hacking attacks, particularly from software such as Regin, which could be used for industrial espionage.
Under Irish law, infiltrations such as those carried out by Regin could be considered an offence on a number of different grounds. From a data protection perspective, pursuant to section 22 of the Data Protection Acts 1988 and 2003, it is an offence to obtain access to personal data without the prior authority of the data controller by whom the data is kept and to disclose the data to another person. Sections 2 and 5 of the Criminal Damage Act 1991 could also make infiltrations such as those carried out by Regin an offence. Finally, section 9 of the Criminal Justice (Theft and Fraud Offences) Act 2001 could make the infiltrations carried out by Regin an offence, as section 9 makes it an offence where a person "dishonestly, whether within or outside the State, operates or causes to be operated a computer within the State with the intention of making a gain for himself or herself or another or of causing a loss to another". Further legislative provision to deal with such hacking attacks will be provided in the forthcoming Criminal Justice (Cybercrime) Bill, the heads of which have been agreed and which is currently being drafted.