AV Firms Defend Regin Alert Timing

Vendors Could Have Issued Warnings Sooner, Critics Allege

By Mathew J. Schwartz, November 26, 2014. Follow Mathew J. @euroinfosec

Anti-virus firms have been defending the timing of their disclosure of the technical capabilities of powerful Regin espionage malware. Some information security experts have criticized F-Secure, Kaspersky Lab and Symantec for not more quickly issuing public warnings about the malware, which experts say has sophisticated capabilities that rival those of Stuxnet and Flame (see Regin Espionage Malware: 8 Key Issues).

Symantec released the first detailed technical report into Regin on Nov. 23, leading to fellow anti-virus vendors F-Secure and Kaspersky Lab quickly following suit.

Some anti-virus vendors, however, have known about the existence of Regin for at least several years. Kaspersky Lab says it first began to hear about Regin in the spring of 2012, when it was tipped off to malware that resembled Duqu. F-Secure says it found its first related sample in 2009 (the sample itself dated from 2008) but only became concerned after seeing a more advanced version debut in 2013. Symantec says it first began giving Regin a serious look in the fall of 2013.

But it wasn't until this week that all three firms released related reports, saying Regin's code complexity and attack sophistication means it is likely the work of a state-sponsored attacker. "Regin bears the hallmarks of a state-sponsored operation and is likely used as an espionage and surveillance tool by intelligence agencies," a Symantec spokeswoman tells Information Security Media Group.

While all three firms say they could only guess at the identity of Regin's sponsor - and declined to do so - some information security experts suggest that the United States and the United Kingdom, perhaps working together, should be on the shortlist of suspects. Several news reports suggest the malware may have been used to hack Belgian telecommunications firm Belgacom as well as the European Parliament. And some reports suggest those campaigns were run by the National Security Agency and GCHQ, which are respectively U.S. and U.K. intelligence agencies (see Espionage Malware Alert Sounded).

Did AV Vendors Delay?

The delay between discovery and disclosure - and the suggestion that Regin is a full-fledged, nation-state-crafted advanced persistent threat, perhaps authored by U.S. and U.K. cyberweapons teams - have led to questions about what anti-virus vendors knew, when they knew it, and whether they should have sounded related alerts sooner. "Why wait so long to talk about it?" asks Jeremiah Grossman, interim CEO of website security firm WhiteHat Security.

"Most anti-viruses started actually detecting it quite early, which is good. What isn't good is the secrecy around it for so long," says security researcher Claudio Guarnieri, a.k.a. "nex."

But all three anti-virus firms say that Regin didn't just magically reveal its capabilities one day. "This is an APT campaign we have been tracking for several years and the research was ongoing," a Kaspersky spokeswoman tells Information Security Media Group. F-Secure's chief research officer, Mikko Hypponen, likens the process to a puzzle, saying that thanks to work by security researchers from different firms - sometimes collaborating - they've been able to collectively put enough pieces together to understand some of the malware's capabilities.