The Regin malware uncovered by Symantec appears to be the work of Western intelligence agencies, after further research revealed that none of the so-called 'Five Eyes' nations has been infected by the tool.
Research by Kaspersky Lab has so far identified 14 nations with Regin infections, including Russia, Iran and Germany, but not the UK, the US, Australia, New Zealand or Canada, according to the firm's victim map.
Kaspersky also noted that it is odd that Fiji and Kiribati are victims of Regin. "Fiji and Kiribati are unusual, because we rarely see such advanced malware in such remote, small countries. In particular, the victim in Kiribati is most unusual," it said.
"To put this into context, Kiribati is a small island in the Pacific with a population of around 100,000."
The report by Kaspersky also reveals that the Regin tool has been used to access mobile networks, undoubtedly to siphon off data, which again suggests the work of US and UK spy agencies in light of other operations revealed by Edward Snowden.
"The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations," said the security firm.
"Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them to launch other types of attacks against mobile users."
The Regin tool was first revealed by Symantec, and has been used in spying campaigns against government and corporate targets since 2008.
Symantec said that the Backdoor.Regin spyware displays "a degree of technical competence rarely seen", and has been used to target major organisations and individuals across the globe.
Symantec's research indicated that Regin is likely to have been developed over many years by a nation state for surveillance operations, given the capabilities and resources behind the malware.
"The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible," explained Symantec.
"Its design makes it highly suited for persistent, long-term surveillance operations against targets."
Regin's sophistication comes from its 'stealth' features, including anti-forensic capabilities, two encryption features, and the ability to communicate through covert channels, such as hiding commands in HTTP cookies.
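Covert command channels of the kind described above, such as commands carried in HTTP cookies, are one thing a defender can look for in proxy logs: a cookie that carries a payload looks different from one that carries an identifier. The following is an added example, not code from the article, Symantec or Kaspersky, of a simple detection heuristic run over constructed proxy-log lines. It flags cookie values that are long and high-entropy, and raises the severity when the same client sends a different such value to the same host on every request, since legitimate session identifiers stay constant across a session. The log format, host names, cookie names and thresholds are assumptions for illustration; the article does not describe Regin's actual cookie format.

```python
import math
from collections import Counter, defaultdict

# Constructed sample proxy-log lines (not real Regin traffic). Simplified
# space-separated format: timestamp client dst_host method path cookie_header
# Host names, cookie names and values are invented for this example.
SAMPLE_LOG = """\
2014-11-24T10:00:01Z 10.0.0.5 www.example.com GET /index.html sid=Q7mN2pX9vB4kL1sT6wR8yZ3c; lang=en
2014-11-24T10:00:07Z 10.0.0.5 www.example.com GET /news.html sid=Q7mN2pX9vB4kL1sT6wR8yZ3c; lang=en
2014-11-24T10:00:12Z 10.0.0.9 cdn.example.net GET /a.js PHPSESSID=k3jd92ls; theme=dark
2014-11-24T10:01:30Z 10.0.0.5 203.0.113.7 GET /img/x.gif tid=Zq8p2vX9L0mTfW1bR4sNaK7e; lang=en
2014-11-24T10:02:03Z 10.0.0.5 203.0.113.7 GET /img/x.gif tid=9vB2hQ7tY1xC0LmNpE3sK6dR; lang=en
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str):
    """Split one log line into fields and the Cookie header into name/value pairs."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    ts, client, host, method, path, cookie_header = parts
    cookies = {}
    for item in cookie_header.split(";"):
        if "=" in item:
            name, value = item.strip().split("=", 1)
            cookies[name] = value
    return {"ts": ts, "client": client, "host": host, "path": path, "cookies": cookies}


def find_suspicious_cookies(log_text: str, min_len: int = 16, min_entropy: float = 4.0):
    """Flag cookies whose values look like carriers for embedded data.

    Signal 1: the value is long and high-entropy (assumed thresholds: 16 chars,
              4.0 bits/char; a 24-char value of distinct characters scores log2(24) ~ 4.58).
    Signal 2: the same client sends a different such value to the same host on
              every request. Session identifiers, by design, do not churn like that,
              so churn raises the severity from "low" to "high".
    """
    seen = defaultdict(list)  # (client, host, cookie name) -> values in request order
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["cookies"].items():
            seen[(rec["client"], rec["host"], name)].append(value)

    findings = []
    for (client, host, name), values in seen.items():
        high = [v for v in values if len(v) >= min_len and shannon_entropy(v) >= min_entropy]
        if not high:
            continue
        churn = len(values) > 1 and len(set(values)) == len(values)
        findings.append({
            "client": client, "host": host, "cookie": name,
            "requests": len(values), "distinct_values": len(set(values)),
            "severity": "high" if churn else "low",
        })
    # Highest severity first, then stable ordering for reporting.
    findings.sort(key=lambda f: (f["severity"] != "high", f["host"], f["cookie"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_cookies(SAMPLE_LOG):
        print(finding)
```

On the sample, the stable `sid` cookie is reported at low severity (random-looking but constant, as a session token would be), while `tid` is reported as high because it changes on each request to the same host. A real deployment would add an allow-list of known cookie names per host and tune the thresholds against a baseline of the organisation's own traffic, since the entropy test alone cannot tell an encrypted command from a legitimately random token.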
"Regin goes to some lengths to hide the data it is stealing. Valuable target data is often not written to disk. In some cases, Symantec was able to retrieve the threat samples but not the files containing stolen data," said Symantec in a Regin white paper (PDF).
Regin is a multi-stage threat in which every stage except the first is hidden and encrypted. The first stage starts a chain in which each stage decrypts and loads the next, until the four subsequent stages are running.
"Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyse and understand the threat," said Symantec.
The software can also deliver customised payloads, most of which appear to have been designed with spying in mind. Potential payloads include remote access features such as taking screenshots, stealing passwords and monitoring web traffic.
Symantec's research shows that, over the six years Regin has been active, 48 percent of infections were of private individuals or small businesses, and a further 28 percent were of telecoms backbone operators.
The remaining Regin infections were at airline, energy and hospitality companies.
Some 28 percent of these attacks occurred in Russia and 24 percent in Saudi Arabia. Other targets included Mexico, India, Afghanistan and Ireland.
Mark James, security specialist at ESET, said that Regin's adaptive nature has helped it to go undetected by security firms for years.
"The malware itself is very capable at customising itself to take on any number of roles and this I believe is what has kept it reasonably undetected and in the wild for so long," he said.
"The code is quite complex and uses encryption to protect itself along with storing its data within a non-traditional file storage area such as the registry, extended attributes, or raw sectors at the end of disk.
"This all makes it harder to detect as most traditional malware does not use these places."
Symantec has identified two versions of Regin. Version 1.0 appears to have been used from at least 2008 until disappearing in 2011.
Version 2.0 has been used since 2013, although Symantec has recovered only small amounts of the 64-bit Regin files. Symantec said that more versions are likely to be in existence.
James echoed Symantec's assertions about multiple versions of Regin. "We would be naive to think that there aren't other very similar complex pieces of malware out there undetected, quietly sitting on hardware gathering data and sending it back for intelligence and malicious means," he said.
Symantec compared Regin with the Stuxnet and Duqu families of malware, but said that Regin was designed for data collection rather than equipment damage.
Tracing Regin's origins to a specific country is likely to spark a scandal, particularly in the wake of the controversy over the NSA's PRISM programme.