The use of Regin was first revealed by NSA whistleblower Edward Snowden and later described by Russian security firm Kaspersky and the American cyber security company Symantec.
The malware, which was described by Symantec in 2014 as "a complex piece of malware whose structure displays a degree of technical competence rarely seen", has also been used by other so-called Five Eyes countries Canada, Australia and New Zealand, a Reuters report said on Friday.
The Symantec analysis of 2014 said further, "It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state."
Yandex had more than 108 million monthly users in Belarus, Kazakhstan and Turkey, Reuters reported, citing anonymous sources.
The attackers hit Yandex between October and November 2018 and were said to be looking for how Yandex authenticates user accounts, apparently in order to pose as Yandex users and access other people's messages.
The Intercept reported on Regin back in 2014, based on information from Snowden which pointed to the malware being used against Belgian telco Belgacom. The same malware was found on computers belonging to the EU and targeted by the NSA.
The version of Regin found on the Yandex systems had a good deal of new code and Kaspersky established its identity, the Reuters report said.
Kaspersky was contacted for its reaction, but the company said it had no comment to make.
A diagram of the Regin platform. Courtesy Kaspersky
Symantec said in the report that it had also found a new version of Regin. iTWire has contacted the company for comment.
It is rare for American advanced persistent threats to be identified in this manner. About the only company which did so was Kaspersky and, after it was barred from selling products to the US public sector, it too has maintained a veil of silence.
The last time Kaspersky revealed an American spy operation was at its annual Security Analyst Summit in 2018, when it disclosed details of an operation known as Slingshot.
Some time later, Slingshot was claimed to be an operation run by the Joint Special Operations Command, a part of the Special Operations Command. Slingshot was said to be used by US military and intelligence personnel to collect information about terrorists.