Regin, it seems, has been around for significantly longer than the five years Symantec alluded to and could have been around for the last eleven years – some of the date stamps on the malware go back to 2003. It’s also a threat so sophisticated that it’s got the security companies baffled.
According to a statement from security business Kaspersky Lab, Regin works like a platform as a service (PaaS) and includes multiple tools that specialise in attacking different endpoints, enabling the unknown attackers to build networks that can spy not just on one business but on an entire country. One particular Regin module is capable of monitoring mobile GSM base station controllers, collecting data about GSM cells and the network infrastructure.
Kaspersky began to investigate Regin as far back as spring 2012 and identified it then as malware that “seemed to belong to a sophisticated espionage campaign.” For the next two-plus years Kaspersky and probably every other security lab – thanks for the heads up – tracked the malware and took samples from infected devices. However, because of the platform nature and the techniques used in Regin (it’s multi-tier and encrypted), they were unable to discover where the infection was hidden until now.
Kaspersky now believes that Regin is not just a single malicious program, but “a platform – a software package, consisting of multiple modules, capable of infecting the entire networks of targeted organisations to seize full remote control at all possible levels.”
The actor behind the Regin platform has a well-developed method of controlling the infected networks that allows it to communicate over a peer-to-peer, VPN-like network, which turns the compromised organisations into one vast unified victim – see illustration above – and this structure has allowed the actor to operate silently for years without raising suspicion.
The most original and interesting feature of the Regin platform, though, is its ability to attack GSM networks. According to an activity log on a GSM Base Station Controller obtained by Kaspersky Lab researchers during the investigation, attackers were able to obtain credentials that would allow them to control GSM cells in the network of a large cellular operator.
Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, said: “In today’s world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, other parties can hijack this ability and abuse it to launch different attacks against mobile users.”
For more information see the Kaspersky Lab white paper “The Regin Platform: Nation-State Ownership of GSM Networks”, published in a Securelist.com blog post.