Crossroads Blog | Institute National Security and Counterterrorism

cyber attack, Cyber Espionage, Cyber Exploitation, Cybersecurity, GCHQ, hackers, hacking, Kaspersky, malware, NSA, regin, Symantec

The Five Ws of REGIN

“In the world of malware threats, only a few rare examples can truly be considered GROUNDBREAKING and almost PEERLESS,” – Symantec.

With all the recent hype surrounding Regin, we have scoured the net and broken down the five W’s of Regin below:

WHO:

The highly complex and sophisticated makeup of Regin, as well as its extensive espionage capabilities, suggests that it was developed by a nation-state, the Guardian reports. Although attribution in the cyber realm is difficult, speculation as to the source of the Regin malware point to the United States’ National Security Agency (“NSA”) and the United Kingdom’s Government Communications Headquarters (“GCHQ”), Wired reported. Sources cite to circumstantial evidence to link both the NSA and GCHQ to Regin. First, reports suggest that the Regin malware is eerily similar to an attack that occurred in 2010 on Belgium’s Belgacom, a phone and internet service provider, which allowed the attacker to gather data on the company’s network, as well as customer information, and was attributed to GCHQ. Second, sources cite to reports leaked by Edward Snowden describing two NSA operations targeting the mobile networks of several nations and designed to gather, record and store metadata on every mobile phone call to and from these nations. Accordingly, reports have linked the NSA to Regin because of the staggering amount of victims that have been identified by Symantec as telecom networks. Third, there have been no reports identifying victims in either the U.K. or the U.S., further inciting speculation that Regin is a product of both nations, reports the Guardian.

 

WHAT:

Regin is a back door-type Trojan malware with a degree of technical competence rarely seen. It has the ability to load custom features tailored to individual targets. In fact, according to Symantec, some of Regin’s custom payloads point to a high level of specialist knowledge in particular sectors on the part of the developers. Symantec’s report also notes that Regin is capable of installing a large number of additional payloads, some highly customized for the targeted computer. Symantec listed some of Regin’s payload capabilities: steal passwords, monitor network traffic, gather information on processes and memory utilization, and retrieve deleted files. Symantec also noted some advanced payload modules designed with specific goals which have included: monitor network traffic to Microsoft Internet Information Services (IIS) web servers, collect administration traffic for mobile telephony base station controllers, and parsing mail from Exchange databases. But perhaps the most significant aspect of Regin is its ability to target GSM base stations of cellular networks. Wired reports that access to GSM base station controllers would allow manipulation of the system, including the monitoring of cellular traffic. Wired adds that this capability includes the ability to shut down a cellular network, for example during an invasion for the country or other unrest. This fear is not just conceptual, Kaspersky reports that in 2008 Regin was used to steal the usernames and passwords of system administrators of a telecom somewhere in the Middle East.

WHEN:

Symantec is aware of two distinct versions of Regin: version 1.0 appears to have been used from at least 2008 to 2011, when it was abruptly withdrawn and version 2.0 has been used from 2013 onwards. It is important to note that most of the information out there on Regin, according to Symantec, is based on an analysis of the Region 1.0 version. Security reports have only recovered 64-bit files from the version 2.0. Additionally, there may be versions prior to 1.0 and versions between 1.0 and 2.0.

 

WHERE:

According to Symantec, Regin has infected networks in ten countries spanning across ten different regions, and has been found in the networks of private companies, research institutes, government agencies, organizations, and even academics. Kaspersky also identified financial institutions and multinational political bodies as victims. It is important to note that 28% of victims were identified as telecoms networks which still rely on communications protocols that have little to no security available for the user, according to Kaspersky.

Symantec found that Russia and Saudi Arabia have been affected the most where 28% and 24% of victims are located respectively. Additionally, nine percent of victims were found to reside in Ireland and Mexico, Symantec reported. The report goes on to say that Pakistan, Austria, Belgium, Iran, Afghanistan and India each have five percent of the victims. In addition to the countries identified by Symantec, Kaspersky identified victims in Algeria, Brazil, Germany, Indonesia, Malaysia, Syria, Fiji and Kiribati. It is highly unusual that victims were found in Fiji and Kiribati considering that they are both small island nations where such advanced malware is rarely found, according to Kaspersky.

 

WHY:

Regin’s main purpose is intelligence gathering and it has been implicated in data collection operations against government organizations, infrastructure operators, businesses, academics, and private individuals. According to Symantec, Regin is different to what are commonly referred to as “traditional” advanced persistent threats (APTs), both in its techniques and ultimate purposes. APTs typically seek specific information, usually intellectual property. Regin, on the other hand, is used for the collection of data and continuous monitoring of targeted organizations or individuals.

 

For more information, including the “How” of Regin, read the full reports here: Symantec and Kaspersky. [PDFs of Full Reports are available on websites linked].

-Co-written by Anna Maria Castillo

 

Leave a Reply

Bitnami