An advanced piece of malware, known as Regin, has been used in systematic spying campaigns against a range of international targets since at least 2008. A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.
It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.
As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.
Regin also uses a modular approach, allowing it to load custom features tailored to the target. This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil (The Mask), while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats.
Timeline and target profile
Regin infections have been observed in a variety of organizations between 2008 and 2011, after which it was abruptly withdrawn. A new version of the malware resurfaced from 2013 onwards. Targets include private companies, government entities and research institutes. Almost half of all infections targeted private individuals and small businesses. Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure.
The victims of Regin fall into the following categories (combined victim list from Symantec & Kaspersky):
- Telecom operators
- Government institutions
- Multi-national political bodies
- Financial institutions
- Research institutions
- Energy institutions
- Hospitality institutions
- Airline institutions
- Private individuals & small businesses
- Individuals involved in advanced mathematical/cryptographical research
Infections are also geographically diverse, having been identified in 18 different countries (combined countries via Symantec & Kaspersky):
- Saudi Arabia
Infection vector and payloads
The infection vector varies among targets and no reproducible vector had been found at the time of writing. Symantec believes that some targets may be tricked into visiting spoofed versions of well-known websites and the threat may be installed through a Web browser or by exploiting an application. On one computer, log files showed that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit.
Regin uses a modular approach, giving flexibility to the threat operators as they can load custom features tailored to individual targets when required. Some custom payloads are very advanced and exhibit a high degree of expertise in specialist sectors, further evidence of the level of resources available to Regin’s authors.
There are dozens of Regin payloads. The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.
More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base station controllers.
Regin’s developers put considerable effort into making it highly inconspicuous. Its low-key nature means it can potentially be used in espionage campaigns lasting several years. Even when its presence is detected, it is very difficult to ascertain what it is doing. Symantec was only able to analyze the payloads after it decrypted sample files.
It has several “stealth” features. These include anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used. Regin uses multiple sophisticated means to covertly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols.
Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns. The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.
The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist.
Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.
Regin was found on infected internal computer systems and email servers at Belgacom, a partly state-owned Belgian phone and internet provider, following reports last year that the company was targeted in a top-secret surveillance operation carried out by British spy agency Government Communications Headquarters, industry sources told The Intercept.
Ronald Prins, a security expert whose company Fox IT was hired to remove the malware from Belgacom’s networks, told The Intercept that it was “the most sophisticated malware” he had ever studied.
“Having analyzed this malware and looked at the [previously published] Snowden documents,” Prins said, “I’m convinced Regin is used by British and American intelligence services.”
The malware, which steals data from infected systems and disguises itself as legitimate Microsoft software, has also been identified on the same European Union computer systems that were targeted for surveillance by the National Security Agency in the months before the first discovery of Regin.
Industry sources familiar with the European Parliament intrusion told The Intercept that such attacks were conducted through the use of Regin and provided samples of its code. This discovery, the sources said, may have been what brought Regin to the wider attention of security vendors.
In Nordic mythology, the name Regin is associated with a violent dwarf who is corrupted by greed. It is unclear how the Regin malware first got its name, but the name appeared for the first time on the VirusTotal website on March 9th 2011.
Based on an analysis of the malware samples, Regin appears to have been developed over the course of more than a decade; The Intercept has identified traces of its components dating back as far as 2003. Regin was mentioned (PDF) at a recent Hack.lu conference in Luxembourg.
In the coming weeks, The Intercept will publish more details about Regin and the infiltration of Belgacom as part of an investigation in partnership with Belgian and Dutch newspapers De Standaard and NRC Handelsblad.
The Intercept has obtained samples of the malware from sources in the security community and is making it available for public download in an effort to encourage further research and analysis. (To download the malware, click here (ZIP). The file is encrypted; to access it on your machine use the password “infected.”)
Another module that was found, a plugin of type 55001.0, references a further codename, U_STARBUCKS:
Read a brief technical analysis of Regin conducted by The Intercept’s computer security staff here. Regin is an extremely complex, multi-faceted piece of work and this is by no means a definitive analysis.
Perhaps the most significant aspect of Regin is its ability to target GSM base stations of cellular networks. The malicious arsenal includes a payload that Kaspersky says was used in 2008 to steal the usernames and passwords of system administrators of a telecom somewhere in the Middle East. Armed with these credentials, the attackers would have been able to access GSM base station controllers—the part of a cellular network that controls transceiver stations—to manipulate the systems or even install malicious code to monitor cellular traffic. They could also conceivably have shut down the cellular network—for example, during an invasion of the country or other unrest.
Kaspersky won’t identify the telecom or country where this GSM hack occurred, but suggests it’s either Afghanistan, Iran, Syria or Pakistan, as out of Kaspersky’s list of countries with Regin infections, only these four are in the region popularly considered the Middle East. Afghanistan stands out among the four, having been the only one cited in recent news stories about government hacking of GSM networks.
The most elaborate and extensive infection Kaspersky saw that used this technique occurred in a Middle Eastern country the researchers decline to name. They call the infection “mind-blowing” and say in their report that it consisted of an elaborate web of networks the attackers infected and then linked together. These include networks for the office of the president of the country, a research center, an educational institute that from its name appears to be a mathematics institute, and a bank. In this case, instead of having each of the infected networks communicate with the attackers’ command server individually, the attackers set up an elaborate covert communication web between them so that commands and information passed between them as if through a peer-to-peer network. All of the infected networks then interfaced with one system at the educational institute, which served as a hub for communicating with the attackers.
Kaspersky refers to the educational institute as the “Magnet of Threats” because they found all sorts of other advanced threats infesting its network—including the well-known Mask malware and Turla—all co-existing peacefully with Regin.
But on par with this attack was one that occurred in another Middle East country against the GSM network of a large, unidentified telecom. The Kaspersky researchers say they found what appears to be an activity log the attackers used to collect commands and login credentials for one of the telecom’s GSM base station controllers. The log, about 70 KB in size, contains hundreds of commands sent to the base station controller between April 25 and May 27 of 2008. It’s unclear how many of the commands were sent by telecom administrators or by the attackers themselves in an attempt to control base stations.
The commands, which Kaspersky identified as Ericsson OSS MML commands, are used for checking the software version on a base station controller, retrieving a list of the call forwarding settings for the mobile station, enabling call forwarding, listing the transceiver route for a particular cell tower, activating and deactivating cell towers in the GSM network, and adding frequencies to the active list of frequencies used by the network. The log shows commands going to 136 different GSM cell sites—cell sites with names like prn021a, gzn010a, wdk004, and kbl027a. In addition to commands, the log also shows usernames and passwords for the telecom’s engineer accounts.
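A defender-side triage of an activity log of this shape, as an added example that is not from Kaspersky's report or any of the sources above: it extracts the set of cell sites addressed, flags cell state changes as high-risk, counts lines that leak credentials, and reports unknown mnemonics. The log lines, the MML mnemonics and their risk categories are constructed assumptions, not the real log.

```python
import re

# Constructed sample modelled on the described GSM log: timestamped MML
# commands to a base station controller, plus a login line that exposes an
# engineer credential. Every line below is made up for this example.
SAMPLE_LOG = """\
2008-04-25 03:12:41 LOGIN USER=eng01 PASS=s3cret
2008-04-25 03:13:02 RXMOP:MO=RXOTG-12;
2008-04-25 03:14:10 RLDEP:CELL=prn021a;
2008-04-25 03:15:55 RLSTC:CELL=prn021a,STATE=HALTED;
2008-04-25 03:16:20 RLSTC:CELL=gzn010a,STATE=ACTIVE;
2008-05-27 22:48:09 RXTCP:MOTY=RXOTG,CELL=kbl027a;
2008-05-27 22:49:30 ZZZZZ:CELL=wdk004;
"""

# Mnemonic-to-category mapping is an assumption for this example; a real
# deployment would load the operator's own MML command reference.
CATEGORY = {
    "RXMOP": "read software version",
    "RLDEP": "read cell description",
    "RXTCP": "list transceiver route",
    "RLSTC": "change cell state",  # can take a cell site off the air
}
HIGH_RISK = {"RLSTC"}

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([A-Z]+)\b(.*)$")
CELL_RE = re.compile(r"CELL=([A-Za-z0-9]+)")
CRED_RE = re.compile(r"\bPASS(?:WORD)?=", re.I)


def triage(log: str) -> dict:
    """Summarise a BSC activity log for an incident responder."""
    cells, high_risk, unknown, timestamps, cred_lines = set(), [], {}, [], 0
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, cmd, rest = m.groups()
        timestamps.append(ts)
        if CRED_RE.search(line):
            cred_lines += 1  # plaintext credential written to the log
        cell = CELL_RE.search(rest)
        if cell:
            cells.add(cell.group(1))
        if cmd in HIGH_RISK:
            high_risk.append((ts, cmd, cell.group(1) if cell else None, rest))
        elif cmd not in CATEGORY and cmd != "LOGIN":
            unknown[cmd] = unknown.get(cmd, 0) + 1  # unrecognised mnemonic
    return {"cells": cells, "high_risk": high_risk, "credential_lines": cred_lines,
            "unknown": unknown, "span": (min(timestamps), max(timestamps)) if timestamps else None}
```

Run over the real log, the distinct cell count (136 in the case above) and the span of timestamps give an immediate scope of the intrusion, while the high-risk list shows which sites had their state changed.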
Both of these infections—targeting the GSM network and the presidential network—appear to be ongoing. As news of the Regin attack spreads and more security firms add detection for it to their tools, the number of victims uncovered will no doubt grow.
Until now no one has publicly disclosed details of this cyberespionage campaign. Why?
Symantec’s Thakur said that they had been investigating Regin since last year, but only felt “comfortable” publishing details of it now.
Raiu, the researcher from Kaspersky, said they had been tracking Regin for “several years” but rushed to publish the report after a journalist contacted them last week asking for comments about Regin, indicating a competitor was about to come out with their own report.
For Prins, the reason is completely different.
“We didn’t want to interfere with NSA/GCHQ operations,” he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to “global security.”
Mikko Hypponen, a renowned security expert and chief research officer for F-Secure, said that while they had detected some parts of Regin since 2009, they were not at liberty to discuss their discovery due to confidentiality agreements with customers who asked them not to publish details of hacks they suffered.
Both Symantec and Kaspersky denied having ever been asked by anyone, including governments, to withhold information related to Regin.