Kaspersky warns of Regin, a complete espionage platform
By Digital News Asia November 27, 2014
- Targets telcos, governments, financial institutions, research organisations, etc.
- Victims found in at least 14 countries including Indonesia and Malaysia
KASPERSKY Lab’s Global Research and Analysis Team has published research on Regin, which it described as the first cyber-attack platform known to penetrate and monitor GSM networks in addition to other ‘standard’ spying tasks.
The attackers behind this platform have compromised computer networks in at least 14 countries around the world, including Malaysia and Indonesia, the company said in a statement.
In a report, Mashable said that according to several security researchers, “this is the sophisticated work of hackers who dabble as government agents,” adding that all signed pointed to the US National Security Agency or the UK-based Government Communications Headquarters.
Meanwhile, Kaspersky Lab said the main victims of this actor have been telecom operators, governments, financial institutions, research organisations, multinational political bodies, and individuals involved in advanced mathematical/ cryptographical research.
Victims of this actor have been found in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Syria and Russia.
The Regin platform consists of multiple malicious tools capable of compromising the entire network of an attacked organization, Kaspersky Lab said.
It uses an incredibly complex communication method between infected networks and command and control servers, allowing remote control and data transmission by stealth.
One particular Regin module is capable of monitoring GSM base station controllers, collecting data about GSM cells and the network infrastructure.
Over the course of a single month in April 2008 the attackers collected administrative credentials that would allow them to manipulate a GSM network in a Middle Eastern country, the company said, adding that some of the earliest samples of Regin appear to have been created as early as 2003.
Not just malware but an entire platform
Kaspersky Lab experts first became aware of Regin malware, which seemed to belong to a sophisticated espionage campaign, in 2012.
For almost three subsequent years, Kaspersky Lab said its experts tracked this malware all over the world. From time to time, samples would appear on various multi-scanner services, but they were all unrelated to each other, cryptic in functionality and lacking context.
However, Kaspersky Lab experts were able to obtain samples involved in several real-world attacks, including those against governmental institutions and telecom operators, and this provided enough information to research more deeply into this threat.
That in-depth study found that Regin is not just a single malicious program, but a platform – a software package, consisting of multiple modules, capable of infecting the entire networks of targeted organisations to seize full remote control at all possible levels.
Regin is aimed at gathering confidential data from attacked networks and performing several other types of attacks.
The actor behind the Regin platform has a well-developed method to control the infected networks. Kaspersky Lab experts observed several compromised organisations in one country, but only one of them was programmed to communicate with the command and control server located in another country.
However all the Regin victims in the region were joined together in a peer-to-peer VPN-like (virtual private network) network and able to communicate with each other.
Thus, attackers turned compromised organisations in one vast unified victim and were able to send commands and steal the information via a single entry point.
According to Kaspersky Lab’s research this structure allowed the actor to operate silently for years without raising suspicions.
The most original and interesting feature of the Regin platform, though, is its ability to attack GSM networks.
According to an activity log on a GSM Base Station Controller obtained by Kaspersky Lab researchers during the investigation, attackers were able to obtain credentials that would allow them to control GSM cells in the network of a large cellular operator.
This means that they could have had access to information about which calls are processed by a particular cell, redirect these calls to other cells, activate neighbour cells, and perform other offensive activities.
At the present time, the attackers behind Regin are the only ones known to have been capable of doing such operations, the company said.
“The ability to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations,” said Costin Raiu (pic), director of the Global Research and Analysis Team at Kaspersky Lab.
“In today’s world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end-user.
“Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, other parties can hijack this ability and abuse it to launch different attacks against mobile users,” he added.
Mobile network operators the next frontier for hackers
Mobile matters and cyber espionage
Kaspersky Lab uncovers ‘The Mask,’ advanced global cyber-espionage ops
Censorship 2.0: Shadowy forces controlling online conversations
For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.