Another highly advanced and highly stealthy Advanced Persistent Threat (or APT) has come to light over the past few weeks. It has been around at least since 2008, and it may have been active for several years before that. Its stealthiness and complexity have delayed detection and defensive analysis.
Symantec and Kaspersky Labs have released detailed reports on what most are calling Regin. They took different approaches, with Symantec researching and reporting the technical details and Kaspersky analyzing its apparent objectives.
Both of them report that this malware represents significant threat advances, and it’s not yet clear how it gets into systems in the first place.
What is clear is that Regin is very sophisticated, one of the most advanced attack systems analyzed by either of those top-tier cybersecurity providers, and it is likely to be a nation-state project used to support intelligence gathering. It seems to have some similarities to Duqu, Stuxnet, and others in that set of related malware systems.
Regin has a complex five-stage architecture; it is a system, not a standalone package. It isn’t a single threat; it is a platform that can be customized for use against a specific victim. Regin can deploy customized combinations of keyloggers, file and message content extractors, network command and control components, and whatever else the attacker finds useful against a specific victim. This malware is not the typical monolithic block; it is built on an architecture like that used for sophisticated software systems.
Apart from the stage one loader, which is highly polymorphic to frustrate detection, all the stages are encrypted and hidden either outside the file system or within the registry.
As for the analysis of the apparent targets and speculation as to the motivation and source, roughly half the infected systems were in either Russia or Saudi Arabia — 28% and 24%, respectively. The others are spread around the world, with the obvious exception of the U.S., U.K., and a few other western European countries that seem to remain free of infection.
Regin has been implicated in a high-level intrusion into Belgacom, a Belgian telecommunications provider, in late 2013, and the European Commission and European Council in 2011. Documents released by Ed Snowden attribute the Belgacom exploit to GCHQ, leading some media outlets to immediately conclude that they’re the source. However, Symantec and Kaspersky haven’t announced any conclusions about attribution. Kaspersky did report that the development timestamps are almost entirely limited to 1200-2100 UTC, typical working hours on the US east coast, but say “As this information could be easily altered by the developers, it’s up to the reader to attempt to interpret this: as an intentional false flag or a non-critical indicator left by the developers.”
Kaspersky’s report describes two impressive exploits made by Regin. The first was the monitoring and manipulation of a GSM network in an unnamed Middle Eastern country. The stage 4 “dispatcher” of Regin deploys and controls the modules, and one of the available modules is customized for exploiting GSM systems.
Regin is designed to operate in a semi-autonomous fashion. Multiple infected systems within one organization or nation can operate under the control of just one of those systems. The “inside” controller is the only one that communicates with an external command and control (or C&C) server, greatly reducing the probability of detection. The communication between the Regin-infected nodes stays within the organization, government, or corporation.
This leads to the second very impressive Regin exploit reported by Kaspersky. In an unnamed Middle Eastern country (it’s uncertain if this is the same one with the completely subverted GSM network), Regin infected systems at an educational institution as well as the office of the national president, a national research institute, and a bank.
The exploited machines communicated with each other in a peer-to-peer network. Traffic between the national president’s offices, a research institute, and a major bank certainly seems legitimate, even critical to the operation of national agencies. And communication between any or all of them and a major educational institution in the country seems like the very sort of synergy that national leaders want.
In this case one of the infected machines at the educational institution was the gateway to the C&C server. But again, you would hope that your major universities had and used international connections!
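The relay topology described above (internal nodes talking only to each other, with a single node carrying all traffic to the external C&C server) is something a defender can look for in flow records. The following is an added example, not code from the Symantec or Kaspersky reports: a hypothetical heuristic over constructed flow records that flags any internal host which exchanges traffic with a cluster of internal peers and is the only member of that cluster with external connections. The address ranges and records are assumptions invented for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (source, destination); not real Regin telemetry.
# 10.0.1.10 talks to two internal peers and is the only one of them reaching outside,
# which is the "inside controller" pattern the Kaspersky report describes.
FLOWS = [
    ("10.0.1.10", "10.0.1.20"), ("10.0.1.20", "10.0.1.10"),
    ("10.0.1.10", "10.0.1.30"), ("10.0.1.30", "10.0.1.10"),
    ("10.0.1.20", "10.0.1.30"),
    ("10.0.1.10", "203.0.113.5"),   # sole egress from the cluster
    ("10.0.2.50", "198.51.100.9"),  # ordinary workstation with one peer: not flagged
    ("10.0.2.50", "10.0.2.51"),
]

# Assumed internal address space for the organization under review.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def find_relay_candidates(flows, min_peers: int = 2) -> dict:
    """Return hosts that have >= min_peers internal peers, reach external
    addresses, and whose peers themselves never reach outside the network."""
    peers = defaultdict(set)      # host -> set of internal peers
    external = defaultdict(set)   # host -> set of external destinations
    for src, dst in flows:
        if is_internal(src) and is_internal(dst):
            peers[src].add(dst)
            peers[dst].add(src)
        elif is_internal(src):
            external[src].add(dst)

    candidates = {}
    for host, host_peers in peers.items():
        if len(host_peers) < min_peers or host not in external:
            continue
        # The cluster's only outside talker is the relay candidate.
        if not any(p in external for p in host_peers):
            candidates[host] = {
                "peers": sorted(host_peers),
                "external": sorted(external[host]),
            }
    return candidates


if __name__ == "__main__":
    for host, info in find_relay_candidates(FLOWS).items():
        print(f"relay candidate {host}: peers={info['peers']} external={info['external']}")
```

Real traffic would need richer attributes (ports, protocols, byte counts, duration) before any host is treated as more than a triage lead, since a legitimate proxy or jump host produces the same topology.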
I will be teaching Learning Tree’s System and Network Security Introduction course later this month and again next month. We will certainly have something to discuss in those courses!