Regin Spyware Was Operational For At Least 6 Years: Who Created It and Why?


No one knows for sure who created Regin, the highly sophisticated malware that security researchers believe was built to spy on government entities, telecommunications networks, private companies and individual users.

Security researchers at Symantec published the first report on Regin, a very complex and powerful malware architecture that has been conducting mass surveillance all over the world possibly since 2008.

The first instances of Regin became known in 2011, when the European Commission discovered that numerous systems of its own, as well as the European Council's, had been attacked by a zero-day exploit. Two years later, Belgacom, Belgium's partly state-owned mobile network operator, announced another advanced attack, in which the hackers stole system administrators' passwords to gain access to the cellular network's routers. Soon after, prominent Belgian cryptographer Jean-Jacques Quisquater became the third victim of attacks.

Now, all three attacks are said to be linked to Regin. While no one can tell who wrote Regin or exactly how it launches an attack, Symantec has mapped where the attacks are taking place. Russia, Saudi Arabia, Mexico and Ireland appear to have the highest number of infections, while private individuals and small businesses make up the bulk of victims. However, additional research by Kaspersky Lab shows Regin is also capable of targeting GSM base stations of cellular networks.

This is exactly what happened in a 2008 hijacking of a telecommunications company in the Middle East, where attackers used Regin to steal the credentials of the network's system administrators. Kaspersky would not say which country the attack took place in, but Iran, Syria and Pakistan are the only three Middle Eastern countries found to be infected with Regin. Afghanistan, which is in South Asia but is often mistaken for part of the Middle East, has also been infected.

News reports about the Belgacom and Quisquater attacks have pointed to the National Security Agency (NSA) and Britain's Government Communications Headquarters (GCHQ) as the culprits.

Documents leaked by former NSA contractor Edward Snowden also revealed two U.S. government operations, codenamed MYSTIC and SOMALGET, which targeted mobile networks in several countries to collect information about calls made over those networks and to intercept calls for full recording. Telecoms companies in Mexico, Kenya and the Philippines were said to have been hijacked by attackers harvesting metadata about their calls, while in the Bahamas and Afghanistan the attackers snooped on the content of private calls.

Additional documents reveal the NSA was also planning to target the European Commission. The documents were dated 2010, a year before the commission was attacked. Security firms, however, have yet to establish any direct connection between Regin and its author.

To appreciate the severity of the concern raised by security firms, one must understand how Regin works, although security researchers admit there is still much left to discover about the malware. It is not just one piece of malicious software that infects a system. Regin is an entire "complex architecture" of malware made up of many separate components that have to be pieced together, which makes it difficult for researchers to fully understand how it works unless they have all of the components.

"Regin is the cyber equivalent of a specialist covert reconnaissance team," says Pedro Bustamante, director of special projects at Malwarebytes. "The analysis shows it to be highly adaptable, changing its method of attack depending on the target."

Symantec describes Regin in a blog post as a multi-stage, modular threat. Researchers have not yet uncovered exactly how the malware infiltrates a system, but in one instance attackers launched Regin using a zero-day exploit of a Yahoo Messenger vulnerability. Still, experts believe this is not the only way Regin can enter a machine. The Belgacom attack, for example, used a rogue server that redirected system administrators to a website that infected their systems with the malware.

Once it infiltrates a system, Regin unpacks itself in five stages, with the first stage, a backdoor-type Trojan, being the only unencrypted stage. Executing the Trojan sets off what Symantec calls a domino chain of decryptions: the first three stages configure the architecture and the last two execute the payloads, which vary according to who is being attacked.

Regin can do many things, depending on what the operators need. It can steal passwords, read emails, capture screenshots, take over the mouse, monitor network traffic and retrieve deleted files. Costin Raiu, head of Kaspersky's global research and analysis team, says this is all made possible by the conductor, "the brain of the whole platform."

"It's like a Cuisinart," says Kevin Haley, director of Symantec's Security Response. "There's the base then you can add on all sorts of attachments that do different things, from grinding meat for sausage to making pasta."

Regin also has sophisticated stealth features to keep it under the radar. The malware tucks its data away in Extended Attributes, a file-system facility that stores metadata about files, including data about when and where a suspicious file was downloaded. Because Extended Attributes have a size limit, Regin splits its data into separate chunks and reassembles them when they are needed.
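One defensive check the chunked-storage behaviour suggests is to scan a file inventory for extended attributes that look like split payloads: several attributes whose names differ only by a trailing number, or a total EA size far beyond what ordinary metadata needs. The code below is an added illustration, not analysis code from Symantec or Kaspersky; the inventory, attribute names and thresholds are constructed, and the real EA names Regin uses are not given on this page.

```python
import re
from collections import defaultdict

# Constructed inventory standing in for the output of an EA enumeration tool:
# path -> {extended attribute name: raw bytes}. cache.dat carries four numbered
# chunks (assumed pattern), the other two files carry ordinary small metadata.
INVENTORY = {
    r"C:\Windows\System32\drivers\example.sys": {"SAMPLE.META": b"\x00" * 48},
    r"C:\Windows\Temp\cache.dat": {
        "BLK0": b"A" * 4096, "BLK1": b"B" * 4096,
        "BLK2": b"C" * 4096, "BLK3": b"D" * 1200,
    },
    r"C:\Users\alice\report.docx": {"SAMPLE.ORIGIN": b"constructed-origin-record"},
}

# Attribute names ending in a number, e.g. BLK0 .. BLK3 (prefix may be empty).
CHUNK_NAME = re.compile(r"^(?P<prefix>[A-Za-z_$.]*?)(?P<index>\d+)$")


def chunk_groups(eas):
    """Group EA names that differ only by their trailing number."""
    groups = defaultdict(dict)
    for name, blob in eas.items():
        m = CHUNK_NAME.match(name)
        if m:
            groups[m.group("prefix")][int(m.group("index"))] = blob
    return groups


def suspicious_ea_storage(inventory, min_chunks=3, max_total=16 * 1024):
    """Flag files whose EAs look like split storage. Returns a list of
    (path, reason, total_bytes). A file is reported once: either because its
    EA total is implausibly large, or because it carries a contiguous run of
    numbered chunks 0..n-1 (at least min_chunks of them)."""
    findings = []
    for path, eas in inventory.items():
        total = sum(len(b) for b in eas.values())
        if total > max_total:
            findings.append((path, "ea_total_too_large", total))
            continue
        for prefix, chunks in chunk_groups(eas).items():
            contiguous = sorted(chunks) == list(range(len(chunks)))
            if len(chunks) >= min_chunks and contiguous:
                size = sum(len(b) for b in chunks.values())
                findings.append((path, f"numbered_chunks:{prefix}x{len(chunks)}", size))
    return findings


if __name__ == "__main__":
    for path, reason, size in suspicious_ea_storage(INVENTORY):
        print(f"{path}: {reason} ({size} bytes)")
```

The thresholds are starting points only; legitimate software also stores data in EAs, so hits should be triaged against a baseline of what normally appears on the host.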

It even communicates with the attacker in a sophisticated way: infected machines talk only to other machines on the same network, and a single node then communicates with the command server on their behalf. This limits the amount of traffic leaving the network, warding off suspicion that something malicious is going on.
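The relay pattern just described leaves a shape in flow data that defenders can look for: one internal host that receives traffic from several internal peers which never talk to the outside themselves, while that host alone sends data out. The detection below is an added example rather than anything from the vendors' reports; the flow records, addresses and port are constructed, and the `known_servers` allowlist is an assumption for suppressing legitimate hubs such as proxies and DNS servers.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.20.0.0/16")

# Constructed NetFlow-style records: (src, dst, dst_port, bytes). Hosts .5, .6
# and .7 talk only to .9 over an unusual port; only .9 reaches the outside.
FLOWS = [
    ("10.20.1.5", "10.20.1.9", 4444, 52000),
    ("10.20.1.6", "10.20.1.9", 4444, 31000),
    ("10.20.1.7", "10.20.1.9", 4444, 47000),
    ("10.20.1.9", "203.0.113.10", 443, 140000),
    ("10.20.1.5", "10.20.0.2", 53, 400),        # ordinary internal DNS
    ("10.20.1.6", "10.20.0.2", 53, 380),
    ("10.20.1.8", "198.51.100.7", 443, 9000),   # normal direct web traffic
    ("10.20.0.2", "192.0.2.53", 53, 600),       # the DNS server's upstream
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_relay_candidates(flows, min_peers=3, known_servers=frozenset()):
    """Return internal hosts that (a) receive traffic from at least min_peers
    internal sources, (b) send traffic to external addresses themselves, and
    (c) whose internal sources send nothing outside at all."""
    inbound = defaultdict(set)        # host -> set of internal sources
    inbound_bytes = defaultdict(int)  # host -> bytes received from inside
    egress = defaultdict(int)         # host -> bytes sent to external addresses
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound[dst].add(src)
            inbound_bytes[dst] += nbytes
        elif is_internal(src):
            egress[src] += nbytes
    results = []
    for host, peers in inbound.items():
        if host in known_servers or len(peers) < min_peers or egress[host] == 0:
            continue
        if all(egress[p] == 0 for p in peers):
            results.append({"relay": host, "peers": sorted(peers),
                            "bytes_in": inbound_bytes[host],
                            "bytes_out": egress[host]})
    return results


if __name__ == "__main__":
    for hit in find_relay_candidates(FLOWS):
        print(hit)
```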

The complexity of Regin is what leads security researchers to believe that this is not just the work of a group of hackers looking to make a buck. They believe Regin took "months, if not years" to develop, and operating such advanced malware requires massive resources to maintain. Unfortunately, they have yet to find clues about which nation state is behind Regin. Haley notes that the code was written in English, but points out that "many nations use English." However, as news of the malware spreads, it is likely that more reports about previous attacks will surface and give researchers more information to help them identify the culprit.
