Regin – How A Presidential Office And An Entire GSM Network Were Compromised And Infiltrated


Just two days back, researchers over at Symantec discovered a highly sophisticated piece of malware dubbed 'Regin' that has been in operation for over six years. The bug is said to be highly complex in nature and has been used to target a number of countries worldwide and siphon data.

Opening The Black Box Of The Regin Malicious System

In fact, the truth surrounding Regin is so vague at the moment that researchers are claiming that several samples of the bug have timestamps dating back to 2003. Regin is being said to be dual purpose in nature. One of the bug's purposes is to gather intelligence, as we informed you in our previous post about the matter. The second is to facilitate other attacks on systems and networks the bug has managed to penetrate.

Well, thanks to folks over at Securelist and Symantec we now know how this master bug functions and has managed to avoid detection for so long. But before we get into that, it would be wise to take a look at the range of different systems that Regin has managed to penetrate and gather information from.

Rather than naming specific institutions or government agencies, Regin's target list consists of categories of networks and systems on which the bug has been found. These include, but are not limited to:

  • Telecom operators
  • Government institutions
  • Multi-national political bodies
  • Financial institutions
  • Research institutions
  • Individuals involved in advanced mathematical and cryptographical research.

Two entries in the list above are of particular interest, which are coincidentally the first and the last. Telecom operators have been penetrated by Regin for a purpose much more disturbing than simple intelligence gathering: the bug has been used to launch sophisticated cyber attacks from compromised telecom operators as well.

As far as the last entry goes, the well-known Belgian cryptographer Jean-Jacques Quisquater reported this February that his system had been compromised via a sophisticated cyber attack. Samples from his computer have since confirmed that the malicious entity infecting it was indeed Regin.

So how does Regin work? As should be clear by now, the bug's inner workings are just as complex and complicated as its actions. The severity of its capabilities merits a post of its own. But before that, let's take a look at how far and wide Regin's impact has been. Later, we'll also take a look at what makes Regin tick.

The Victims.

As you can see from the infographic above, Regin's victims are spread all over the globe. The data above comes from statistics collected over roughly two years, aided by the fact that some of the malware's traces remain on a compromised system even after the entity itself has been removed.

Countries on Regin's hit list include the likes of Germany, Brazil, Saudi Arabia, India and Pakistan. The list of countries identified so far contains 14 nations, and the bug's total victim count is 27. The definition of a victim is broader than a country and includes, as elaborated above, entities such as corporations, GSM networks and more.

The Who?

So far, precise data about those behind Regin isn't available. Considering the sophistication involved in the bug's creation and the cost this amount of complexity would likely incur, it is highly likely that a nation state is either directly or indirectly behind the bug's development and operation. Development timestamps have been collected from Regin's samples and are shown in the chart above. But keep in mind that timestamps can easily be manipulated by developers, so no firm conclusions can be drawn from them.

Some fingers are also pointing towards a highly advanced attack group named Regin which has been targeting high-value establishments around the world for more than a decade. The operation still appears to be active, with its primary attack tool, the malware, being upgraded to a 64-bit version. But as mentioned above, the involvement of a nation state, given the technical complexity of the bug and the costs associated with its development, cannot be ruled out.

And Finally . . . The How?

The name Regin is a reversed form of 'In Reg', which describes the bug's medium of operation: it stores its modules in the compromised system's registry. Before getting into what makes Regin work, we first take a look at how the bug initially gains access to compromised systems and networks.

So far, there is no concrete information available on what method Regin uses to gain access to systems. Several theories, including zero-day browser vulnerabilities and man-in-the-middle attacks, are being put forward, with the bug's modules being designed for lateral movement and replication. An attack in 2011 suggests a zero-day vulnerability in Yahoo Messenger was used, while another involving Belgacom, Belgium's largest telecommunication company, featured the man-in-the-middle technique, in which an attacker simultaneously monitors and injects messages into a communication channel.

It's also being said that Regin copies itself to remote computers on a network through Windows administrative shares, which requires administrative privileges inside the network. Targeting system administrators is therefore an easy and efficient way of gaining access to entire networks.
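From a defender's side, the administrative-share spreading described above leaves a trail in the Windows Security log: each access to a hidden share such as `ADMIN$` or `C$` on a target host produces event 5140 ("A network share object was accessed"). The script below is an added example, not code from the original post or from the Securelist or Symantec reports, and it flags any account that reaches administrative shares on several distinct hosts within a short window. The event records, host names, account names and addresses are constructed for the example; the field names (`SubjectUserName`, `ShareName`, `IpAddress`, `Computer`) follow the real event's data names, and the threshold and window are tuning assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records modelled on Windows Security event 5140. Hosts, users,
# addresses and times are invented for this example.
SAMPLE_EVENTS = [
    {"TimeCreated": "2014-11-20T09:01:10", "EventID": 5140, "Computer": "HOST-A",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.25", "ShareName": "\\\\*\\ADMIN$"},
    {"TimeCreated": "2014-11-20T09:02:40", "EventID": 5140, "Computer": "HOST-B",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.25", "ShareName": "\\\\*\\C$"},
    {"TimeCreated": "2014-11-20T09:03:00", "EventID": 5140, "Computer": "FILESRV-1",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.31", "ShareName": "\\\\*\\Public"},
    {"TimeCreated": "2014-11-20T09:04:05", "EventID": 5140, "Computer": "HOST-C",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.25", "ShareName": "\\\\*\\ADMIN$"},
    {"TimeCreated": "2014-11-20T09:10:00", "EventID": 5140, "Computer": "HOST-D",
     "SubjectUserName": "admin2", "IpAddress": "10.0.0.12", "ShareName": "\\\\*\\ADMIN$"},
    {"TimeCreated": "2014-11-20T11:30:00", "EventID": 5140, "Computer": "HOST-E",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.25", "ShareName": "\\\\*\\ADMIN$"},
]


def is_admin_share(share_name: str) -> bool:
    """True for the hidden administrative shares: ADMIN$ and drive shares like C$."""
    leaf = share_name.rsplit("\\", 1)[-1].upper()
    return leaf == "ADMIN$" or (len(leaf) == 2 and leaf[0].isalpha() and leaf[1] == "$")


def detect_admin_share_fanout(events, threshold=3, window=timedelta(minutes=10)):
    """Report accounts that touch admin shares on >= threshold distinct hosts
    within any `window`-long span. Returns a list of findings, one per account."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 5140 or not is_admin_share(ev["ShareName"]):
            continue
        per_user[ev["SubjectUserName"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["Computer"], ev["IpAddress"]))

    findings = []
    for user, accesses in per_user.items():
        accesses.sort()
        best = None
        # Slide a forward-looking window from each access and keep the widest fan-out.
        for t_start, _, _ in accesses:
            in_window = [a for a in accesses if t_start <= a[0] <= t_start + window]
            hosts = {host for _, host, _ in in_window}
            if len(hosts) >= threshold and (best is None or len(hosts) > len(best["targets"])):
                best = {
                    "user": user,
                    "targets": sorted(hosts),
                    "source_ips": sorted({ip for _, _, ip in in_window}),
                    "first_seen": t_start.isoformat(),
                }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_admin_share_fanout(SAMPLE_EVENTS):
        print(f"{finding['user']} from {finding['source_ips']} reached admin shares on "
              f"{finding['targets']} starting {finding['first_seen']}")
```

In the sample data only `svc_backup` trips the rule: it reaches `ADMIN$` or `C$` on three hosts within four minutes, while the later `HOST-E` access falls outside the window and `admin2` touches a single host. Ordinary share access (`\\*\Public`) is ignored entirely. In practice the threshold should be set per environment, since backup and patch-management accounts legitimately fan out, so a whitelist of known source hosts is the usual companion to this check.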

After Regin has gained access to a system, its highly complex nature involves a five-step process through which it establishes itself on the system and starts its intelligence gathering. The first three stages of the process involve the bug loading itself and creating marker files which can be used to identify the infected machine. A dispatcher is also created in the second and/or third step.

The dispatcher then carries out the bug's dirty work in steps three and five. This involves "providing an API to access virtual file systems, basic communications and storage functions as well as network transport sub-routines." - Securelist. Long story short, Regin can now recover deleted files, collect tertiary device information, give attackers backdoor access to infected systems and much more. You can catch the drift.

Oh . . . And The Country.

Regin's story won't be complete without taking a look at how hackers managed to gain access to an entire country's communication systems. In a specific Middle Eastern country, an entire network of infected victims was discovered, through which the infected devices communicate with each other and end up forming a P2P network.

This network, as shown above by folks over at Kaspersky Lab, includes a bank, a research institute, an educational institution and the president's office. The educational institution is of particular significance here, as researchers found several other threats, including Turla and Mask, present on its network.

The existence of such a network lets attackers raise very little suspicion about the nature of traffic passing between two different nodes on the network. The attackers also simply need to run one command, which is then copied between all members of the network. To add a cherry on top, one of the victims also contains a translation drone which is capable of forwarding packets outside the country.
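The traffic pattern just described, several internal nodes exchanging traffic among themselves while a single node forwards data out of the country, is something a network defender can look for in flow records. The script below is an added example and is not code from the original post or from Kaspersky's analysis. It scans constructed NetFlow-style records for internal hosts that receive connections from multiple internal peers and, shortly afterwards, send traffic to an external address, which is the shape of the "translation drone" role. The internal address ranges, the flow records, the minimum peer count and the correlation window are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed internal address ranges; adjust to the network being analysed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records: (timestamp, src, dst, dst_port, bytes).
# External addresses are taken from the reserved documentation ranges.
SAMPLE_FLOWS = [
    ("2014-11-20T02:00:00", "10.1.1.10", "10.1.1.20", 49152, 4096),
    ("2014-11-20T02:00:05", "10.1.1.30", "10.1.1.20", 49152, 2048),
    ("2014-11-20T02:00:07", "10.1.1.40", "10.1.1.20", 49152, 8192),
    ("2014-11-20T02:01:00", "10.1.1.20", "203.0.113.7", 443, 16384),  # relay out
    ("2014-11-20T08:00:00", "10.1.1.10", "10.1.1.50", 445, 1024),     # normal SMB
    ("2014-11-20T08:05:00", "10.1.1.50", "198.51.100.9", 80, 512),    # normal web
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(flows, min_peers=2, window=timedelta(minutes=15)):
    """Return {host: {"peers": [...], "external": [...]}} for internal hosts that
    received traffic from >= min_peers distinct internal hosts in the `window`
    before sending traffic to an external address."""
    inbound = defaultdict(list)   # dst -> [(time, src)] for internal -> internal
    egress = defaultdict(list)    # src -> [(time, dst)] for internal -> external
    for ts, src, dst, _port, _nbytes in flows:
        t = datetime.fromisoformat(ts)
        if is_internal(src) and is_internal(dst):
            inbound[dst].append((t, src))
        elif is_internal(src):
            egress[src].append((t, dst))

    findings = {}
    for host, outs in egress.items():
        peers = set()
        for t_out, _dst in outs:
            # Only peers that talked to this host shortly before it went external count.
            for t_in, src in inbound.get(host, []):
                if t_out - window <= t_in <= t_out:
                    peers.add(src)
        if len(peers) >= min_peers:
            findings[host] = {"peers": sorted(peers),
                              "external": sorted({dst for _, dst in outs})}
    return findings


if __name__ == "__main__":
    for host, info in find_relay_candidates(SAMPLE_FLOWS).items():
        print(f"{host} fed by {info['peers']} and forwarding to {info['external']}")
```

On the sample data `10.1.1.20` is the only candidate: three internal hosts reach it on a high port within two minutes before it pushes a larger volume to `203.0.113.7`. The file server `10.1.1.50` also talks outside, but only one internal host fed it beforehand, so it stays below the peer threshold. Real deployments would add the per-site baseline (which internal hosts normally talk to each other) and look at byte ratios, since a relay tends to send out roughly what it took in.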

. . . And A GSM Network Too.

As if forming a network of infected devices on a country's communications wasn't enough, the attackers behind Regin also managed to infect a large GSM operator in an unnamed country. Operating through the network's base station controllers, the attackers have managed to enable call forwarding, deactivate and activate cell towers in the network, and add frequencies to the ones already in use by the network.

The command log for the GSM network's base station discovered by the researchers covers only one month of activity. After that, the activities of the attackers behind Regin are in the dark. So that marks the end of what we know so far about Regin, and why its discovery should be a cause for major concern for anyone remotely concerned about data privacy in today's age. Bear in mind that these discoveries are only at the initial stage. There is no doubt that many more victims will surface as more information about the bug becomes available. We'll keep you updated.