The biggest security story this week centers on Symantec’s detailed analysis of Regin, an advanced piece of malware traced back to as early as 2008. Much like last year’s disclosures about extensive NSA surveillance—where the existence of such programs was suspected but the scale was not fully understood—Regin reveals a long-running, stealthy threat used for targeted espionage.
Symantec’s report suggests Regin was likely developed for government-grade surveillance. The malware has been used in high-profile intrusions, including attacks on Belgian carrier Belgacom and the systems of cryptographer Jean-Jacques Quisquater—incidents that have been publicly associated with the NSA and Britain’s GCHQ. An intrusion displaying Regin-like behavior was also used against the European Commission in 2011, although the exact origin of that attack remains unconfirmed.
“Regin’s developers put considerable effort into making it highly inconspicuous,” Symantec states. “Its low-key operation means it can potentially be used in espionage campaigns lasting several years. Even when detected, its activities can be very difficult to determine.”
Kaspersky Lab identifies the following categories as likely targets for Regin:
- Telecommunications operators
- Government agencies
- Multinational political organizations
- Financial institutions
- Research centers
- Individuals involved in advanced mathematics or cryptographic research
Further analysis by Kaspersky showed Regin can compromise GSM base stations used by cellular providers. A GSM base station allocates radio resources for mobile calls and handles handovers between neighboring sites—functions that make it a valuable target for surveillance and interception. By accessing base-station systems, attackers could manipulate call handling and monitoring mechanisms.
Kaspersky recovered logs from a compromised base station and decoded several commands used by the malware. These commands reveal capabilities for querying and manipulating network elements and settings:
- rxmop – check software version and type
- rxmsp – list current call forwarding settings for a mobile station
- rlcrp – list call forwarding settings for the Base Station Controller
- rxble – enable or unblock call forwarding
- rxtcp – display the Transceiver Group for a specific cell
- allip – show external alarm status
- dtstp – display Digital Path (DIP) settings used to supervise connected PCM lines
- rlstc – activate cells in the GSM network
- rlstp – deactivate cells in the GSM network
- rlmfc – add frequencies to the broadcast control channel allocation list
- rlnri – add a neighboring cell
- rrtpp – show radio transmission transcoder pool details
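For a defender, the value of a decoded command list like this is in auditing: a base-station or BSC command log can be screened for operations that change call routing or cell state, especially when they follow reconnaissance commands in the same operator session. The following is an added example, not code from the Kaspersky report; the log format, operator names and the grouping of commands into reconnaissance versus modification are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Commands decoded from the compromised base-station logs, grouped by effect.
# The grouping is an assumption for this example, not from the report.
RECON = {"rxmop", "rxmsp", "rlcrp", "rxtcp", "allip", "dtstp", "rrtpp"}
MODIFY = {"rxble", "rlstc", "rlstp", "rlmfc", "rlnri"}

# Constructed sample log (hypothetical format): "<ISO timestamp> <operator> <command> [args]"
SAMPLE_LOG = """\
2013-11-02T03:14:05 maint1 rxmop
2013-11-02T03:14:21 maint1 rxmsp msnum=12
2013-11-02T03:15:02 maint1 rxble msnum=12
2013-11-02T09:30:11 ops7 allip
2013-11-02T09:31:40 ops7 rlstp cell=A12
2013-11-02T15:00:00 ops7 rlstc cell=A12
"""


def parse(log):
    """Parse the constructed log format into (timestamp, operator, command, args)."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, cmd, *args = line.split()
        events.append((datetime.fromisoformat(ts), user, cmd.lower(), args))
    return events


def flag_commands(log, window=timedelta(minutes=10)):
    """Return one tuple per modifying command: (operator, command, timestamp, tag).

    tag is "recon-then-modify" when the same operator issued a reconnaissance
    command within `window` beforehand (the pattern an operator reviewing the
    decoded command set would want surfaced first), otherwise "modify".
    """
    last_recon = {}
    findings = []
    for ts, user, cmd, _ in parse(log):
        if cmd in RECON:
            last_recon[user] = ts
        elif cmd in MODIFY:
            prev = last_recon.get(user)
            recent = prev is not None and ts - prev <= window
            tag = "recon-then-modify" if recent else "modify"
            findings.append((user, cmd, ts.isoformat(), tag))
    return findings
```

Every modifying command is reported so that call-forwarding and cell-state changes can be reconciled against change tickets; the tag only prioritises review.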
Regin’s primary goals appear to be intelligence collection and establishing footholds for further attacks. In many cases the malware did not disrupt GSM network operation; instead it harvested sensitive data such as emails and documents from infected machines. That low-profile approach helps maintain long-term access while avoiding detection.
One particularly striking case in the Middle East—described by Kaspersky as “mind-blowing”—involved multiple compromised organizations that, together, formed a large peer-to-peer routing network. In that scenario, the attack linked networks belonging to a presidential office, a research center, an educational institution, and a bank, enabling traffic to be routed through trusted internal destinations to hide malicious activity. For example, communications from a bank could be routed through the president’s office to reduce suspicion.
To date, Regin has been detected in 14 countries affecting 27 distinct networks (where each “victim” represents an entire network composed of many individual computers). The most recent sample identified came from spring 2014, indicating the malware remained active then and may have been further developed or updated since.
Do you think governments should use offensive malware for intelligence operations? Share your thoughts in the comments.