{"id":4327,"date":"2014-11-25T10:00:26","date_gmt":"2014-11-25T15:00:26","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=4327"},"modified":"2020-02-26T18:59:20","modified_gmt":"2020-02-26T14:59:20","slug":"regin-apt-most-sophisticated","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/regin-apt-most-sophisticated\/4327\/","title":{"rendered":"Regin APT Attacks Among the Most Sophisticated Ever Analyzed"},"content":{"rendered":"<p>Nearly every organization involved in the business of tracking advanced persistent threat campaigns is talking about a new highly sophisticated attack platform called \u201cRegin\u201d (pronounced: re\u026a*\u0261\u0259n \u2013 like the former U.S. president). The general consensus is that Regin is the work of a well-funded nation-state, though it\u2019s impossible to point a finger at any particular country and blame them with certainty.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/11\/05111745\/Regin-APT-Attacks-Among-the-Most-Sophisticated-Ever-Analyzed-1024x767-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6853 size-large\" src=\"https:\/\/me-en.kaspersky.com\/blog\/files\/2014\/11\/Regin-APT-Attacks-Among-the-Most-Sophisticated-Ever-Analyzed-1024x767-1-1024x767.png\" alt=\"Regin-APT-Attacks-Among-the-Most-Sophisticated-Ever-Analyzed\" width=\"1024\" height=\"767\"><\/a><\/p>\n<p>It would appear as though a number of individuals and organizations had been keeping dossiers on Regin, because as soon as Symantec issued their first version of the report over the weekend, other reports began streaming out, adding to the initial findings. More than one company and more than one researcher \u2013 <a href=\"https:\/\/threatpost.com\/costin-raiu-on-the-regin-apt-malware\/109548\" target=\"_blank\" rel=\"noopener nofollow\">including Kaspersky Lab\u2019s Global Research and Analysis Team<\/a> \u2013 have called this the most sophisticated attack campaign ever analyzed.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Highly-complex malware has secretly spied on computers for years, say researchers <a href=\"http:\/\/t.co\/ip7hkaDBEg\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/ip7hkaDBEg<\/a> <a href=\"http:\/\/t.co\/TnHhxZS0C4\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/TnHhxZS0C4<\/a><\/p>\n<p>\u2014 The Verge (@verge) <a href=\"https:\/\/twitter.com\/verge\/status\/536627903623360512?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 23, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to <a href=\"https:\/\/securelist.com\/blog\/research\/67741\/regin-nation-state-ownage-of-gsm-networks\/\" target=\"_blank\" rel=\"noopener\">Kaspersky Lab\u2019s findings<\/a>, the Regin APT campaign targets telecom operators, government institutions, multi-national political bodies, financial and research institutions and individuals involved in advanced mathematics and cryptography. The attackers seem to be primarily interested in gathering intelligence and facilitating other types of attacks. While much of the intelligence gathered includes spying on emails and documents, the attack group also relentlessly targets telecommunication companies, which is normal, and at least one GSM provider, which is not so normal.<\/p>\n<p>GSM stands for Global System for Mobile Communications. It\u2019s a standard for cellular communications between mobile phones. The best way to think of GSM is as the second generation (2G) of mobile communication technologies\u2014the predecessor of 3G and 4G networks. However, <a href=\"http:\/\/www.4gamericas.org\/index.cfm?fuseaction=page&amp;sectionid=242\" target=\"_blank\" rel=\"noopener nofollow\">according to reports<\/a>, GSM is the default standard for mobile networks used by the majority of telecoms. It\u2019s available in more than 219 countries and territories and it demands a 90 percent share of the mobile telecom market.<\/p>\n<div class=\"pullquote\">They could have had access to information about which calls are processed by a particular cell, then redirected these calls to other cells, activated neighbor cells and performed other offensive activities.<\/div>\n<p>\u201cThe ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations,\u201d Kaspersky Lab\u2019s Global Research and Analysis Team reported yesterday. \u201cIn today\u2019s world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them in order to launch other types of attacks against mobile users.\u201d<\/p>\n<p>The attackers were able to steal credentials from an internal GSM Base Station Controller belonging to a large telecom operator that gave them access to GSM cells in that particular network, Kaspersky Lab said. My Threatpost colleague, <a href=\"https:\/\/threatpost.com\/regin-cyberespionage-platform-also-spies-on-gsm-networks\/109539\" target=\"_blank\" rel=\"noopener nofollow\">Mike Mimoso, noted<\/a> that Base Station Controllers manage calls as they move along a mobile network, allocating resources and mobile data transfers.<\/p>\n<p>\u201cThis means that they could have had access to information about which calls are processed by a particular cell, redirected these calls to other cells, activated neighbor cells and performed other offensive activities,\u201d Kaspersky Lab researchers wrote. \u201cAt the present time, the attackers behind Regin are the only ones known to have been capable of preforming such operations.\u201d<\/p>\n<p>In other words, the Regin actors can not only passively monitor cellular communications metadata, but they can also actively reroute cellular calls from one number to another.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>#Regin #APT targets the usual victims plus a famed cryptographer and the GSM standard, according to @Kaspersky<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FZzN9&amp;text=%23Regin+%23APT+targets+the+usual+victims+plus+a+famed+cryptographer+and+the+GSM+standard%2C+according+to+%40Kaspersky\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>Another bizarre and curious aspect of the Regin attack group is the story of a famed Belgian cryptographer and mathematician named Jean-Jacques Quisquater. In February of this year, reports began emerging that Quisquater\u2019s personal computer had been hacked six months earlier. While it isn\u2019t unusual for prominent academics to be targeted in cyberattacks, the case of Quisquater was slightly different because of some similarities between the attack that targeted his machine and a separate attack that targeted the Belgian telecom, Belgacom.<\/p>\n<p>The latter incident was the subject of <a href=\"https:\/\/threatpost.com\/belgian-telco-belgacom-compromised\/102299\" target=\"_blank\" rel=\"noopener nofollow\">an Edward Snowden revelation<\/a> claiming that the NSA and its British counterpart, GCHQ, had orchestrated the attack. Of course, many media outlets have alleged that these similarities do suggest that U.S. and British intelligence were behind both attacks. While neither Kaspersky Daily nor Kaspersky Lab will cosign those allegations, it was reported by a number of news outlets at the time and is worth mentioning.<\/p>\n<p>In addition to the story of Quisquater and the fact that it targets GSMs, the Regin attack platform also boasts incredible technical sophistication, particularly in its pervasiveness. The attackers established backdoors with their command infrastructure to ensure inconspicuous persistence on the networks of their victims. All of the campaign\u2019s communication traffic was encrypted to make sure attacks weren\u2019t observed, both between the attackers and their control servers and between the victim\u2019s machines and the attack infrastructure.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Absolutely #1 coverage of <a href=\"https:\/\/twitter.com\/hashtag\/Regin?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Regin<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/malware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#malware<\/a> espionage campaign, must read to get the whole picture: <a href=\"http:\/\/t.co\/M1pEhnxCRa\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/M1pEhnxCRa<\/a> by <a href=\"https:\/\/twitter.com\/KimZetter?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@KimZetter<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/536995229501370368?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 24, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Most of Regin\u2019s communications occur between infected machines \u2013 dubbed \u2018communication drones\u2019 \u2013 on the victim\u2019s network. The reason for this is twofold: it allows for deep access while also limiting the amount of data exiting the network en route to a command and control server. When you see data leaving your network and traveling to an unknown network, that raises alarms. So this in-network, peer-to-peer communication makes it more difficult for network monitors to realize an attack is occurring.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/11\/05102815\/Regin-graph-one-1024x640.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6854\" src=\"https:\/\/me-en.kaspersky.com\/blog\/files\/2014\/11\/Regin-graph-one-1024x640-1024x640.png\" alt=\"Regin-graph-one\" width=\"600\" height=\"375\"><\/a><\/p>\n<p>In one unnamed Middle Eastern country, every single victimized network identified by Kaspersky lab, communicates with all of the other networks in a sort of peer-to-peer structure. The network included the president\u2019s office, a research center, an educational institution\u2019s network and a bank. One of the victims contains a translation drone that is able to forward the stolen data packets outside of the country, to the command and control server located in India.<\/p>\n<p>\u201cThis represents a rather interesting command-and-control mechanism, which is guaranteed to raise very few suspicions,\u201d researchers wrote. \u201cFor instance, if all commands to the president\u2019s office are sent through the bank\u2019s network, then all of the malicious traffic that is visible to the president\u2019s office\u2019s sysadmins will only be with the bank, in the same country.\u201d<\/p>\n<p>Regin is deployed in five stages, giving the attackers deep access to a victimized network as each stage loads subsequent parts of the attack. Modules in the first stage contain the only executable stored on the victim\u2019s computer, and they\u2019re all signed with phony Microsoft and Broadcom digital certificates in order to seem legitimate.<\/p>\n<p>Kaspersky products detect modules from the Regin platform as: Trojan.Win32.Regin.gen and Rootkit.Win32.Regin. Kaspersky Lab has also released <a href=\"https:\/\/securelist.com\/files\/2014\/11\/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf\" target=\"_blank\" rel=\"noopener\">a full-length technical paper<\/a> if you would like to dig a bit deeper.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new APT campaign called Regin targets the usual victims plus a prestigious cryptographer and the GSM standard on which most cellular communications occur.<\/p>\n","protected":false},"author":42,"featured_media":4328,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[477,575,352,36,850,700],"class_list":{"0":"post-4327","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-apt","10":"tag-great","11":"tag-kaspersky-lab","12":"tag-malware-2","13":"tag-regin","14":"tag-research"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/regin-apt-most-sophisticated\/4327\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/regin-apt-most-sophisticated\/4402\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/regin-apt-most-sophisticated\/4867\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/regin-apt-most-sophisticated\/6206\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/regin-apt-most-sophisticated\/6852\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/regin-apt-most-sophisticated\/5603\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/regin-apt-most-sophisticated\/6206\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/regin-apt-most-sophisticated\/6852\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/regin-apt-most-sophisticated\/6852\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4327","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4327"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4327\/revisions"}],"predecessor-version":[{"id":15952,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4327\/revisions\/15952"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/4328"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4327"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4327"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}