First there was Stuxnet and Flame, and now there's an even more sophisticated, stealthy, and powerful cyber espionage attack called Regin that dates back as far as 2003 and has been found infecting machines in more than a dozen countries.
Symantec and Kaspersky Lab have each published their separate findings on Regin, a modular malware platform that has targeted Windows machines in telecommunications operators, governments, financial institutions, researchers, small businesses, and individuals associated with cryptography research.
The attackers behind Regin most likely involve a nation-state, given the resources and investment required to design it and the persistent, long-term surveillance operations it appears to support. The code appears to be written in English, according to Symantec, which first went public with its research yesterday. Researchers say they probably have only scratched the surface of Regin, and there likely are other variants and features yet to be discovered.
Regin's targets found so far are located in the Russian Federation -- 28% of the victims -- and Saudi Arabia, with 24% of the victims, according to Symantec. Users in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria, Pakistan, Algeria, Brazil, Fiji, Germany, Indonesia, Malaysia, Kiribati, and Syria also were found infected with the malware, Symantec and Kaspersky's research shows.
Conspicuously missing as victims of Regin are residents of the US as well as many Western European countries including the UK, but neither Symantec nor Kaspersky would confirm who might be behind Regin. F-Secure today said it does not originate from Russia or China. Meanwhile, a report by The Intercept today attributes the attack to the UK, specifically in the case of attacks on Belgian ISP and telecommunications firm Belgacom as part of the UK's Government Communications Headquarters' surveillance program, which came to light in NSA documents leaked by Edward Snowden.
"There is information and a certain level of indication that show Regin was possibly used by GCHQ in some attacks... However, these are just partially confirmed. And still, it is an interesting question if GCHQ or the UK developed these tools alone, or these attacks were part of a collaboration between countries [such as] the US, UK, and others, for what we saw in many leaked materials from Snowden," says Boldizsar Bencsath of the Laboratory of Cryptography and Systems Security at the Budapest University of Technology and Economics.
One of Regin's more powerful modules allows the malware to monitor GSM base station controllers. Kaspersky Lab found that in April 2008, the attackers behind Regin captured administrative login credentials that would let them "manipulate" a GSM network in a Middle Eastern country, the name of which the researchers would not disclose. With access to the base controllers, the attackers could redirect calls or shut down the mobile network, the researchers say.
"Regin is definitively in a category of its own. It's definitively more complex than Stuxnet and Flame when it comes to the design of the platform, functionality, or flexibility," says Costin Raiu, director of the global research and analysis team at Kaspersky Lab.
Raiu says Regin is also more compact: While a fully deployed Flame infection came in at 20 megabytes, Regin is about 8 megabytes in size, including its virtual file system, and packs the same punch as Flame, or more. "I'd say Regin is probably older than Stuxnet and Flame and more sophisticated," he says.
Victims victimizing victims
Regin includes various tools, and comes with an intricate and highly stealthy communications technique to control the infected networks that involves the victim organizations communicating via a peer-to-peer network. Kaspersky Lab spotted victims in a Middle East country doing just that: "This case was mind-blowing, so we thought it's important to present it. In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, educational institution network and a bank," according to the Kaspersky report.
The infected machines communicate via HTTP and Windows network connections as a way for the attackers to burrow deep into their target networks, bypass air gaps, and minimize traffic to the command and control server so as to remain under the radar.
In this case, one of the victims had what Kaspersky calls a "translation drone" that communicated with a C&C outside its home country, in India.
Kaspersky spotted 27 different victims, and Symantec found 1,000 infected machines from around the globe, but both companies say this only scratches the surface of the potential victims.
Regin is basically a platform with multiple modules that could wrest control of their target's network -- and "seize full remote control at all possible levels," Kaspersky's report says.
Modular platforms, such as Flame and The Mask/Weevil, have been spotted before, but the multi-stage loading technique used by Regin is reminiscent of the Duqu/Stuxnet family, according to Symantec.
6 stages of Regin
There are six stages: The first-stage driver is the only visible piece of the attack on the infected machine -- the next five stages of the attack are encrypted.
"The initial stages involve the installation and configuration of the threat’s internal services. The later stages bring Regin's main payloads into play," Symantec's report says. "The most interesting stages are the executables and data files stored in Stages 4 and 5. The initial Stage 1 driver is the only plainly visible code on the computer. All other stages are stored as encrypted data blobs, as a file or within a non-traditional file storage area such as the registry, extended attributes, or raw sectors at the end of disk."
Even so, researchers still are not sure just how Regin infects the machines initially. There have been no confirmations of particular zero-day exploits or other methods. Most likely, the attackers use a range of initial attack vectors. Regin has at least a dozen different exfiltration options.
"We don't know how it gets onto the machines... It could be a driveby, a link or executable sent in email. That particular piece was not found, but our guess is the dropper at Stage 0 is probably never resident on the machine," says Kevin Haley, director of security response at Symantec.
Haley says Regin appears to be a rare comprehensive cyber espionage malware platform. "The fact that we haven't found other ones means it's rare," he says.
Meanwhile, not everyone agrees that Regin is all that stealthy. Ken Westin, a security analyst with Tripwire, says Regin's file changes and registry key changes could be detected by any organization monitoring for host configuration changes.
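The kind of host configuration monitoring Westin describes comes down to taking a trusted baseline of files (and, on Windows, registry values) and diffing later snapshots against it, so that a new driver, a changed file, or a fresh blob written into an unusual place stands out. The following is an added example of that baseline-and-diff logic, not code from the article or from Symantec, Kaspersky, or Tripwire; the directory layout, file contents, and the changes it detects are constructed for the demonstration, and the registry helper is only exercised on Windows.

```python
"""Minimal host-configuration baseline checker (added example, not from the article).

snapshot() records SHA-256, size and extended-attribute names for every regular
file under a root; registry_values() does the same for one registry key on
Windows; diff_snapshots() reports what was added, removed or modified.
"""
import hashlib
import os
import tempfile
from pathlib import Path

try:
    import winreg  # Windows only; the registry helper is a no-op elsewhere
except ImportError:
    winreg = None


def _hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _xattr_names(path: Path) -> list:
    """Names of extended attributes on a file (Linux); empty where unsupported."""
    if not hasattr(os, "listxattr"):
        return []
    try:
        return sorted(os.listxattr(path, follow_symlinks=False))
    except OSError:
        return []


def snapshot(root) -> dict:
    """Map each regular file (relative POSIX path) to its hash, size and xattr names."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            snap[rel] = {
                "sha256": _hash_file(p),
                "size": p.stat().st_size,
                "xattrs": _xattr_names(p),
            }
    return snap


def registry_values(hive, subkey: str) -> dict:
    """Snapshot the values under one registry key (Windows only; {} elsewhere)."""
    if winreg is None:
        return {}
    values = {}
    try:
        with winreg.OpenKey(hive, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, kind = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                values[name] = (kind, repr(data))
                index += 1
    except OSError:  # key missing or access denied
        return {}
    return values


def diff_snapshots(old: dict, new: dict) -> dict:
    """Compare two snapshots (file or registry) and list added/removed/modified entries."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed tree, baseline it, apply constructed changes, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "drivers").mkdir()
        (root / "drivers" / "known.sys").write_bytes(b"legitimate driver bytes")
        (root / "config.ini").write_text("setting=1\n")
        baseline = snapshot(root)

        # Constructed changes a monitor should flag: a new driver file appears
        # and an existing configuration file is altered.
        (root / "drivers" / "unknown.sys").write_bytes(b"\x00" * 32)
        (root / "config.ini").write_text("setting=2\n")
        current = snapshot(root)
        return diff_snapshots(baseline, current)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host and signed, and the same `diff_snapshots()` can be applied to two `registry_values()` results to catch changes to autostart or service keys; the point is that a stored baseline makes unexpected writes visible regardless of how well the payload itself is encrypted.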