Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:40 PM
Connect Directly

Newly Revealed Cyber Espionage Attack 'More Complex' Than Stuxnet, Flame

"Regin" cyber spying platform is reportedly behind cyber spying against a Belgian telecommunications provider, which was revealed in leaked NSA documents.

First there was Stuxnet and Flame, and now there's an even more sophisticated, stealthy, and powerful cyber espionage attack called Regin that dates back as far as 2003 and has been found infecting machines in more than a dozen countries.

Symantec and Kaspersky Lab have each published their separate findings on Regin, a modular malware platform that has targeted Windows machines in telecommunications operators, governments, financial institutions, researchers, governments, small businesses, and individuals associated with cryptography research.

The attackers behind Regin most likely involve a nation-state, given the resources and investment required to design it and the persistent, long-term surveillance operations it appears to support. The code appears to be written in English, according to Symantec, which first went public with its research yesterday. Researchers say they probably have only scratched the surface of Regin, and there likely are other variants and features yet to be discovered.

Regin's targets so far have been found located in the Russian Federation -- 28% of the victims -- and Saudi Arabia, with 24% of the victims, according to Symantec. Users in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria, Pakistan, Algeria, Brazil, Fiji, Germany, Indonesia, Malaysia, Kiribati, and Syria also were found infected with the malware, Symantec and Kaspersky's research shows.

Conspicuously missing as victims of Regin are residents of the US as well as many Western European countries including the UK, but neither Symantec nor Kaspersky would confirm who might be behind Regin. F-Secure today said it does not originate from Russia or China. Meanwhile, a report by The Intercept today attributes the attack to the UK, specifically in the case of attacks on Belgian ISP and telecommunications firm Belgacom as part of the UK's Government Communications Headquarters' surveillance program, which came to light in NSA documents leaked by Edward Snowden.

"There is information and a certain level of indication that show Regin was possibly used by GCHQ in some attacks... However, these are just partially confirmed. And still, it is an interesting question if GCHQ or the UK developed these tools alone, or these attacks were part of a collaboration between countries [such as] the US, UK, and others, for what we saw in many leaked materials from Snowden," says Boldizsar Bencsath of the Laboratory of Cryptography and Systems Security at the Budapest University of Technology and Economics.

One of Regin's more powerful modules allows the malware to monitor GSM base station controllers. Kaspersky Lab found that in April 2008, the attackers behind Regin captured administrative login credentials that would let them "manipulate" a GSM network in a Middle Eastern country, the name of which the researchers would not disclose. With access to the base controllers, the attackers could redirect calls or shut down the mobile network, the researchers say.

"Regin is definitively in a category of its own. It's definitively more complex than Stuxnet and Flame when it comes to the design of the platform, functionality, or flexibility," says Costin Raiu, director of the global research and analysis team at Kaspersky Lab.

Raiu says Regin is also more compact: While a fully deployed Flame infection came in at 20 megabytes, Regin is about 8 megabytes, including its virtual file system, in size and packs the same punch as Flame, or more. "I'd say Regin is probably older than Stuxnet and Flame and more sophisticated," he says.

Victims victimizing victims
Regin includes various tools, and comes with an intricate and highly stealthy communications technique to control the infected networks that involves the victim organizations communicating via a peer-to-peer network. Kaspersky Lab spotted victims in a Middle East country doing just that: "This case was mind-blowing, so we thought it's important to present it. In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, educational institution network and a bank," according to the Kaspersky report.

The infected machines communicate via HTTP and Windows network connections as a way for the attackers to burrow deep into their target networks, bypass air gaps, and minimize traffic to the command and control server so as to remain under the radar.

In this case, one of the victims had what Kaspersky calls a "translation drone" that communicated with a C&C outside its home country, in India.

Kaspersky spotted 27 different victims, and Symantec found 1,000 infected machines from around the globe, but both companies say this only scratches the surface of the potential victims.

Regin is basically a platform with multiple modules that could wrest control of their target's network -- and "seize full remote control at all possible levels," Kaspersky's report says.

Modular platforms have been spotted before such as Flame and The Mask/Weevel, but the multi-stage loading technique used by Regin is reminiscent of the Duqu/Stuxnet family, according to Symantec.

6 stages of Regin
There are six stages: The first driver is the only visible piece of the attack on the infected machine -- the next five stages of the attack are encrypted.

"The initial stages involve the installation and configuration of the threat’s internal services. The later stages bring Regin's main payloads into play," Symantec's report says. "The most interesting stages are the executables and data files stored in Stages 4 and 5. The initial Stage 1 driver is the only plainly visible code on the computer. All other stages are stored as encrypted data blobs, as a file or within a non-traditional file storage area such as the registry, extended attributes, or raw sectors at the end of disk."

Even so, researchers are still not yet sure just how Regin infects the machines initially. There have been no confirmations of particular zero-day exploits or other methods. Most likely, the attackers use a range of initial attack vectors. Regin has at least a dozen different exfiltration options.

"We don't know how it gets onto the machines... It could be a driveby, a link or executable sent in email. That particular piece was not found, but our guess is the dropper at Stage 0 is probably never resident on the machine," says Kevin Haley, director of security response at Symantec.

Haley says Regin appears to be a rare comprehensive cyber espionage malware platform. "The fact that we haven't found other ones means it's rare," he says.

Meanwhile, not everyone agrees that Regin is all that stealthy. Ken Westin, a security analyst with Tripwire, says Regin's file changes and registry key changes could be detected by any organization monitoring for host configuration changes. 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
11/26/2014 | 10:24:14 AM
Re: heuristic
And what we tend to forget is it all depends on who their customers are. =)
Some Guy
Some Guy,
User Rank: Moderator
11/25/2014 | 6:41:23 PM
Re: Attack vector
Double-Oh's with a memory stick? :)
User Rank: Guru
11/25/2014 | 4:51:23 PM
Re: heuristic
That depends on their level of competence. The heuristics monitor application behavior and communcation. If the heuristic does not "understand", it sends to the antivirus(malware)maker for human to "research". Some "researchers" are really good researchers. Some takes them forever. And some have no clue :)
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
11/25/2014 | 2:54:41 PM
Re: heuristic
I'm always curious about how long it takes a security firm to identify a new malware sample they find on a customer's machine as an APT-type threat....Symantec has been studying Regin since last fall.
User Rank: Guru
11/25/2014 | 1:22:46 PM
So basically, Symantec is saying that their heuristic and other antiviruses' heuristics are useless. Except well known viruses/malware, they can't catch anything.
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
11/25/2014 | 11:53:15 AM
Re: Attack vector
There are so many intriguing elements about Regin: the platform itself, the way it hides among the victims to talk to the C&C server, and of course the nations that are conspicuously missing from the victim list. ;-)

And that they haven't yet found the initial attack vector/s is also interesting. What, if any, 0days were used?

A lot still to come.
User Rank: Ninja
11/24/2014 | 8:28:16 PM
Attack vector
Definitely complex. Will be interested to see as more comes out about it what the initial attack vector was.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address allows attackers in the local network to access multiple quagga VTYs. Attackers can...
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.