









The biggest security news of the week revolves around Symantec’s comprehensive report about Regin, a sophisticated piece of malware which has been tracked back as far as 2008. It’s a story similar to leaks about the NSA’s mass surveillance capabilities last year which – until Edward Snowden’s revelations – was something we knew existed but didn’t realise as to what extent.

One particular case in the Middle East has victims creating a mass peer-to-peer network

You might think this is a strange analogy to use, but Symantec believes Regin was designed by the government for surveillance purposes. The complex malware was used to infiltrate Belgian carrier Belgacom, and cryptographer Jean-Jacques Quisquater, in two intrusions which have been linked to the NSA and Britain’s GCHQ.

An attack with the characteristics of Regin was also used to hack into the EU Commission in 2011 – but its origin is unconfirmed. “Regin’s developers put considerable effort into making it highly inconspicuous. Its low key nature means it can potentially be used in espionage campaigns lasting several years,” Symantec said in a statement. “Even when its presence is detected, it is very difficult to ascertain what it is doing.”

Kaspersky notes the following as intended Regin victims:

Telecom operators

Government institutions

Multi-national political bodies

Financial institutions

Research institutions

Individuals involved in advanced mathematical/cryptographical research

Regin compromises GSM base stations used by cellular providers – as found through some further sleuthing by Kaspersky Labs. The base station is responsible for allocating radio resources for a mobile call and establishes a handover between other base stations where appropriate. Needless to say, it’s easy to see why this would be a high-value target for surveillance agencies.

Kaspersky obtained a log of a compromised base station and decoded the commands used:

rxmop – check software version type;

– check software version type; rxmsp – list current call forwarding settings of the Mobile Station;

– list current call forwarding settings of the Mobile Station; rlcrp – list off call forwarding settings for the Base Station Controller;

– list off call forwarding settings for the Base Station Controller; rxble – enable (unblock) call forwarding;

– enable (unblock) call forwarding; rxtcp – show the Transceiver Group of particular cell;

– show the Transceiver Group of particular cell; allip – show external alarm;

– show external alarm; dtstp – show DIgital Path (DIP) settings (DIP is the name of the function used for supervision of the connected PCM (Pulse Code Modulation) lines);

– show DIgital Path (DIP) settings (DIP is the name of the function used for supervision of the connected PCM (Pulse Code Modulation) lines); rlstc – activate cell(s) in the GSM network;

– activate cell(s) in the GSM network; rlstp – stop cell(s) in the GSM network;

– stop cell(s) in the GSM network; rlmfc – add frequencies to the active broadcast control channel allocation list;

– add frequencies to the active broadcast control channel allocation list; rlnri – add cell neightbour;

– add cell neightbour; rrtpp – show radio transmission transcoder pool details;

The two main objectives of Regin are for intelligence gathering and attempts to facilitate further attacks. In most cases, GSM networks were left untouched and the malware was used to extract information such as emails and documents from infected computers.

An attack with the characteristics of Regin was also used to hack into the EU Commission in 2011 – but its origin is unconfirmed.

One particular case in the Middle East – which Kaspersky describes as “mind-blowing” – has victims creating a mass peer-to-peer network and includes the president’s office, a research center, educational institution network, and a bank. It allows traffic to be routed through another source on the network to reduce suspicions of malicious activity; such as the bank to the president’s office.

So far, Regin has been detected in 14 countries across 27 different victims (a “victim” being an entire network – which consists of many unique PCs.) The malware still appears to be active from the most recent sample found in spring of 2014, and could have been upgraded to become even more sophisticated.

Do you think governments should launch malware attacks? Let us know in the comments.