Despite having become desensitised to news that government security agencies regularly eavesdrop on individuals and companies, and indeed on other governments, and that they have built vast data gathering and analysis tools, the revelation over the weekend of the Regin spyware still came as a shock.
It is believed that Regin was first created back in 2003 as a cyber-attack platform, focused on governments, financial establishments, research institutions, those involved in cryptographic research and, of course, telcos. Regin is a reversal of the term “In Registry”, and apparently refers to its ability to store its components within the Windows registry of infected computers. Despite being operational for over a decade (the most recent reported use was in spring this year), Regin wasn’t identified until 2008 – and was only known as Regin from 2011.
Symantec first published news of Regin on Sunday, describing it as “a back door-type Trojan” and “a complex piece of malware whose structure displays a degree of technical competence rarely seen”. It added that: “It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber-espionage tools used by a nation state.”
So far, Regin has been identified in 14 countries: Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Russia and Syria. Note the countries that are not included: the US, UK and China for example. When you reconcile this with the fact that all security experts are saying that Regin was most likely developed by a nation-state, then you start to narrow down likely suspects.
One news source links it to an attack on Belgacom, which Germany’s Der Spiegel uncovered in September 2013 as part of the Edward Snowden saga. That report implied that the UK’s GCHQ was behind the attack, in order to spy on the telco’s most high-profile customers – the European Parliament and European Commission.
“The platform reminds us of another sophisticated malware: Turla,” said analysts at Kaspersky Lab, who have been investigating the malware independently of Symantec. “Yet through their implementation, coding methods, plugins, hiding techniques and flexibility, Regin surpasses Turla as one of the most sophisticated attack platforms we have ever analysed.”
Now, Kaspersky Lab has discovered that Regin has successfully broken through the security of GSM cellular networks. The security specialists described how they discovered a Regin infection in the network of an unnamed large GSM operator, found in the activity log of a base station controller (BSC).
The malware was able to issue a number of OSS MML commands relating to cell functions in the network. Over a period of a month back in 2008, the malware executed commands on 136 different cells via the BSC.
“The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations,” said the Kaspersky Lab team. “In today's world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them to launch other types of attacks against mobile users.”