The world is today learning more about the super-spying software known as Regin, which appears to have given an as-yet-unidentified nation’s spy agencies unprecedented access to Internet and telecom companies in at least 18 countries since about 2008 — maybe earlier.
First revealed by Symantec yesterday, there was new information today from Kaspersky Labs, the Russian computer security firm. In a blog post that pulls highlights from a more detailed technical paper, the firm says it has been tracking the malware for two years.
The intended victims appear to be certain customers of the targeted ISPs and telecom companies. But Kaspersky notes a few classes of victims that Symantec did not: Government agencies, financial institutions and individuals doing advanced research into mathematics and cryptology.
One specific victim is the Belgian researcher Jean Jacques Quisquater, who earlier this year announced that he had been targeted in a sophisticated intrusion. “We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform,” Kaspersky said in the post. Also hit was the Belgian telecom provider Belgacom.
Easily the most interesting and ominous disclosure from Kaspersky is the fact that the Regin malware was used to compromise GSM wireless phone base stations. Rather than hitting individual cell sites — or “base stations,” as they’re known — Regin was used to attack what are called Base Station Controllers, systems that manage several individual cell sites at a time.
Whoever the attackers were — and more on that in a minute — they were able to send commands to at least 136 different cell sites. Kaspersky obtained a log of those commands issued during a one-month period in 2008. Other similar logs were likely deleted, or the attack may have stopped for unknown reasons, the firm says. “It is unknown why the commands stopped in May 2008 … Perhaps the infection was removed or the attackers achieved their objective and moved on,” the firm said. “Another explanation is that the attackers improved or changed the malware to stop saving logs locally and that’s why only some older logs were discovered.”
The Regin malware was designed to quietly send the information it gathered to external machines known as “command and control,” or C&C, servers. Kaspersky tracked down the IP addresses of at least four of them. Two were in India, one was in Taiwan and one was in Belgium. That, however, doesn’t implicate those countries — anyone can easily set up a server in practically any country in the world.
There was an especially egregious case in a Middle Eastern country that Kaspersky did not name — a specific group of victims including one in the office of that country’s president, a bank and a research institution. “In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president’s office, a research center, an educational institution network and a bank,” Kaspersky said. One of the victims was given software that both translated their conversations and then forwarded them to a C&C server in India.
The list of potential countries is short as there are only a half dozen countries in that region with presidents for heads of state, and almost any of them would be a logical bet as the victim: Syria, Iran, Pakistan, Afghanistan, Iraq and Egypt.
Kaspersky also identified several new countries that were on the list of those targeted. Some unusual ones include the Pacific Island nations of Kiribati and Fiji. Other new entrants on the list include Syria, Malaysia and Indonesia.
So who carried out this attack? That question of “attribution” is always a tricky one. But there are some interesting coincidences. The folks at The Intercept argue that some of the victims line up nicely with a list of entities that were previously said to have been attacked by the U.S. NSA in cooperation with the GCHQ, the British signals intelligence agency. A report in the German magazine Der Spiegel suggested that the Belgacom attack specifically may have been carried out by the NSA and GCHQ.
As yet it’s still unclear how it spreads. As Symantec noted yesterday, there has been an instance where it was found to be spreading via Yahoo Instant Messenger, but otherwise the working hypothesis is that a targeted person’s Web browser is hijacked and they are taken to a site that looks legit, but which serves up the first stage of the Regin malware, which in turn downloads and installs the additional four stages to follow. Kim Zetter at Wired has also written an impressive tick-tock on how the malware works when it attacks and the timeline of the various discoveries that led us to this point. Expect further news in the coming days as more people take this malware apart.
This article originally appeared on Recode.net.
