“Groundbreaking” state spyware targeted airlines and energy firms
The security firm Symantec has detailed a highly sophisticated piece of spyware called Regin, which it reckons is probably a key intelligence-gathering tool in a nation state’s digital armory. Its targets have included individuals, small businesses, telecommunications firms, energy firms, airlines, research institutes and government agencies.
In a whitepaper, Symantec described Regin as “groundbreaking and almost peerless.” Regin comprises six stages, each triggered by the previous one, and each stage (barring the initial infection stage) remains encrypted until it is called upon by the stage before it. It can deploy modules that are “tailored to the target.” According to the firm, it was used between 2008 and 2011, when it disappeared before a new version appeared in 2013.
The targets fell victim to the malware in a variety of ways, including by being tricked into visiting phoney versions of well-known websites. “There are dozens of Regin payloads,” a Sunday blog post explained.
“The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.”
Symantec suggested that Regin has mostly been used to target entities in Russia and Saudi Arabia, but has also been found in Ireland, Mexico, India, Afghanistan, Iran, Belgium, Austria and Pakistan.
“The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible,” the post stated. “Its design makes it highly suited for persistent, long term surveillance operations against targets.”
It appears that Regin has western origins; see below for details.
‘Regin’ malware comes from western intelligence agency, say experts
Here is another interesting resource on Regin.
The Regin Espionage Toolkit
Regin is the latest in the line of sophisticated espionage toolkits used to target a range of organizations around the world. As already reported, it’s one of the more complex pieces of malware around, and just like many of the other toolkits it also has a long history behind it. We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe.
The server had shown symptoms of trouble, as it had been occasionally crashing with the infamous Blue Screen of Death. A driver with the innocuous name “pciclass.sys” seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin.
Regin File Header
As can be seen from the screenshot above, the driver had apparently already been compiled on 7 March 2008, but other samples with earlier timestamps indicate that the campaign is even older than this.
The driver turned out to be just one component of a multi-stage threat. The embedded configuration in the driver showed it could use either a registry key or the NTFS filesystem Extended Attributes to load the next stage of the malware.
We’ve seen at least the following registry keys being used for the next stage payload:
The following folders containing an NTFS Extended Attribute with the name “_” have also been seen to store the next stage payload, which can actually be split between two different attributes:
During 2013 and 2014, as we have been analyzing the later versions of Regin, the complexity and the level of sophistication in the attacks have become very evident. We would place Regin in the same category of highly sophisticated espionage campaigns together with the likes of Stuxnet, Flame, and Turla/Snake.
As always, attribution is difficult with cases like this. Our belief is that this malware, for a change, isn’t coming from Russia or China.
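The F-Secure excerpt above describes Regin's driver loading its next stage from either a registry key or an NTFS Extended Attribute named “_” on a folder. As an added illustration (not code from the post or from F-Secure), here is a small Python parser for the NTFS extended-attribute record list (the FILE_FULL_EA_INFORMATION layout, also found in an MFT $EA attribute) that reports any EA carrying that name; the folder paths and payload bytes in the sample are constructed.

```python
import struct

# Fixed 8-byte header of each record: NextEntryOffset, Flags, EaNameLength, EaValueLength
EA_HEADER = struct.Struct("<IBBH")
SUSPICIOUS_EA_NAME = b"_"   # EA name the post associates with Regin's next-stage payload

def parse_ea_list(buf):
    """Walk a FILE_FULL_EA_INFORMATION chain and return a list of (name, value) pairs."""
    entries, off = [], 0
    while off + EA_HEADER.size <= len(buf):
        next_off, _flags, name_len, value_len = EA_HEADER.unpack_from(buf, off)
        name_start = off + EA_HEADER.size
        value_start = name_start + name_len + 1   # the name is NUL-terminated
        name = buf[name_start:name_start + name_len]
        value = buf[value_start:value_start + value_len]
        if len(name) != name_len or len(value) != value_len:
            raise ValueError("truncated EA record at offset %d" % off)
        entries.append((name, value))
        if next_off == 0:        # a zero NextEntryOffset marks the final record
            break
        off += next_off
    return entries

def build_ea_list(entries):
    """Encode (name, value) pairs in the same layout; used here only to build the sample."""
    out = bytearray()
    for i, (name, value) in enumerate(entries):
        body = EA_HEADER.size + len(name) + 1 + len(value)
        padded = (body + 3) & ~3                  # records are 4-byte aligned
        last = i == len(entries) - 1
        out += EA_HEADER.pack(0 if last else padded, 0, len(name), len(value))
        out += name + b"\x00" + value
        if not last:
            out += b"\x00" * (padded - body)
    return bytes(out)

def find_suspicious_eas(buffers):
    """buffers: {folder_path: ea_bytes}. Returns [(folder, value_length)] for EAs named "_"."""
    hits = []
    for folder, buf in buffers.items():
        for name, value in parse_ea_list(buf):
            if name.upper() == SUSPICIOUS_EA_NAME:   # EA names are case-insensitive
                hits.append((folder, len(value)))
    return hits

# Constructed sample: one folder with a harmless EA and two folders that each hold
# a piece of a made-up payload under the "_" name (hypothetical paths).
SAMPLE = {
    r"C:\example\folder1": build_ea_list([(b"DOC.AUTHOR", b"alice")]),
    r"C:\example\folder2": build_ea_list([(b"_", b"\x4d\x5a" + b"\x90" * 30)]),
    r"C:\example\folder3": build_ea_list([(b"OTHER", b"x"), (b"_", b"\xcc" * 12)]),
}
```

On a live system the buffers would come from NtQueryEaFile or from parsing $EA attributes out of an MFT image; the parser itself does not depend on Windows.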
Interesting perspective from Kaspersky.
Kaspersky – “We didn’t hide Regin”
Kaspersky Labs issues blog saying “We didn’t hide Regin”
After last week's unseemly claim and counterclaim from security vendors over Regin, Kaspersky has published a blog saying nobody hid the malware. This is an important move by Kaspersky as this is not the first time an APT has been uncovered with claims it has been around for years, causing people to cry foul at the security industry.
In the blog titled: “The Art of Finding Cyber-Dinosaur Skeletons”, Kaspersky say APT research is like palaeontology. While there is more than a little hyperbole in this, there are some hard facts and truths that Kaspersky highlight and which bear repeating.
Security breaches like Regin are incredibly complex and take a lot of time to properly understand. Part of that understanding is not just to identify the malware but also to understand what it does, how it works, how it gets into the organisation and who the perpetrators are. Incomplete information can cause more damage than good as people scramble to implement a poor solution in the belief that they are now secure.
This is what we saw with OpenSSL and the Heartbleed attack. In this case, vendors issued poorly crafted advice as to how to patch systems and end users failed to complete all the steps in the right order. The result, as evidenced by Netcraft, was that companies thought they were safe but in fact were still wide open to attack. For a number of companies, that is still the case as they haven’t taken any additional remedial action.
In the case of Regin, Kaspersky make it clear that while they had information around the attack there were NDAs in place with customers and they had to abide by the confidentiality in the documents. This is no different from the way security researchers work with vendors when they discover an exploit. The industry has a well proven process that provides for a researcher to pass details to a vendor, allow that vendor time to remediate and then publish the details when there is a fix. It is not a perfect system but it does work.
To help understand the difference between dealing with an exploit such as Heartbleed and an APT like Regin, Kaspersky has conveniently laid out 15 steps that they take when researching an APT. This is the first time I can recall a vendor doing this and it makes for some interesting reading. It also provides some useful insights for internal security teams as to how they can create a process to track attacks that they detect, something that will become more common as security analytics gain greater use internally.
One of the problems for Kaspersky is they claim that they only started tracking Regin back in 2012 but identified that it had taken control of a Middle East 3G network back in 2008. If there was enough information to prove Regin could take control of critical infrastructure, then Kaspersky should at least have issued a warning to governments and telcos immediately.
Were Kaspersky or any of the other security companies negligent in not disclosing Regin earlier? In their defence, Kaspersky say that they process thousands of samples of malware every day and linking them together to find the right story is hard. However, when the evidence of the 3G attack was found, many will feel that the failure to immediately set alarm bells ringing raises concerns about the process.
Irrespective of right and wrong, Kaspersky has done the right thing here by not only getting out in front of the allegations of poor practice but also disclosing the process of tracking an APT. This won’t be the last we hear of Regin; there are already claims that it was created by the UK and US governments, but hopefully it will settle the issue of when information around an APT should be disclosed.