Regin: espionage of GSM networks

The World Research and Analysis Group of Kaspersky Lab has published research on Regin, the first digital attack platform to penetrate and monitor GSM networks in addition to carrying out other "typical" espionage work. The attackers behind the platform have compromised computer networks in at least 14 countries.

Basic information:

  • The main victims of the attack are telecommunications providers, government agencies, financial and research organizations, transnational political bodies and individuals involved in research in advanced mathematics and encryption.
  • Victims have been identified in Algeria, Afghanistan, Belgium, Brazil, Fiji, , Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Syria and Russia.
  • The Regin platform consists of many malicious tools that can compromise the entire network of an attacked organization. It uses an extremely complicated method of communication between "infected" networks and the Command & Control servers, allowing covert remote control and data transfer.
  • One specific Regin module is capable of monitoring GSM base station controllers, collecting data about GSM cells and the network infrastructure.
  • Over the course of a single month (April 2008), attackers collected administrator credentials that would allow them to manipulate a GSM network in a Middle Eastern country.
  • Some of the first samples of the Regin platform seem to have been created as early as 2003.

In the spring of 2012, Kaspersky Lab experts first became aware of the Regin malware, which seemed to be part of a complicated espionage campaign. For nearly three years, the malware has been tracked around the world. At times, samples appeared in various multi-scanner services, but they were all unrelated to each other, with enigmatic functionality and no specific context. However, Kaspersky Lab specialists were able to isolate samples involved in various attacks, including those against government agencies and telecommunications providers. These samples provided sufficient information to carry out a more in-depth investigation into this threat.

The study by the company's experts found that Regin is not just a malicious program but a platform: a multi-module software package that can "infect" the entire network of a target organization and gain full remote control at every possible level. The purpose of Regin is to collect confidential data from attacked networks and to perform many other types of attacks.

The actor behind the Regin platform has a very well-developed method for controlling "infected" networks. Kaspersky Lab experts identified several compromised organizations in one country, but only one of them was programmed to communicate with the Command & Control server in another country.

However, all of Regin's victims in the area were joined into a single network resembling a VPN, which allowed them to communicate with each other. Thus, the attackers turned the compromised organizations into one very large, unified victim and were able to send commands and intercept information through a single entry point. According to Kaspersky Lab's research, this structure allowed the actor to operate quietly for many years without raising suspicion.

The most original and interesting feature of the Regin platform, however, is its ability to attack GSM networks. According to an activity log from a GSM base station controller studied by Kaspersky Lab, attackers were able to obtain credentials that would allow them to control the GSM cells of a major mobile phone company's network. This means they could access information about which calls are being processed by a particular GSM cell, redirect calls to other cells, activate neighboring cells, and perform other offensive activities. Currently, the attackers behind Regin are the only ones known to have been able to carry out such operations.

"The ability to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these works. Today, we are quite dependent on mobile networks based on 'ancient' communication protocols, which offer little or no security to the end user. Although all GSM networks have built-in mechanisms that allow actors such as law enforcement authorities to track down suspects, there are other factors that can bypass this feature and abuse it to carry out attacks against mobile phone users," said Costin Raiu, Director of Kaspersky Lab's Worldwide Research and Analysis Group.

More information about the Regin platform is available at Securelist.com.

iGuRu.gr The Best Technology Site in Greece

Written by Dimitris
