Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer

Piecing together new information from various researchers, it's clear the "Regin" malware is one of the most sophisticated nation-state spy tools ever found.

It was the spring of 2011 when the European Commission discovered it had been hacked. The intrusion into the EU's legislative body was sophisticated and widespread and used a zero-day exploit to get in. Once the attackers established a stronghold on the network, they were in for the long haul. They scouted the network architecture for additional victims and covered their tracks well. Eventually, they infected numerous systems belonging to the European Commission and the European Council before being discovered.

Two years later another big target was hacked. This time it was Belgacom, the partly state-owned Belgian telecom. In this case, too, the attack was sophisticated and complex. According to published news reports and documents leaked by Edward Snowden, the attackers targeted system administrators working for Belgacom and used their credentials to gain access to routers controlling the telecom's cellular network. Belgacom publicly acknowledged the hack, but has never provided details about the breach.

Then five months after that announcement, news of another high-profile breach emerged---this one another sophisticated hack targeting prominent Belgian cryptographer Jean-Jacques Quisquater.

Now it appears that security researchers have found the massive digital spy tool used in all three attacks. Microsoft dubbed it "Regin." More than a hundred victims have been found to date, but there are likely many others still unknown, because the espionage tool, a malicious platform capable of taking over entire networks and infrastructures, has been around since at least 2008, possibly earlier, and is built to remain stealthy on a system for years.

The threat has been known since at least 2011, around the time the EU was hacked and some of the attack files made their way to Microsoft, which added detection for the component to its security software. Researchers with Kaspersky Lab only began tracking the threat in 2012, collecting bits and pieces of it. Symantec began investigating it in 2013 after some of its customers were infected. Putting together information from each, it's clear the platform is highly complex and modular and can be customized with a wide range of capabilities depending on the target and the attackers' needs. Researchers have found about 50 payloads so far for stealing files and other data, but have evidence that still more exist.

"It's a threat that everyone has detected for some time, but no one has exposed [until now]," says Eric Chien, technical director of Symantec's Security Technology and Response division.

The Most Sophisticated Spy Tool Yet

The researchers have no doubt that Regin is a nation-state tool and are calling it the most sophisticated espionage machine uncovered to date---more complex even than the massive Flame platform, uncovered by Kaspersky and Symantec in 2012 and crafted by the same team who created Stuxnet.

"In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless," writes Symantec in its report about Regin.

Though no one is willing to speculate on the record about Regin's source, news reports about the Belgacom and Quisquater hacks pointed a finger at GCHQ and the NSA. Kaspersky confirms that Quisquater was infected with Regin, and other researchers familiar with the Belgacom attack have told WIRED that the description of Regin fits the malware that targeted the telecom, though the malicious files used in that attack were given a different name, based on something investigators found inside the platform's main file.

Photo: A pedestrian walks outside Berlaymont, the headquarters of the European Commission in Brussels, Belgium. (Winfried Rothermel/dapd/AP)

Victims are located in multiple countries. Kaspersky has found them in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Malaysia, Syria, Pakistan, Russia and the small Pacific island nation of Kiribati. The majority of victims Symantec has tracked are located in Russia and Saudi Arabia.

Targets include entire networks, not just individuals, among them telecoms in multiple countries, as well as government agencies, research institutes and academics (particularly those doing advanced mathematics and cryptography, like Quisquater). Symantec has also found hotels infected. These are likely targeted for their reservation systems, which can provide valuable intelligence about visiting guests.

But perhaps the most significant aspect of Regin is its ability to target GSM base stations of cellular networks. The malicious arsenal includes a payload that Kaspersky says was used in 2008 to steal the usernames and passwords of system administrators of a telecom somewhere in the Middle East. Armed with these credentials, the attackers would have been able to access GSM base station controllers---the part of a cellular network that controls transceiver stations---to manipulate the systems or even install malicious code to monitor cellular traffic. They could also conceivably have shut down the cellular network---for example, during an invasion of the country or other unrest.

Kaspersky won't identify the telecom or the country where this GSM attack occurred, but of the countries on Kaspersky's list of Regin infections, only Afghanistan, Iran, Syria and Pakistan lie in the region popularly considered the Middle East. Afghanistan stands out among the four as the only one cited in recent news stories about government hacking of GSM networks. Most authorities would place it in South Asia, but it is often popularly grouped with the Middle East.

Earlier this year, news reports based on documents leaked by Edward Snowden revealed two NSA operations codenamed MYSTIC and SOMALGET that involved hijacking the mobile network of several countries to collect metadata on every mobile call to and from these nations and, in at least two countries, to covertly record and store the full audio of calls. The countries where metadata was collected were identified as Mexico, Kenya, the Philippines and the island nation of the Bahamas. Countries where full audio was being recorded were identified as the Bahamas and Afghanistan.

The Path to Discovery

The Regin platform made its first public appearance in 2009 when someone uploaded components of the tool to the VirusTotal web site. VirusTotal is a free web site that aggregates dozens of anti-virus scanners. Researchers, and anyone else who finds a suspicious file on their system, can upload the file to the site to see if the scanners consider it malicious.

No one apparently noticed this upload in 2009, however. It wasn't until March 9, 2011 that Microsoft appeared to take note, around the time that more files were uploaded to VirusTotal, and announced that the company had added detection for a trojan called Regin.A to its security software. The following day, it made the same announcement about a variant called Regin.B. Some in the security community believe the files uploaded to VirusTotal in 2011 might have come from the European Commission or from a security firm hired to investigate its breach.

Guido Vervaet, the EU Commission's director of security who helped investigate the breach, wouldn't discuss it other than to say it was "quite" extensive and very sophisticated, with a "complex architecture." He says the attackers used a zero-day exploit to get in but wouldn't say what vulnerability they attacked. The attack was uncovered by system administrators only when systems began malfunctioning. Asked if the attackers used the same malware that struck Belgacom, Vervaet couldn't say for sure. "It was not one piece of software; it was an architecture [that] was not just one component but a series of elements working together. We have analyzed the architecture of the attack, which was quite sophisticated and similar to other cases that we know of in other organizations" but internally they were unable to come to any conclusion "that it was the same attack or the same wrongdoers."

Vervaet wouldn't say when the intrusion began or how long the invaders had been in the EU network, but documents released by Snowden last year discussed NSA operations that had targeted the EU Commission and Council. Those documents were dated 2010.

There are currently two known versions of the Regin platform in the wild. Version 1.0 dates back to at least 2008 but disappeared in 2011, the same year Microsoft released signatures to detect its trojan. Version 2.0 popped up in 2013, though it may have been used earlier than this. Researchers have found some Regin files with timestamps dating to 2003 and 2006, though it's not clear if the timestamps are accurate.

Liam O'Murchu, senior manager in Symantec's threat response group, says the threat landscape in 2008 was much different than it is today and this likely contributed to Regin remaining stealthy for so long. "I don't think we realized attackers were working on this level until we saw things like Stuxnet and Duqu and we realized they'd been on this level for quite some time." Those discoveries prompted researchers to begin looking for threats in different ways.

Anatomy of a Massive Attack Machine

It's unclear how the first infections occur. Neither Symantec nor Kaspersky has recovered a dropper component (the initial installer that plants the malware, delivered for instance by a phishing email carrying an exploit or by enticing the victim to click a malicious link), but based on evidence in one attack from 2011, Symantec thinks the attackers might have used a zero-day vulnerability in Yahoo Instant Messenger. Chien says the attackers probably used multiple techniques to get into different environments. Reports about the hack of Belgacom describe a more sophisticated man-in-the-middle technique in which a rogue server hijacked the browsers of Belgacom system administrators and redirected them to attacker-controlled web pages that infected their machines with malware.

Regardless of how it first gets into a machine, the Regin attack unfolds in five stages. Stages one through three load the attack and configure its architecture, while stages four and five launch the payloads. Among the payload options are a remote access trojan that gives the attackers backdoor access to infected systems, a keystroke logger and clipboard sniffer, a password sniffer, modules to collect information about USB devices connected to the infected system, and an email extraction module called U_STARBUCKS. Regin can also scan for deleted files and retrieve them.

The execution of components is orchestrated by an elaborate component that researchers have dubbed the "conductor." This is "the brain of the whole platform," says Costin Raiu, head of Kaspersky's Global Research and Analysis Team.

Regin uses a nested decrypting technique, decrypting itself in stages, with the key for decrypting each component in the component that precedes it. This made it difficult for researchers to examine the threat in the beginning when they didn't have all of the components and all of the keys.

Regin also uses an unusual technique in some cases to hide its data: it stores it in NTFS Extended Attributes. Extended Attributes are a small, rarely used metadata area attached to a file or directory that Explorer and most tools never display. (File timestamps and the "downloaded from the internet" mark that triggers a warning prompt live elsewhere, in the standard file attributes and in an alternate data stream respectively, not in Extended Attributes.) NTFS caps the total Extended Attribute data on a single file at about 64 KB, so Regin splits the data it wants to hide into separate encrypted chunks and stores them across attributes. When it needs the data, the conductor reads the chunks back in order and links them together so they can execute as a single file.
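The two techniques above, nested stage keys and chunked storage in a size-capped metadata area, are easier to reason about in code. The following is an added example written for this page, not Regin's code and not taken from the Symantec or Kaspersky reports. The cipher (a SHA-256 keystream with an HMAC tag), the 512-byte chunk size and the 4 KB detection threshold are assumptions chosen so it runs with the standard library alone; the in-memory ChunkStore stands in for one file's NTFS Extended Attributes.

```python
"""Toy model of nested-key stages stored as chunks in a bounded metadata store.
Added example; not Regin's code. Cipher, chunk size and threshold are assumptions."""
import hashlib
import hmac
import os
import struct

CHUNK_SIZE = 512        # assumed per-slot limit for the demo store
STORE_CAP = 64 * 1024   # NTFS limits total EA data on one file to about 64 KB
KEY_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (demo only, not a vetted cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack("<I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a wrong key fails here instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or corrupted stage")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_stages(payloads):
    """Nested keys: the plaintext of stage i is key(i+1) || payload(i)."""
    keys = [os.urandom(KEY_LEN) for _ in payloads]
    blobs = []
    for i, payload in enumerate(payloads):
        next_key = keys[i + 1] if i + 1 < len(keys) else bytes(KEY_LEN)
        blobs.append(encrypt(keys[i], next_key + payload))
    return keys[0], blobs


def unpack_stages(first_key, blobs):
    """Walk the chain as the loader (or an analyst holding every stage) does."""
    key, payloads = first_key, []
    for blob in blobs:
        plain = decrypt(key, blob)
        key, payload = plain[:KEY_LEN], plain[KEY_LEN:]
        payloads.append(payload)
    return payloads


class ChunkStore:
    """Stand-in for one file's extended attributes: named slots of bounded size."""

    def __init__(self):
        self.slots = {}

    def put(self, blob: bytes, prefix: str) -> int:
        """Split blob into CHUNK_SIZE slots; return how many slots were written."""
        if self.total_bytes() + len(blob) > STORE_CAP:
            raise ValueError("store cap exceeded")
        chunks = [blob[i:i + CHUNK_SIZE] for i in range(0, len(blob), CHUNK_SIZE)]
        for n, chunk in enumerate(chunks):
            self.slots[f"{prefix}.{n:04d}"] = chunk
        return len(chunks)

    def get(self, prefix: str) -> bytes:
        """Reassemble in slot order, the job the article assigns to the conductor."""
        names = sorted(k for k in self.slots if k.startswith(prefix + "."))
        return b"".join(self.slots[k] for k in names)

    def total_bytes(self) -> int:
        return sum(len(v) for v in self.slots.values())

    def suspicious(self, threshold: int = 4096) -> bool:
        """Defender heuristic (assumed threshold): ordinary files carry little EA data."""
        return self.total_bytes() > threshold


def demo() -> dict:
    payloads = [b"stage1: loader", b"stage2: driver", b"stage3: conductor",
                b"stage4: payload " * 300]
    first_key, blobs = build_stages(payloads)
    store = ChunkStore()
    chunks = [store.put(blob, f"s{i}") for i, blob in enumerate(blobs)]
    reassembled = [store.get(f"s{i}") for i in range(len(blobs))]
    # A single later stage without its predecessor carries no usable key.
    try:
        decrypt(os.urandom(KEY_LEN), reassembled[2])
        opens_alone = True
    except ValueError:
        opens_alone = False
    return {"recovered": unpack_stages(first_key, reassembled) == payloads,
            "chunks": chunks, "stage_opens_alone": opens_alone,
            "flagged": store.suspicious()}


if __name__ == "__main__":
    print(demo())
```

The `stage_opens_alone` result is the analyst's problem in miniature: a captured stage 3 is useless until stage 2 is also recovered, because the key lives only there. The `suspicious()` check is the defensive counterpart: files with kilobytes of extended-attribute data are rare enough that a sweep for them is a cheap hunt.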

The attackers also use a complex communication structure to manage the large scope of network-wide infections. Instead of communicating directly with the attackers' command servers, each system talks only to other machines on the network and with a single node that acts as a hub to communicate with command servers. This reduces the amount of traffic leaving the network and the number of machines communicating with a strange server outside the network, which can draw suspicion. It also allows the attackers to communicate with systems inside the organization that might not even be connected to the internet.
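The relay topology described above leaves a signature a defender can hunt for: a cluster of internal hosts that never reach the internet themselves but all exchange traffic on an odd port with one internal node that does. The following flow-record triage is an added example written for this page, not from the article or the Regin reports. The records are constructed, and the field layout, the 10.0.0.0/8 convention for "internal", the common-port list and the egress allowlist are assumptions for the demo rather than any product's log format.

```python
"""Find internal hosts that act as the sole external relay for other internal hosts.
Added example; flows and conventions are constructed assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")
COMMON_PORTS = frozenset({53, 80, 88, 135, 137, 139, 389, 443, 445, 3389})
KNOWN_EGRESS = frozenset({"10.0.9.9"})  # assumed corporate proxy: a legitimate hub

# (timestamp, src, dst, dport, bytes), constructed for the demo
FLOWS = [
    ("10:00", "10.0.1.50", "8.8.8.8", 53, 120),         # ordinary host, its own DNS
    ("10:01", "10.0.1.50", "10.0.7.1", 445, 8192),       # ordinary host, file server
    ("10:02", "10.0.1.51", "10.0.9.9", 8080, 4096),      # ordinary hosts via the proxy
    ("10:02", "10.0.1.52", "10.0.9.9", 8080, 4096),
    ("10:02", "10.0.1.53", "10.0.9.9", 8080, 4096),
    ("10:03", "10.0.9.9", "198.51.100.4", 443, 65536),   # proxy egress
    ("10:05", "10.0.1.11", "10.0.5.20", 4455, 1500),     # peers that never leave
    ("10:06", "10.0.1.12", "10.0.5.20", 4455, 1600),
    ("10:07", "10.0.2.30", "10.0.5.20", 4455, 900),
    ("10:08", "10.0.5.20", "10.0.2.30", 4455, 300),      # hub answers back
    ("10:10", "10.0.5.20", "203.0.113.7", 443, 20480),   # only the hub beacons out
]


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def find_hubs(flows, min_peers: int = 3, allowlist=KNOWN_EGRESS):
    """Return [(hub, sorted peers)] for internal hosts that talk to the outside
    and exchange uncommon-port traffic with min_peers or more internal hosts
    that have no external traffic of their own."""
    talks_out = set()
    peers = defaultdict(set)   # host -> internal hosts it meets on uncommon ports
    for _ts, src, dst, dport, _n in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and not dst_in:
            talks_out.add(src)
        elif src_in and dst_in and dport not in COMMON_PORTS:
            peers[src].add(dst)
            peers[dst].add(src)
    hubs = []
    for host in sorted(talks_out - allowlist):
        silent_peers = sorted(p for p in peers[host] if p not in talks_out)
        if len(silent_peers) >= min_peers:
            hubs.append((host, silent_peers))
    return hubs


if __name__ == "__main__":
    for hub, silent in find_hubs(FLOWS):
        print(f"{hub} relays for {len(silent)} hosts with no egress: {', '.join(silent)}")
```

Run without the allowlist and the corporate proxy is flagged too, which is the expected false positive: legitimate egress points (proxies, jump hosts, update servers) look exactly like a relay, so the hunt needs an inventory of sanctioned egress before it is useful. The hosts reported as silent peers are the interesting ones either way; they are the machines the article says "might not even be connected to the internet."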

'It's Totally Crazy': The Middle-Eastern Hacks

The most elaborate and extensive infection Kaspersky saw that used this technique occurred in a Middle Eastern country the researchers decline to name. They call the infection "mind-blowing" and say in their report that it consisted of an elaborate web of networks the attackers infected and then linked together. These include networks for the office of the president of the country, a research center, an educational institute that from its name appears to be a mathematics institute, and a bank. In this case, instead of having each of the infected networks communicate with the attackers' command server individually, the attackers set up an elaborate covert communication web between them so that commands and information passed between them as if through a peer-to-peer network. All of the infected networks then interfaced with one system at the educational institute, which served as a hub for communicating with the attackers.

"It's totally crazy," says Raiu. "The idea is to have one single control mechanism for the whole country so they can just run one command, and that command is replicated between all the members on the peer-to-peer network."

The connections between infected machines and networks are encrypted, with each infected node using a public and private key to encrypt traffic exchanged between them.

Kaspersky refers to the educational institute as the "Magnet of Threats" because they found all sorts of other advanced threats infesting its network---including the well-known Mask malware and Turla---all co-existing peacefully with Regin.


But on par with this attack was one that occurred in another Middle East country against the GSM network of a large, unidentified telecom. The Kaspersky researchers say they found what appears to be an activity log the attackers used to collect commands and login credentials for one of the telecom's GSM base station controllers. The log, about 70 KB in size, contains hundreds of commands sent to the base station controller between April 25 and May 27 of 2008. It's unclear how many of the commands were sent by telecom administrators or by the attackers themselves in an attempt to control base stations.

The commands, which Kaspersky identified as Ericsson OSS MML commands, are used for checking the software version on a base station controller, retrieving a list of the call forwarding settings for the mobile station, enabling call forwarding, listing the transceiver route for a particular cell tower, activating and deactivating cell towers in the GSM network, and adding frequencies to the active list of frequencies used by the network. The log shows commands going to 136 different GSM cell sites---cell sites with names like prn021a, gzn010a, wdk004, and kbl027a. In addition to commands, the log also shows usernames and passwords for the telecom's engineer accounts.
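A log like the one described above is both evidence and a liability: it records what was done to the base station controller, and it carries the engineer credentials in the clear. The following triage is an added example written for this page, not from the article or Kaspersky's report. The log text is constructed, its layout (timestamp, account, cell site, command) is an assumption, and the command names are placeholders for the real Ericsson MML mnemonics, which the article does not list. It separates read-only operator work from state-changing commands issued outside the assumed shift, and redacts the embedded passwords before the log is shared further.

```python
"""Triage of a captured operator-command log. Added example; log, layout and
command names are constructed placeholders, not real MML."""
import re
from collections import Counter
from datetime import datetime

LOG = """\
2008-04-25 09:10:44 LOGIN user=eng_ali password=Hunter2
2008-04-25 09:12:03 eng_ali prn021a SHOW_VERSION
2008-04-25 09:13:40 eng_ali prn021a LIST_TRX_ROUTE
2008-04-25 10:00:51 LOGIN user=eng_sara password=Spring08
2008-04-25 10:01:15 eng_sara gzn010a SHOW_VERSION
2008-04-25 10:05:22 eng_sara gzn010a ADD_FREQUENCY
2008-04-26 09:30:00 eng_ali wdk004 LIST_TRX_ROUTE
2008-04-26 10:10:00 eng_sara kbl027a SHOW_VERSION
2008-04-30 02:41:07 eng_ali kbl027a LIST_CALL_FORWARDING
2008-04-30 02:42:55 eng_ali kbl027a ENABLE_CALL_FORWARDING
2008-05-02 03:10:19 eng_sara gzn010a DEACTIVATE_CELL
2008-05-02 03:11:02 eng_sara gzn010a ACTIVATE_CELL
2008-05-03 09:45:00 eng_ali wdk004 SHOW_VERSION
"""

# Placeholder names for the commands that alter the network rather than read it
STATE_CHANGING = {"ADD_FREQUENCY", "ENABLE_CALL_FORWARDING", "DEACTIVATE_CELL", "ACTIVATE_CELL"}
WORK_HOURS = range(7, 19)   # assumed operator shift used as the baseline

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
CMD_RE = re.compile(rf"^{TS} (\S+) (\S+) (\S+)$")
LOGIN_RE = re.compile(rf"^{TS} LOGIN user=(\S+) password=\S+$")


def parse(text):
    """Return (command entries, accounts whose password is in the log, redacted text)."""
    entries, exposed, redacted = [], set(), []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            exposed.add(m.group(2))
            redacted.append(f"{m.group(1)} LOGIN user={m.group(2)} password=<redacted>")
            continue
        m = CMD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3), m.group(4)))
        redacted.append(line)
    return entries, exposed, "\n".join(redacted)


def triage(entries):
    """Summarise reach (sites, accounts) and flag off-hours state changes."""
    sites = {site for _, _, site, _ in entries}
    per_account = Counter(user for _, user, _, _ in entries)
    flagged = [
        (ts.isoformat(sep=" "), user, site, cmd)
        for ts, user, site, cmd in entries
        if cmd in STATE_CHANGING and ts.hour not in WORK_HOURS
    ]
    return {"sites": sorted(sites), "commands_per_account": dict(per_account),
            "flagged": flagged}


if __name__ == "__main__":
    found, leaked, clean = parse(LOG)
    print("credentials exposed for:", sorted(leaked))
    for item in triage(found)["flagged"]:
        print("off-hours state change:", *item)
```

The off-hours filter is deliberately crude; with stolen credentials the intruder's commands come from a legitimate account, so the account name alone separates nothing. What does separate them is behaviour: the mix of commands, the hour, and the cell sites touched, compared against each engineer's own history once a longer log is available.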

"They found a computer that manages a base station controller, and that base station controller is able to reach out to hundreds of cells," says Raiu. He says there are two or three GSM operators in the targeted country and the one the attackers targeted is the largest. He doesn't know if the others were infected as well.

Both of these infections---targeting the GSM network and the presidential network---appear to be ongoing. As news of the Regin attack spreads and more security firms add detection for it to their tools, the number of victims uncovered will no doubt grow.