The Regin Platform
Virus Type: Malware / Advanced Persistent Threat (APT)
What is Regin?
Regin is a cyber-attack platform capable of monitoring GSM networks in addition to other “standard” spying tasks.
In short, Regin is a cyber-attack platform that the attackers deploy inside victim networks to gain full remote control at every level of the environment. The platform is highly modular and is deployed in multiple stages, each responsible for a different part of the attack.
The malware can collect keystroke logs, take screenshots, steal any file from the system, extract emails from MS Exchange servers and capture any data from network traffic.
The attackers can also compromise GSM Base Station Controllers, the computers that control the GSM infrastructure. This gives them control over GSM networks and lets them launch other types of attacks, including the interception of calls and SMS messages.
How is this different from any other APT attack?
It is one of the most sophisticated attacks we've ever observed. In some respects, the platform reminds us of another sophisticated malware family: Turla. Shared traits include the use of virtual file systems and the deployment of communication "drones" that bridge otherwise isolated networks together. Yet in its implementation, coding methods, plugins, hiding techniques and flexibility, Regin surpasses Turla and ranks among the most sophisticated attack platforms we have ever analyzed. The group's ability to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations.
Who are the victims? / What can you say about the targets of the attacks?
The victims of Regin fall into the following categories:
- Telecom operators
- Government institutions
- Multi-national political bodies
- Financial institutions
- Research institutions
- Individuals involved in advanced mathematical/cryptographical research
So far, we've observed two main objectives from the attackers:
- Intelligence gathering
- Facilitating other types of attacks
So far, victims of Regin were identified in 14 countries:
In total, we counted 27 different victims, although it should be pointed out that a "victim" here refers to a whole entity, including its entire network. The number of individual PCs infected with Regin is, of course, far higher.
Is this a nation-state sponsored attack?
Considering the complexity and cost of developing Regin, it is likely that this operation is supported by a nation-state.
What country is behind Regin?
Attribution remains a very difficult problem when dealing with professional attackers such as those behind Regin.
Does Kaspersky Lab detect all variants of this malware?
Kaspersky products detect modules from the Regin platform as: Trojan.Win32.Regin.gen and Rootkit.Win32.Regin.
Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?
Yes, IOC information has been included in our detailed technical research paper.