Skip to main content

Woburn, MA – November 24, 2014 – The Kaspersky Lab Global Research and Analysis Team has published its research on Regin – the first cyber-attack platform known to penetrate and monitor GSM networks in addition to other “standard” spying tasks. The attackers behind this platform have compromised computer networks in at least 14 countries around the world.

Quick facts:

  • The main victims of this actor are: telecom operators, governments, financial institutions, research organizations, multinational political bodies and individuals involved in advanced mathematical/cryptographical research.
  • Victims of this actor have been found in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Syria and Russia.
  • The Regin platform consists of multiple malicious tools capable of compromising the entire network of an attacked organization The Regin platform uses an incredibly complex communication method between infected networks and command and control servers, allowing remote control and data transmission by stealth.
  • One particular Regin module is capable of monitoring GSM base station controllers, collecting data about  GSM cells and the network infrastructure.
  • Over the course of a single month in April 2008 the attackers collected administrative credentials that would allow them to manipulate a GSM network in a Middle Eastern country.
  • Some of the earliest samples of Regin appear to have been created as early as 2003.

In spring 2012 Kaspersky Lab experts became aware of Regin malware, which seemed to belong to a sophisticated espionage campaign. For almost three subsequent years Kaspersky Lab’s experts tracked this malware all over the world. From time to time, samples would appear on various multi-scanner services, but they were all unrelated to each other, cryptic in functionality and lacking context. However, Kaspersky Lab experts were able to obtain samples involved in several real world attacks, including those against governmental institutions and telecom operators, and this provided enough information for more in-depth research into this threat.

As a result, the study found that Regin is not just a single malicious program, but a platform – a software package, consisting of multiple modules, capable of infecting the entire networks of targeted organizations to seize full remote control at all possible levels. Regin is aimed at gathering confidential data from attacked networks and performing several other types of attacks.

The actor behind the Regin platform has a well-developed method to control the infected networks. Kaspersky Lab experts observed several compromised organizations in one country, but only one of them was programmed to communicate with the command and control server located in another country.

However all the Regin victims in the region were joined together in a peer-to-peer VPN-like network and able to communicate with each other. Thus, attackers turned compromised organizations in one vast unified victim and were able to send commands and steal the information via a single entry point. According to the Kaspersky Lab research this structure allowed the actor to operate silently for years without raising suspicions.

The most original and interesting feature of the Regin platform, though, is its ability to attack GSM networks. According to an activity log on a GSM Base Station Controller obtained by Kaspersky Lab researchers during the investigation, attackers were able to obtain credentials that would allow them to control GSM cells in the network of a large cellular operator. This means that they could have had access to information about which calls are processed by a particular cell, redirect these calls to other cells, activate neighbor cells and perform other offensive activities. At the present time, the attackers behind Regin are the only ones known to have been capable of doing such operations.

“The ability to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations. In today’s world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, other parties can hijack this ability and abuse it to launch different attacks against mobile users,” said Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab.

Read more about the Regin platform on Securelist.com.   

About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact
Sarah Bergeron
781.503.2615
sarah.bergeron@kaspersky.com

The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2013. The rating was published in the IDC report ‘Worldwide Endpoint Security 2014–2018 Forecast and 2013 Vendor Shares’ (IDC #250210, August 2014). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2013.

Regin: A Malicious Platform Capable of Spying on GSM Networks

Regin: A Malicious Platform Capable of Spying on GSM Networks
Kaspersky Logo