Regin: Nation-state ownage of GSM networks - Securelist
Tue, 30 Dec 2014 13:20
Motto: "Beware of Regin, the master! His heart is poisoned. He would be thy bane..." ("The Story of Siegfried" by James Baldwin)

Introduction, history

Download our full Regin paper (PDF).
In the spring of 2012, following a Kaspersky Lab presentation on the unusual facts surrounding the Duqu malware, a security researcher contacted us and mentioned that Duqu reminded him of another high-end malware incident. Although he couldn't share a sample, the third-party researcher mentioned the "Regin" name, a malware attack that is now dreaded by many security administrators in governmental agencies around the world.
For the past two years, we've been tracking this most elusive malware across the world. From time to time, samples would appear on various multi-scanner services, but they were all unrelated to each other, cryptic in functionality and lacking context.
It's unknown exactly when the first samples of Regin were created. Some of them have timestamps dating back to 2003.
The victims of Regin fall into the following categories:

- Telecom operators
- Government institutions
- Multi-national political bodies
- Financial institutions
- Research institutions
- Individuals involved in advanced mathematical/cryptographical research

So far, we've observed two main objectives from the attackers:

- Intelligence gathering
- Facilitating other types of attacks

While in most cases the attackers were focused on extracting sensitive information, such as e-mails and documents, we have observed cases where the attackers compromised telecom operators to enable the launch of additional sophisticated attacks. More about this in the GSM Targeting section below.
Perhaps one of the most publicly known victims of Regin is Jean-Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform.
Another interesting victim of Regin is a computer we are calling "The Magnet of Threats". This computer belongs to a research institution and has been attacked by Turla, Mask/Careto, Regin, Itaduke, Animal Farm and some other advanced threats that do not have a public name, all co-existing happily on the same computer at some point.
Initial compromise and lateral movement

The exact method of the initial compromise remains a mystery, although several theories exist, which include man-in-the-middle attacks with browser zero-day exploits. For some of the victims, we observed tools and modules designed for lateral movement. So far, we have not encountered any exploits. The replication modules are copied to remote computers by using Windows administrative shares and then executed. Obviously, this technique requires administrative privileges inside the victim's network. In several cases, the infected machines were also Windows domain controllers. Targeting of system administrators via web-based exploits is one simple way of achieving immediate administrative access to the entire network.
The Regin platform

In short, Regin is a cyber-attack platform which the attackers deploy in the victim networks for ultimate remote control at all possible levels.
The platform is extremely modular in nature and has multiple stages.
Regin platform diagram
The first stage ("stage 1") is generally the only executable file that will appear on victims' systems. Further stages are stored either directly on the hard drive (for 64-bit systems), as NTFS Extended Attributes or as registry entries. We've observed many different stage 1 modules, which sometimes have been merged with public sources to achieve a type of polymorphism, complicating the detection process.
The second stage has multiple purposes and can remove the Regin infection from the system if instructed so by the 3rd stage.
The second stage also creates a marker file that can be used to identify the infected machine. Known filenames for this marker are:

- %SYSTEMROOT%\system32\nsreg1.dat
- %SYSTEMROOT%\system32\bssec3.dat
- %SYSTEMROOT%\system32\msrdc64.dat

Stage 3 exists only on 32-bit systems; on 64-bit systems, stage 2 loads the dispatcher directly, skipping the third stage.
Stage 4, the dispatcher, is perhaps the most complex single module of the entire platform. The dispatcher is the user-mode core of the framework. It is loaded directly as the third stage of the 64-bit bootstrap process or extracted and loaded from the VFS as module 50221 as the fourth stage on 32-bit systems.
The dispatcher takes care of the most complicated tasks of the Regin platform, such as providing an API to access virtual file systems, basic communications and storage functions as well as network transport sub-routines. In essence, the dispatcher is the brain that runs the entire platform.
A thorough description of all malware stages can be found in our full technical paper.
Virtual File Systems (32/64-bit)

The most interesting code from the Regin platform is stored in encrypted file storages, known as Virtual File Systems (VFSes).
During our analysis we were able to obtain 24 VFSes, from multiple victims around the world. Generally, these have random names and can be located in several places in the infected system. For a full list, including format of the Regin VFSes, see our technical paper.
Unusual modules and artifacts

With high-end APT groups such as the one behind Regin, mistakes are very rare. Nevertheless, they do happen. Some of the VFSes we analyzed contain words which appear to be the respective codenames of the modules deployed on the victim:

- legspinv2.6 and LEGSPINv2.6
- WILLISCHECKv2.0
- HOPSCOTCH

Another module we found, which is a plugin of type 55001.0, references another codename, U_STARBUCKS.
GSM Targeting

The most interesting aspect we found so far about Regin is related to an infection of a large GSM operator. One VFS encrypted entry we located had internal id 50049.2 and appears to be an activity log on a GSM Base Station Controller.
According to the GSM documentation (http://www.telecomabc.com/b/bsc.html): "The Base Station Controller (BSC) is in control of and supervises a number of Base Transceiver Stations (BTS). The BSC is responsible for the allocation of radio resources to a mobile call and for the handovers that are made between base stations under his control. Other handovers are under control of the MSC."
Here's a look at the decoded Regin GSM activity log:
This log is about 70KB in size and contains hundreds of entries like the ones above. It also includes timestamps which indicate exactly when the command was executed.
The entries in the log appear to contain Ericsson OSS MML (Man-Machine Language as defined by ITU-T) commands.
Here's a list of some commands issued on the Base Station Controller, together with some of their timestamps:
2008-04-25 11:12:14: rxmop:moty=rxotrx;
2008-04-25 11:58:16: rxmsp:moty=rxotrx;
2008-04-25 14:37:05: rlcrp:cell=all;
2008-04-26 04:48:54: rxble:mo=rxocf-170,subord;
2008-04-26 06:16:22: rxtcp:MOty=RXOtg,cell=kst022a;
2008-04-26 10:06:03: IOSTP;
2008-04-27 03:31:57: rlstc:cell=pty013c,state=active;
2008-04-27 06:07:43: allip:acl=a2;
2008-04-28 06:27:55: dtstp:DIP=264rbl2;
2008-05-02 01:46:02: rlstp:cell=all,state=halted;
2008-05-08 06:12:48: rlmfc:cell=NGR035W,mbcchno=83&512&93&90&514&522,listtype=active;
2008-05-08 07:33:12: rlnri:cell=NGR058y,cellr=ngr058x;
2008-05-12 17:28:29: rrtpp:trapool=all;
Descriptions for the commands:
- rxmop - check software version type;
- rxmsp - list current call forwarding settings of the Mobile Station;
- rlcrp - list of call forwarding settings for the Base Station Controller;
- rxble - enable (unblock) call forwarding;
- rxtcp - show the Transceiver Group of a particular cell;
- allip - show external alarm;
- dtstp - show Digital Path (DIP) settings (DIP is the name of the function used for supervision of the connected PCM (Pulse Code Modulation) lines);
- rlstc - activate cell(s) in the GSM network;
- rlstp - stop cell(s) in the GSM network;
- rlmfc - add frequencies to the active broadcast control channel allocation list;
- rlnri - add cell neighbour;
- rrtpp - show radio transmission transcoder pool details.

The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts.
In total, the log indicates that commands were executed on 136 different cells. Some of the cell names include "prn021a, gzn010a, wdk004, kbl027a, etc...". The command log we obtained covers a period of about one month, from April 25, 2008 through May 27, 2008. It is unknown why the commands stopped in May 2008 though; perhaps the infection was removed or the attackers achieved their objective and moved on. Another explanation is that the attackers improved or changed the malware to stop saving logs locally and that's why only some older logs were discovered.
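A log of this shape lends itself to a small triage script. What follows is an added example, not Kaspersky's code and not part of the original article: it parses timestamped MML lines of the form quoted above, separates the commands the write-up describes as read-only ("check", "list", "show") from the ones it describes as configuration changes, counts the distinct cells named, and raises the severity of any change aimed at cell=all, since such a change touches every cell the BSC controls. The read-only/state-changing split follows the command descriptions given above, not Ericsson documentation, and the sample input is the quoted command lines plus one constructed non-MML line to show how unparsed input is handled.

```python
"""Parse a BSC MML command log like the one recovered from Regin's VFS and
flag configuration-changing commands. Added example; not Kaspersky's code."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Classification follows the command descriptions in the write-up above (an
# assumption of this example): "check/list/show" commands are read-only, the
# rest alter BSC configuration.
READ_ONLY = {"rxmop", "rxmsp", "rlcrp", "rxtcp", "allip", "dtstp", "rrtpp", "iostp"}
STATE_CHANGING = {"rxble", "rlstc", "rlstp", "rlmfc", "rlnri"}

# "<timestamp>: <mnemonic>[:<params>];" -- mnemonic case is irrelevant in MML.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):\s*"
    r"(?P<cmd>[A-Za-z]+)(?::(?P<params>[^;]*))?;"
)


@dataclass
class MmlEntry:
    ts: datetime
    cmd: str                 # mnemonic, lower-cased
    params: Dict[str, str]   # key -> value, keys lower-cased; bare flags map to ""
    raw: str


def parse_params(text: Optional[str]) -> Dict[str, str]:
    params: Dict[str, str] = {}
    for item in (text or "").split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        params[key.lower()] = value.strip()   # "subord" (no '=') becomes "subord": ""
    return params


def parse_mml_log(text: str) -> Tuple[List[MmlEntry], int]:
    """Return (entries, unparsed_count). Lines that are not MML commands are
    counted, not guessed at."""
    entries: List[MmlEntry] = []
    unparsed = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        entries.append(MmlEntry(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            cmd=m["cmd"].lower(),
            params=parse_params(m["params"]),
            raw=line,
        ))
    return entries, unparsed


def cells_touched(entries: List[MmlEntry]) -> List[str]:
    """Distinct cells named explicitly via cell= or cellr=; 'all' is a wildcard, not a cell."""
    cells = set()
    for e in entries:
        for key in ("cell", "cellr"):
            value = e.params.get(key, "").lower()
            if value and value != "all":
                cells.add(value)
    return sorted(cells)


def flag_entries(entries: List[MmlEntry]) -> List[Tuple[str, str]]:
    """(severity, raw line) for every state-changing command. A change aimed at
    cell=all affects every cell on the BSC, so it is rated high."""
    flagged = []
    for e in entries:
        if e.cmd not in STATE_CHANGING:
            continue
        severity = "high" if e.params.get("cell", "").lower() == "all" else "medium"
        flagged.append((severity, e.raw))
    return flagged


def summarize(text: str) -> dict:
    entries, unparsed = parse_mml_log(text)
    known = READ_ONLY | STATE_CHANGING
    stamps = [e.ts for e in entries]
    return {
        "commands": len(entries),
        "unparsed": unparsed,
        "read_only": sum(e.cmd in READ_ONLY for e in entries),
        "unknown": sum(e.cmd not in known for e in entries),
        "span_days": (max(stamps) - min(stamps)).days if stamps else 0,
        "cells": cells_touched(entries),
        "flagged": flag_entries(entries),
    }


# Constructed sample: the command lines quoted in the write-up plus one
# non-MML line to exercise the unparsed counter.
SAMPLE_LOG = """\
--- session start ---
2008-04-25 11:12:14: rxmop:moty=rxotrx;
2008-04-25 14:37:05: rlcrp:cell=all;
2008-04-26 04:48:54: rxble:mo=rxocf-170,subord;
2008-04-26 06:16:22: rxtcp:MOty=RXOtg,cell=kst022a;
2008-04-26 10:06:03: IOSTP;
2008-04-27 03:31:57: rlstc:cell=pty013c,state=active;
2008-05-02 01:46:02: rlstp:cell=all,state=halted;
2008-05-08 06:12:48: rlmfc:cell=NGR035W,mbcchno=83&512&93&90&514&522,listtype=active;
2008-05-08 07:33:12: rlnri:cell=NGR058y,cellr=ngr058x;
2008-05-12 17:28:29: rrtpp:trapool=all;
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real 70 KB log the interesting output is the "flagged" list ordered by time: an operator who only reads MO status and alarms leaves nothing there, while a run of rlstc/rlstp/rlmfc against many cells in one session is exactly the pattern worth pulling an engineer's session history for.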
Communication and C&C

The C&C mechanism implemented in Regin is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks. Most victims communicate with another machine in their own internal network, through various protocols, as specified in the config file. These include HTTP and Windows network pipes. The purpose of such a complex infrastructure is to achieve two goals: to give attackers access deep into the network, potentially bypassing air gaps, and to restrict as much as possible the traffic to the C&C.
Here's a look at the decoded configurations:
188.8.131.52 transport 50037 0 0 y.y.y.5:80 ; transport 50051 217.y.y.yt:443
184.108.40.206 transport 50035 217.x.x.x:443 ; transport 50035 217.x.x.x:443
220.127.116.11 transport 27 18.104.22.168 ; transport 50035 194.z.z.z:8080
51.9.1.3 transport 50035 192.168.3.3:445 ; transport 50035 192.168.3.3:932
22.214.171.124 transport 50271 DC ; transport 50271 DC
In the above table, we see configurations extracted from several victims that bridge together infected machines in what appears to be virtual networks: 17.3.40.x, 50.103.14.x, 51.9.1.x, 18.159.0.x. One of these routes reaches out to the "external" C&C server at 126.96.36.199.
The numbers right after the "transport" indicate the plugin that handles the communication. These are in our case:

- 27 - ICMP network listener using raw sockets
- 50035 - Winsock-based network transport
- 50037 - Network transport over HTTP
- 50051 - Network transport over HTTPS
- 50271 - Network transport over SMB (named pipes)

The machines located on the border of the network act as routers, effectively connecting victims from inside the network with C&Cs on the internet.
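Configurations in the form shown above can be decoded mechanically, and doing so is the quickest way to see which machines are the border relays. The following is an added example (not Kaspersky's code and not part of the original article): it parses lines of the form "<victim> transport <plugin> [flags] <target> ; transport ...", maps plugin IDs to the transports listed above, builds the hop graph between victims, identifies border machines (those with a route to a host outside the victim networks) and walks from any victim through the internal relays to the external C&C it ultimately reaches. The addresses are constructed from RFC 5737 documentation ranges: 192.0.2.0/24 stands in for a victim "virtual network" that is not RFC 1918, 203.0.113.9 is the external C&C, and "DC" is kept as a symbolic hop exactly as the configurations above write it.

```python
"""Decode Regin-style transport configurations into a relay graph, find the
border machines and each victim's path to the external C&C.
Added example; not Kaspersky's code. Input addresses are constructed."""
import ipaddress
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Plugin IDs and their transports, as listed in the write-up above.
TRANSPORT_PLUGINS = {
    27: "ICMP listener (raw sockets)",
    50035: "Winsock TCP",
    50037: "HTTP",
    50051: "HTTPS",
    50271: "SMB named pipes",
}

# RFC 1918 ranges are always internal; victim "virtual networks" are passed in
# explicitly because they need not be private space (cf. 17.3.40.x above).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Route = Tuple[str, int, str]   # (victim, plugin id, target as written)


def parse_config(text: str) -> List[Route]:
    """One line per victim: '<victim> transport <plugin> [flags...] <target> ; transport ...'"""
    routes: List[Route] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        victim, _, rest = line.partition(" ")
        for clause in rest.split(";"):
            tokens = clause.split()
            if len(tokens) < 3 or tokens[0].lower() != "transport":
                continue                      # malformed clause: skip rather than guess
            # tokens between the plugin id and the target ("0 0") are flags we ignore
            routes.append((victim, int(tokens[1]), tokens[-1]))
    return routes


def target_host(target: str) -> str:
    """'203.0.113.9:443' -> '203.0.113.9'; bare hosts and names like 'DC' unchanged (IPv4 only)."""
    return target.rsplit(":", 1)[0] if ":" in target else target


def is_external(host: str, internal_nets) -> bool:
    """External = an address outside RFC 1918 and outside the known victim networks.
    Symbolic names such as 'DC' are internal hops."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in [*RFC1918, *internal_nets])


def build_graph(routes: List[Route]) -> Dict[str, Set[str]]:
    graph: Dict[str, Set[str]] = {}
    for victim, _plugin, target in routes:
        graph.setdefault(victim, set()).add(target_host(target))
    return graph


def border_nodes(graph: Dict[str, Set[str]], internal_nets) -> List[str]:
    """Machines with at least one route to an external host: the relays that touch the internet."""
    return sorted(v for v, hops in graph.items()
                  if any(is_external(h, internal_nets) for h in hops))


def path_to_c2(graph: Dict[str, Set[str]], start: str, internal_nets) -> Optional[List[str]]:
    """Breadth-first walk through internal relays to the first external host; None if none is reachable."""
    seen = {start}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        for hop in sorted(graph.get(path[-1], ())):
            if is_external(hop, internal_nets):
                return path + [hop]
            if hop not in seen:
                seen.add(hop)
                queue.append(path + [hop])
    return None


def analyze(text: str, internal_nets) -> dict:
    routes = parse_config(text)
    graph = build_graph(routes)
    return {
        "routes": [(v, TRANSPORT_PLUGINS.get(p, f"unknown plugin {p}"), t) for v, p, t in routes],
        "border": border_nodes(graph, internal_nets),
        "paths": {v: path_to_c2(graph, v, internal_nets) for v in sorted(graph)},
    }


# Constructed input in the write-up's format (RFC 5737 documentation addresses).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE_CONFIG = """\
192.0.2.101 transport 50037 0 0 192.0.2.5:80 ; transport 50051 192.0.2.5:443
192.0.2.5 transport 27 203.0.113.9 ; transport 50051 203.0.113.9:443
10.4.0.12 transport 50035 192.0.2.101:445 ; transport 50271 DC
10.4.0.77 transport 50271 DC ; transport 50271 DC
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_CONFIG, INTERNAL_NETS)
    print("border relays:", result["border"])
    for victim, path in result["paths"].items():
        print(victim, "->", " -> ".join(path) if path else "no external C&C reachable")
```

The point of the walk is the one the write-up makes for the Middle East case: a victim two hops deep (10.4.0.12 here) never talks to the C&C itself, so its own network telemetry shows only SMB and TCP to peers, and the single machine worth watching for internet egress is the border relay. A victim whose only hop is the symbolic "DC" yields None, which is the honest answer when the domain controller's own configuration has not been recovered.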
After decoding all the configurations we've collected, we were able to identify the following external C&Cs.
C&C server IP     Location                              Description
188.8.131.52      Taiwan, Province Of China, Taichung   Chwbn
184.108.40.206    India, Chetput                        Chennai Network Operations (team-m.co)
220.127.116.11    India, Thane                          Internet Service Provider
18.104.22.168     Belgium, Brussels                     Perceval S.a.

One particular case includes a country in the Middle East. This case was mind-blowing, so we thought it's important to present it. In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, an educational institution network and a bank.
These victims spread across the country are all interconnected to each other. One of the victims contains a translation drone which has the ability to forward the packets outside of the country, to the C&C in India.
This represents a rather interesting command-and-control mechanism, which is guaranteed to raise very little suspicion. For instance, if all commands to the president's office are sent through the bank's network, then all the malicious traffic visible to the president's office sysadmins will be with the bank only, in the same country.
Victim Statistics

Over the past two years, we collected statistics about the attacks and victims of Regin. These were aided by the fact that even after the malware is uninstalled, certain artifacts are left behind which can help identify an infected (but cleaned) system. For instance, we've seen several cases where the systems were cleaned but the "msrdc64.dat" infection marker was left behind.
So far, victims of Regin were identified in 14 countries:

- Algeria
- Afghanistan
- Belgium
- Brazil
- Fiji
- Germany
- Iran
- India
- Indonesia
- Kiribati
- Malaysia
- Pakistan
- Russia
- Syria

In total, we counted 27 different victims, although it should be pointed out that the definition of a victim here refers to a full entity, including their entire network. The number of unique PCs infected with Regin is of course much, much higher.
From the map above, Fiji and Kiribati are unusual, because we rarely see such advanced malware in such remote, small countries. In particular, the victim in Kiribati is most unusual. To put this into context, Kiribati is a small island nation in the Pacific, with a population of around 100,000.
More information about the Regin victims is available through Kaspersky Intelligent Services. Contact: email@example.com
Attribution

Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state. While attribution remains a very difficult problem when it comes to professional attackers such as those behind Regin, certain metadata extracted from the samples might still be relevant.
As this information could be easily altered by the developers, it's up to the reader to attempt to interpret this: as an intentional false flag or a non-critical indicator left by the developers.
More information about Regin is available to Kaspersky Intelligent Services' clients. Contact: firstname.lastname@example.org
Conclusions

For more than a decade, a sophisticated group known as Regin has targeted high-profile entities around the world with an advanced malware platform. As far as we can tell, the operation is still active, although the malware may have been upgraded to more sophisticated versions. The most recent sample we've seen was from a 64-bit infection. This infection was still active in the spring of 2014.
The name Regin is apparently a reversed "In Reg", short for "In Registry", as the malware can store its modules in the registry. This name and detections first appeared in anti-malware products around March 2011.
From some points of view, the platform reminds us of another sophisticated malware: Turla. Some similarities include the use of virtual file systems and the deployment of communication drones to bridge networks together. Yet through their implementation, coding methods, plugins, hiding techniques and flexibility, Regin surpasses Turla as one of the most sophisticated attack platforms we have ever analysed.
The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations. In today's world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them to launch other types of attacks against mobile users.
Full technical paper with IOCs.
Kaspersky products detect modules from the Regin platform as: Trojan.Win32.Regin.gen and Rootkit.Win32.Regin.
If you detect a Regin infection in your network, contact us at: email@example.com
h+ Magazine | Raoul Chiesa Dishes On Regin - h+ Magazine
Tue, 30 Dec 2014 13:24
At this stage it is nearly impossible to attribute the development of the Regin malware precisely to a specific category of threat actor.
I contacted one of the best-known security researchers in the world, Raoul Chiesa, who is President and Head of Information Superiority for the MoD Unit at Security Brokers and advisor to several institutions, including UNICRI and ENISA, and a member of the board of directors of ISECOM, CLUSIT and OPSI-AIP.
I asked Raoul to share his view on the Regin case and whether it is possible to speculate on the involvement of cybercriminal organizations.
Pierluigi: Hi Raoul, you have declared that Regin could be the product of a criminal organization. In your opinion, which elements distinguish the Regin platform from others identified in the past, such as Flame or Duqu?
Raoul: As usually happens in these cases, there aren't sufficient elements at this stage to express an objective judgment. In several interviews I gave to media agencies, I highlighted that, in my humble opinion, Regin seems a product of organized crime rather than intelligence.
Given this, it is important to analyze two aspects of my comment. First, Regin also implements credential-stealing functionality that allowed attackers to siphon login credentials for social networks, which can be part of intelligence information gathering, but also for online banking services. In this second case, the most plausible scenario is obviously cybercrime.
Second, the reference to the telecommunication companies (mobile operators): I have been conducting penetration tests for 20 years, I'm a member of the TSTF (Telecom Security Task Force) and I have a deep knowledge of the complexity of a mobile infrastructure. I think it is not possible to automate an attack against these systems; it would be too complex due to the presence of network elements produced by different vendors.
In several cases, when specific industries are targeted, spear phishing is an evergreen attack vector. With a spear phishing attack hackers can compromise a machine inside the targeted infrastructure and move the attack from a workstation usually used by an OSS operator. But, again, automating the data exfiltration is really too complicated. Think of billing (CDR, Call Detail Records), which is also a privileged target of an intelligence agency: in a complex infrastructure the overall operations are the result of activities executed by software from different vendors and the integration of a large number of complex database management systems.
I read many posts that compared Regin to Stuxnet; well, even if it may seem absurd, a telco infrastructure is much more complex than the systems within an energy plant. Consider also that the "SCADA world" is still more insecure than the telecommunication industry, despite the number of zero-days specific to telco equipment being very high.
Analyzing the Regin case, it would be very interesting to understand whether the targeted mobile operators were using the same technologies for their network infrastructure. This would be a first important factor for a serious assessment.
Pierluigi: The reports published by Symantec and Kaspersky highlight the high level of complexity of the Regin malware; another very unusual element is the attack against the GSM infrastructure. Assuming that there is a criminal organization behind Regin, what are its means and resources? In my experience, probably only the RBN (Russian Business Network) was able to support a huge investment in research and resources like the one behind Regin. Do you think there is a new, similar organization in the wild?
Raoul: Well Pierluigi, I'm currently at DefCamp, where I had the opportunity to speak with my friend and colleague Mika Lauhde of the ENISA PSG, former Global Chief Security Officer at Nokia. Mika told me that some confidential sources at an important antivirus vendor revealed that they had discovered traces of Regin in 2003 and in 2005, and after 2005 it disappeared.
This information changes my point of view and leads me to think that Regin is probably a product of intelligence instead of cybercrime.
Regarding your question, as you correctly said, the RBN was a really complex organization, flexible and with significant financial resources. The security landscape has completely changed since the alleged disappearance of the RBN; today the intelligence agencies have a primary interest in mobile operator data. In this sense, I can agree with those experts who consider Regin a product of intelligence: mobile operators are a privileged target for intelligence, since today everyone has a mobile phone that collects their data, holds information on their social network and contacts, and traces their position everywhere they go.
Gaining access to the CDRs, to the billing, to the SMS is nearly "priceless", but the investments are impressive. And here is the crux of my thought: why such huge investments to automate a hacking platform that needs to be tailored every time?
It is more convenient for the attackers to use a dedicated team of hackers that operates manually in a stealthy way and is able to exfiltrate just the data the intelligence agencies need. Automated attacks are surely noisier than tailored operations.
Speaking with Mika, I got information about other factors that suggest the involvement of a government, but I cannot disclose further data. As I told you, the information leads me to believe that Regin was designed by an intelligence agency, probably the US one.
If the news that the first traces of Regin date to 2003 and 2005 is confirmed, well, I was not aware of cybercriminal gangs active for so long.
I would like to make other assessments, linked to the so-called "object of interest", which is not 'just' data of telco companies, but also financial. But as I said, to date I cannot say more because I signed an "NDA from a gentlemen's agreement".
Pierluigi: Raoul, it's my opinion that we run the serious risk that an incorrect attribution can trigger a series of diplomatic crises and hacking campaigns in cyberspace that can destabilize some balances. I have seen too many experts express too hasty judgments on Regin. What is your opinion?
Raoul: You are right. When experts express their opinion too hastily, not specifying that they are making hypotheses about the events (as I did myself with ANSA and other media), it is dangerous. I made clear that attribution is the greatest difficulty when it comes to data breaches, malware and any other kind of cyber attack.
Let's see what will happen. I do not care about "being right" or not; I consider it important to avoid spreading false alarms, and that every scenario, every threat actor and every motivation behind the attack must be carefully analyzed.
The detailed analysis is available on the Infosec Institute