Newly Revealed Cyber Espionage Attack More Complex Than Stuxnet, Flame

Regin cyber spying platform is reportedly behind cyber spying against a Belgian telecommunications provider, which was revealed in leaked NSA documents.

First there was Stuxnet and Flame, and now theres an even more sophisticated, stealthy, and powerful cyber espionage attack called Regin that dates back as far as 2003 and has been found infecting machines in more than a dozen countries.
Symantec and Kaspersky Lab have each published their separate findings on Regin, a modular malware platform that has targeted Windows machines in telecommunications operators, governments, financial institutions, researchers, governments, small businesses, and individuals associated with cryptography research.
The attackers behind Regin most likely involve a nation-state, given the resources and investment required to design it and the persistent, long-term surveillance operations it appears to support. The code appears to be written in English, according to Symantec, which first went public with
its research yesterday
. Researchers say they probably have only scratched the surface of Regin, and there likely are other variants and features yet to be discovered.
Regins targets so far have been found located in the Russian Federation -- 28% of the victims -- and Saudi Arabia, with 24% of the victims, according to Symantec. Users in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria, Pakistan, Algeria, Brazil, Fiji, Germany, Indonesia, Malaysia, Kiribati, and Syria also were found infected with the malware, Symantec and
Kasperskys research
shows.
Conspicuously missing as victims of Regin are residents of the US as well as many Western European countries including the UK, but neither Symantec nor Kaspersky would confirm who might be behind Regin. F-Secure
today said
it does not originate from Russia or China. Meanwhile,
a report by The Intercept
today attributes the attack to the UK, specifically in the case of attacks on Belgian ISP and telecommunications firm Belgacom as part of the UKs Government Communications Headquarters surveillance program, which came to light in NSA documents leaked by Edward Snowden.
There is information and a certain level of indication that show Regin was possibly used by GCHQ in some attacks... However, these are just partially confirmed. And still, it is an interesting question if GCHQ or the UK developed these tools alone, or these attacks were part of a collaboration between countries [such as] the US, UK, and others, for what we saw in many leaked materials from Snowden, says Boldizsar Bencsath of the Laboratory of Cryptography and Systems Security at the Budapest University of Technology and Economics.
One of Regins more powerful modules allows the malware to monitor GSM base station controllers. Kaspersky Lab found that in April 2008, the attackers behind Regin captured administrative login credentials that would let them manipulate a GSM network in a Middle Eastern country, the name of which the researchers would not disclose. With access to the base controllers, the attackers could redirect calls or shut down the mobile network, the researchers say.
Regin is definitively in a category of its own. Its definitively more complex than Stuxnet and Flame when it comes to the design of the platform, functionality, or flexibility, says Costin Raiu, director of the global research and analysis team at Kaspersky Lab.
Raiu says Regin is also more compact: While a fully deployed Flame infection came in at 20 megabytes, Regin is about 8 megabytes, including its virtual file system, in size and packs the same punch as Flame, or more. Id say Regin is probably older than Stuxnet and Flame and more sophisticated, he says.
Victims victimizing victims
Regin includes various tools, and comes with an intricate and highly stealthy communications technique to control the infected networks that involves the victim organizations communicating via a peer-to-peer network. Kaspersky Lab spotted victims in a Middle East country doing just that: This case was mind-blowing, so we thought its important to present it. In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the presidents office, a research center, educational institution network and a bank, according to the Kaspersky report.
The infected machines communicate via HTTP and Windows network connections as a way for the attackers to burrow deep into their target networks, bypass air gaps, and minimize traffic to the command and control server so as to remain under the radar.
In this case, one of the victims had what Kaspersky calls a translation drone that communicated with a C&C outside its home country, in India.
Kaspersky spotted 27 different victims, and Symantec found 1,000 infected machines from around the globe, but both companies say this only scratches the surface of the potential victims.
Regin is basically a platform with multiple modules that could wrest control of their targets network -- and seize full remote control at all possible levels, Kasperskys report says.
Modular platforms have been spotted before such as Flame and The Mask/Weevel, but the multi-stage loading technique used by Regin is reminiscent of the Duqu/Stuxnet family, according to Symantec.
6 stages of Regin
There are six stages: The first driver is the only visible piece of the attack on the infected machine -- the next five stages of the attack are encrypted.
The initial stages involve the installation and configuration of the threat’s internal services. The later stages bring Regins main payloads into play, Symantecs report says. The most interesting stages are the executables and data files stored in Stages 4 and 5. The initial Stage 1 driver is the only plainly visible code on the computer. All other stages are stored as encrypted data blobs, as a file or within a non-traditional file storage area such as the registry, extended attributes, or raw sectors at the end of disk.
Even so, researchers are still not yet sure just how Regin infects the machines initially. There have been no confirmations of particular zero-day exploits or other methods. Most likely, the attackers use a range of initial attack vectors. Regin has at least a dozen different exfiltration options.
We dont know how it gets onto the machines... It could be a driveby, a link or executable sent in email. That particular piece was not found, but our guess is the dropper at Stage 0 is probably never resident on the machine, says Kevin Haley, director of security response at Symantec.
Haley says Regin appears to be a rare comprehensive cyber espionage malware platform. The fact that we havent found other ones means its rare, he says.
Meanwhile, not everyone agrees that Regin is all that stealthy. Ken Westin, a security analyst with Tripwire, says Regins file changes and registry key changes could be detected by any organization monitoring for host configuration changes.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Newly Revealed Cyber Espionage Attack More Complex Than Stuxnet, Flame