Backdoor trojan ('Regin') discovered stalking high-profile targets

  • 23 November 2014

Nov 24, 2014 8:24

Compared to Duqu and Stuxnet.

Researchers have unearthed an advanced malicious software application used to spy on private companies, governments, research institutes and individuals in ten countries.
The researchers at Norton antivirus maker Symantec said they had discovered an unidentified "nation state" was likely the developer of the malware called Regin, or Backdoor.Regin, and that it had been active since 2008. 
Symantec said Regin's design "makes it highly suited for persistent, long-term surveillance operations against targets," and said it was withdrawn in 2011 but resurfaced in 2013.
 
 
http://i.nextmedia.com.au/Utils/ImageResizer.ashx?n=http%3a%2f%2fi.nextmedia.com.au%2fNews%2fbackdoor.regin-architecture.png&w=460&c=0
Backdoor.Regin architecture. Source: Symantec
Full Article


Thanks Jasper. I found it remarkable that Ireland showed such a high proportion of the infections for the country's size...very strange?
 
 
Quote:
Thanks Jasper. I found it remarkable that Ireland showed such a high proportion of the infections for the country's size...very strange?

I was thinking the same thing. Russian Federation, Pakistan, Ireland. Which one of these three does not belong!

'A degree of technical competence rarely seen'

By Darren Pauli, 24 Nov 2014  Excerpt. "Customisable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organisations, infrastructure operators, businesses, researchers, and private individuals.
"It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state."
http://regmedia.co.uk/2014/11/24/ss_regin.png 
 Full Article
By Mark Wilson
 
http://betanews.com/wp-content/uploads/2014/11/regin.jpg
Security firm Symantec has released details of an advanced cyberespionage [tool] it has discovered. Called Regin, the backdoor Trojan is described as having a structure that "displays a degree of technical competence rarely seen". Symantec goes as far as saying that the levels of resources required to create such a highly advanced tool indicate that it was created by a nation state -- although there is no suggestion about who it might be.
The report says that Regin has already been used in mass surveillance programs not by but against government organizations. Symantec estimates that the tool may have been years in development, as it delivers multi-stage attacks, and great lengths are taken to hide each stage. The framework was designed to facilitate long-term surveillance, and the concealment techniques used make Regin difficult to fully understand.
 
 
full article
By Jeremy Kirk
 
Malware that Symantec says was probably developed by a nation state may have been used for as long as eight years, a length of time that underscores the challenges the security industry faces in detecting advanced spying tools.
 
 
On Sunday, the computer security company published a 22-page report and blog post on the Regin malware, which it described as a powerful cyberespionage platform that can be customized depending on what type of data is sought.
It was predominantly targeted at telecoms companies, small businesses and private individuals, with different modules customized for stealing particular kinds of information. Symantec found about 100 entities infected with Regin in 10 countries, mostly in Russia and Saudi Arabia, but also in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan.
 
 
full article
by Michael Mimoso    November 24, 2014 , 10:09 am

Researchers have uncovered a complex espionage platform reminiscent of Duqu that has been used since at least 2008 not only to spy on and extract email and documents from government agencies, research institutions and banks, but also one that targets GSM network operators in order to launch additional attacks.

Kaspersky Lab published a report this morning that explains this aspect of the Regin attack platform, which has been detected on the Windows computers of 27 victimized organizations in 14 countries, most of those in Asia and the Middle East. In addition to political targets, Kaspersky Lab researchers identified Belgian cryptographer Jean Jacques Quisquater as one of its specific victims, along with an unnamed research institution that was also infected with other dangerous espionage malware including Mask/Careto, Turla, Itaduke and Animal Farm.
 
Initial infection vectors are unknown, but Kaspersky Lab speculates that in a few instances, the attackers used a browser zero-day exploit in order to sit in a man-in-the-middle position and siphon traffic from a victim.
 
Full Article
 
   NSA, GCHQ or both behind Stuxnet-like Regin malware? - SC Magazine UK
 
 "Symantec has discovered a new piece of customisable malware - reminiscent of the Stuxnet worm - which has been stealing data from governments, telcos, energy companies and SMEs since 2008. And experts say the threat actor could be the US or UK government."
Snowden seems to crop up a lot these days which makes me wonder if they are  all down to him.
 
Summary: Two governments working together are said to have developed the state-sponsored malware that attacked the European Union. Guess what? One of the makers was an EU country.
 
By Zack Whittaker for Zero Day | November 24, 2014
 
Blame the British and American spy agencies for the latest state-sponsored malware attack, say reporters at The Intercept.
 
The publication, which in the wake of Glenn Greenwald's departure from The Guardian continued to publish documents leaked by Edward Snowden, said on Monday the recently discovered malware, known as Regin, was used against targets in the European Union.
One of those targets included Belgian telecommunications company Belgacom, which had its networks broken into by the British spy agency the Government Communications Headquarters (GCHQ).
Regin was first publicly talked about over the weekend after Symantec discovered the "sophisticated" malware, though is understood to have been in circulation since 2008.
Compared to Stuxnet, the state-sponsored malware whose creators have never been confirmed, the recently-discovered trojan steals data from machines and networks it infects, disguised as Microsoft software. 
 
Full Article
This is really making quite a buzz.  To be quite honest, CNN tends to be really quite slow in reporting things: rather often I have read it here up to 2 weeks before CNN gets a story published.
 
This one is different:  CNN Article  It does NOT appear that this one is really a big concern to the average consumer though in terms of being a risk to credit card theft/fraud.
 
"Experts don't know where it came from, and aren't quite sure what it does.
 
"But they do know this: a newly-uncovered cybersecurity threat wasn't your typical credit-card stealing operation. It appears to be a government spying tool, and is 'groundbreaking and almost peerless.'
 
"Regin, as they've dubbed it, is malware that has been lurking in computers around the world for as long as six years, according to Symantec, the cybersecurity firm that produces Norton Antivirus.
 
"The malware was installed on the computers of companies around the world, but it wasn't searching for business secrets. When a target was selected it searched airline computers to find out where the target was traveling. It scoured hotel computers to find his room number. And it tapped telecommunication computers to see who he was talking to.
"They were trying to gain intelligence, not intellectual property," said Symantec analyst Vikram Thakur."
Ireland is the European HQ of quite a few US companies due to their low corporate taxes, skilled / educated workforce and English as the main language. For example Apple have been in Ireland since the 1980s and currently have about 4000 employees. I recall that IBM and Dell were also there, not sure if they are now.

Attacking businesses such as this could give them an insight into what the main office is doing, even gain them a backdoor to the main office in the US, without hacking the US directly.

Why wouldn't they try and hack the US directly? My guess that the perpetrators are probably a "special friend" of the US and would not want to upset them too much; that narrows it down to 2 probable countries in my opinion: Israel or UK.

Since the US is not an apparent target, it could of course be the US that created this malware.
Quite an interesting take on the Regin puzzle.
 
By Graeme Burton  25 Nov 2014
 
EXCERPT.
 
The question is, if Symantec was aware of this particularly sophisticated piece of malware at least back in 2011 - possibly before - why has it stayed silent until now? Indeed, why did it choose this last weekend to write up what it knew, given that the first appearance of the malware has been dated to 2008?
There could be any number of perfectly legitimate reasons for this. Indeed, Computing has some outstanding questions with a number of security software vendors right now, awaiting an official response.
However, among a global public that has grown cynical by the brass-necked extent of state-led surveillance, and the ever-more 1984-style excuses for extending this surveillance still further, the security software industry owes people a thorough and comprehensive explanation - who do they serve, their customers or governments?
 
Full Article
 
 
Quote:
Ireland is the European HQ of quite a few US companies due to their low corporate taxes, skilled / educated workforce and English as the main language. For example Apple have been in Ireland since the 1980s and currently have about 4000 employees. I recall that IBM and Dell were also there, not sure if they are now.

Attacking businesses such as this could give them an insight into what the main office is doing, even gain them a backdoor to the main office in the US, without hacking the US directly.

Why wouldn't they try and hack the US directly? My guess that the perpetrators are probably a "special friend" of the US and would not want to upset them too much; that narrows it down to 2 probable countries in my opinion: Israel or UK.

Since the US is not an apparent target, it could of course be the US that created this malware.
I agree, and have thought the same. Facebook's Euro HQ in Dublin comes to mind.
 
Kelly Jackson Higgins  Posted on 11/24/2014
 
"Regin" cyber spying platform is reportedly behind cyber spying against a Belgian telecommunications provider, which was revealed in leaked NSA documents.
 First there was Stuxnet and Flame, and now there's an even more sophisticated, stealthy, and powerful cyber espionage attack called Regin that dates back as far as 2003 and has been found infecting machines in more than a dozen countries.
Symantec and Kaspersky Lab have each published their separate findings on Regin, a modular malware platform that has targeted Windows machines in telecommunications operators, governments, financial institutions, researchers, governments, small businesses, and individuals associated with cryptography research.
The attackers behind Regin most likely involve a nation-state, given the resources and investment required to design it and the persistent, long-term surveillance operations it appears to support. The code appears to be written in English, according to Symantec, which first went public with its research yesterday. Researchers say they probably have only scratched the surface of Regin, and there likely are other variants and features yet to be discovered.
 
full article
By AFP on November 25, 2014
 
A sophisticated cyberespionage tool has been stealing information from governments and businesses since 2008, researchers said Monday, and one report linked it to US and British intelligence.
The security firm Symantec identified the malware, known as Regin, and said it was used "in systematic spying campaigns against a range of international targets," including governments, businesses, researchers and private individuals.
The news website The Intercept reported later Monday that the malware appeared to be linked to US and British intelligence, and that it was used in attacks on EU government networks and Belgium's telecom network.
The report, citing industry sources and a technical analysis of the malware, said Regin appears to be referenced in documents leaked by former National Security Agency contractor Edward Snowden about broad surveillance programs.
Asked about the report, an NSA spokeswoman said: "We are not going to comment on speculation." 
Symantec's report said the malware shares some characteristics with the Stuxnet worm -- a tool believed to have been used by the US and Israeli governments to attack computer networks involved in Iran's nuclear program.
Because of its complexity, the Symantec researchers said in a blog post that the malware "would have required a significant investment of time and resources, indicating that a nation state is responsible."
The researchers added that "it is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks."
 
 
full article
At last a reasonably detailed account of it.
 
by Pierluigi Paganini on November 25th, 2014
 
EXCERPT.
 
"The experts reported that in April 2008, the threat actors gained access to administrative credentials that would allow them to manipulate a GSM network in a Middle Eastern country. The case reported in the paper represents a case study for the experts which noted a very insidious implementation of the control infrastructure.
“In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president’s office, a research center, educational institution network and a bank. These victims spread across the country are all interconnected to each other. One of the victims contains a translation drone which has the ability to forward the packets outside of the country, to the C&C in India. This represents a rather interesting command-and-control mechanism, which is guaranteed to raise very little suspicions. For instance, if all commands to the president’s office are sent through the bank’s network, then all the malicious traffic visible for the president’s office sysadmins will be only with the bank, in the same country.”"
http://securityaffairs.co/wordpress/wp-content/uploads/2014/11/Regin-graph-one-1024x640.png
 
Full Article
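The relay topology Kaspersky describes in the excerpt above is worth seeing from the defender's side. The following is an added example, not code from the original post, from Kaspersky or from any vendor tooling: a small Python script that correlates flow records from several sites, walks internal-only hops and reports every host whose traffic reaches an outside address only through other in-country victims. The flow records, the addresses (documentation ranges only) and the hop order are constructed for the demonstration; the per-site `local_view` function shows why the president's office admins in the quote would see nothing but the bank.

```python
"""Correlate flow records from several organisations to expose an internal
peer-to-peer relay chain that ends at a single external command-and-control
host.

Added example, not code from Kaspersky, Symantec or the Regin operators. The
flow records, addresses and hop order below are constructed for the demo;
only the topology (victims relaying through each other to one egress point)
is taken from the report quoted on the page."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space treated as "inside the country" for the demonstration
# (an assumption; in practice this is the union of the monitored sites).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: (src, dst, bytes). Roles follow the quoted
# description; none of these addresses is real (203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges).
FLOWS = [
    ("10.1.0.5", "10.4.0.11", 20_480),       # president's office -> bank
    ("10.2.0.7", "10.4.0.11", 8_192),        # research centre    -> bank
    ("10.3.0.9", "10.4.0.11", 4_096),        # university         -> bank
    ("10.4.0.11", "10.5.0.13", 32_768),      # bank -> "translation drone"
    ("10.5.0.13", "203.0.113.10", 30_720),   # drone -> external C&C
    ("10.1.0.5", "10.1.0.2", 512),           # ordinary DNS, a dead end
    ("10.3.0.9", "198.51.100.7", 2_048),     # ordinary direct web browsing
]


def is_internal(addr):
    """True if addr falls inside one of the monitored ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def build_graph(flows):
    """Directed adjacency list of who talked to whom, keyed by internal source."""
    graph = defaultdict(set)
    for src, dst, _nbytes in flows:
        if is_internal(src):
            graph[src].add(dst)
    return graph


def local_view(host, flows):
    """What one site's admins see in their own logs: the host's direct peers
    only. For a relayed victim this is just another in-country address."""
    peers = set()
    for src, dst, _nbytes in flows:
        if src == host:
            peers.add(dst)
        elif dst == host:
            peers.add(src)
    return peers


def egress_hosts(flows):
    """Internal hosts that both receive from other internal hosts and send
    to the outside: candidates for the 'translation drone' role."""
    inbound = defaultdict(set)
    outbound_external = set()
    for src, dst, _nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound[dst].add(src)
        elif is_internal(src):
            outbound_external.add(src)
    return {h for h in outbound_external if h in inbound}


def relay_chains(flows, max_hops=8):
    """For each internal host, breadth-first walk over internal-only hops and
    report every path that reaches an external address through at least one
    intermediate internal host. Direct external traffic is ignored, so the
    ordinary browsing above is not flagged but the chain via the bank is."""
    graph = build_graph(flows)
    chains = {}
    for start in sorted(graph):
        queue = [[start]]
        while queue:
            path = queue.pop(0)
            if len(path) > max_hops:
                continue
            for nxt in sorted(graph.get(path[-1], ())):
                if nxt in path:
                    continue                      # avoid cycles in the P2P mesh
                if is_internal(nxt):
                    queue.append(path + [nxt])
                elif len(path) >= 2:              # start -> relay(s) -> outside
                    chains.setdefault(start, []).append(path + [nxt])
    return chains


if __name__ == "__main__":
    print("president's office sees only:", sorted(local_view("10.1.0.5", FLOWS)))
    print("egress candidates:", sorted(egress_hosts(FLOWS)))
    for victim, paths in relay_chains(FLOWS).items():
        for p in paths:
            print(victim + ": " + " -> ".join(p))
```

The point of the two views is the one the quote makes: from the president's office alone the only peer is the bank, so nothing looks like exfiltration; only when flows from all the victims are pooled does the chain to the drone and then to the external C&C appear. Real deployments would feed NetFlow or Zeek conn logs into `FLOWS` and would also have to cope with the drone rotating its egress address.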
 "After Symantec published its report on the Regin super-spyware, there were many questions raised. Who coded it? What can it do? And – above all – why did it take so long for security vendors to notice it?"
 
 Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds... • The Register
By John P. Mello Jr.
11/25/14 11:01 AM PT

 
A sophisticated malware program called "Regin" has been used in systematic spying campaigns against a range of international targets since at least 2008, Symantec reported on Sunday.
Regin is a backdoor-type Trojan with a structure that displays a degree of technical competence rarely seen in malware, according to Symantec.
"Its elegance is comparable to Stuxnet and [it is] much more elegant than Flame," said Scott Borg, CEO and chief economist with the U.S. Cyber Consequences Unit.
"It's a beautiful piece of architecture," he told TechNewsWorld.
Stuxnet, which was used to attack Iran's nuclear development program, and Flame, which was used to spy on computers in Iran and elsewhere, are widely believed to have been created by the United States and Israel because of their sophistication.
Regin "has a level of sophistication that we never see in cybercriminal types of malware," Richard Stiennon, chief research analyst with IT Harvest, told TechNewsWorld.
 
full article
 
So, if the suspicion that a state-sponsored actor is responsible for Regin is correct, who was it?
The truth is, I don’t know. Attribution of attacks is always tremendously difficult. But let me put it this way – I wouldn’t be at all surprised if the UK’s GCHQ and/or the NSA were involved.
And I’m not in any way dissuaded as more clues come to light, such as those included in this tweet from Costin Raiu, a security researcher at Kaspersky Lab:
#Regin internal module codenames: LEGSPINv2.6, WILLISCHECKv2.0, HOPSCOTCH.
— Costin Raiu (@craiu) November 24, 2014
 
  http://grahamcluley.com/2014/11/write-regin-malware/
 
Here is the industry's take on the Malware and its origins, some interesting suggestions as well.
 
By Eduard Kovacs on November 28, 2014
 
The existence of a sophisticated cyber espionage tool that has been used in numerous operations aimed at businesses and governments from all over the world was brought to light this week.
http://www.securityweek.com/sites/default/files/features/Feedback_Friday_Feature.png
Dubbed “Regin,” the Trojan has been used since 2008 in attacks against private individuals and small businesses, and sectors such as telecoms, hospitality, energy, aviation, and research. The largest number of infections has been spotted in Russia (28%) and Saudi Arabia (24%), Symantec said in a report.
Researchers at Kaspersky have also analyzed the threat, which is said to be as sophisticated as Stuxnet, and found that it has also been used to target GSM networks.
The Intercept reported that Regin is linked to US and British intelligence agencies. The malware has been referenced in the documents leaked by Edward Snowden and it's said to have been utilized in attacks against European Union government agencies and the Belgian telecoms company Belgacom.
And the Feedback Begins... 
 
Full Article
