Saturday, 29 November 2014

New Regin malware is an incredibly sophisticated spy tool, linked to the US and UK governments (updated)

According to further work by Kaspersky and other security researchers, it appears that Regin might be the result of a combined effort from US and UK intelligence agencies. It also seems that Regin has infected numerous GSM base stations — i.e. the cell towers that provide 2G and 3G mobile coverage. Kaspersky says it has identified “a country in the Middle East” where Regin has infected systems at the president’s office, a research center, and a bank — and all of these infected systems are communicating with each other.

I’m sure more information about Regin will bubble to the surface over the next few days, but for now, read on for our original story about the discovery of this highly sophisticated piece of malware.

Original story

In the last decade, cybersecurity warfare has moved from the pages of spy novels to real-world implementations. Worms like Stuxnet have been used to cause damage to Iran’s nuclear centrifuges and delay the country’s development of its own nuclear capacity. Now, Symantec has released details on Regin — a new, incredibly sophisticated malware program that can deploy dozens or hundreds of separate payloads, allows for targeted, system-specific data gathering, and can be updated post-infection to introduce new payload capabilities.

Regin’s reach is significant; the code has primarily targeted small businesses and private individuals, but 28% of its infections are focused on telecommunication backbones as well. The list of infected countries is somewhat instructive:

Regin countries

The list of infected countries would seem to imply particular interests, possibly including global terrorism. Afghanistan, Iran, and Pakistan are all targets of particular US interest, and the 9% share for Ireland is noteworthy given that many corporations have taken advantage of low corporate taxes there to shed global tax burdens and reduce exposure. Mexico’s drug gangs wield considerable financial power, while Saudi Arabia has an enormous concentration of oil wealth and a history of offering tacit support to Islamic extremists through its endorsement of Wahhabism.

In short, these are practical targets that a Western nation might take a great deal of interest in, and the degree of sophistication baked into Regin suggests the tool is well-equipped to support a wide range of data gathering.

According to Symantec, only the initial Stage 1 driver is visible as unencrypted code. Everything past that is encrypted, stored within the registry, or even written to the raw sectors at the end of the disk. Symantec hasn’t isolated the infection vector but believes that the driver that loads Regin goes by one of two names — either usbclass.sys or adpu160.sys. By Stage 3, data is being stored within registry key blobs, and much of the intercepted data is never encrypted or written to disk at all.
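As an added defender's triage sketch (not from the article or from Symantec's analysis), the following Python turns the two observable facts in the paragraph above into checks: it flags a loaded driver that matches either reported loader name, and it flags large, near-random REG_BINARY values, which is the profile of an encrypted stage parked in a registry blob. The registry values and driver list are constructed sample input.

```python
import math
import random
from collections import Counter

# Loader driver names reported by Symantec (quoted in the article above).
SUSPECT_DRIVERS = {"usbclass.sys", "adpu160.sys"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or random data, well below for text or PE code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_registry_blobs(values, min_size=1024, min_entropy=7.5):
    """values: iterable of (key_path, value_name, raw_bytes) triples.

    Returns (key_path, value_name, entropy) for values that are both large and
    near-random.  Compressed data (thumbnails, certificates) also scores high,
    so a hit is a triage lead to inspect, not proof of an encrypted payload.
    """
    hits = []
    for key, name, blob in values:
        if len(blob) >= min_size:
            ent = shannon_entropy(blob)
            if ent >= min_entropy:
                hits.append((key, name, round(ent, 2)))
    return hits


def flag_drivers(loaded_drivers):
    """Case-insensitive match of loaded driver file names against the reported loader names."""
    return sorted(d for d in loaded_drivers if d.lower() in SUSPECT_DRIVERS)


# --- constructed sample input (hypothetical key paths, not real Regin indicators) ---
_rng = random.Random(1)  # seeded so the sample is deterministic
SAMPLE_REGISTRY_VALUES = [
    ("HKLM\\SOFTWARE\\Example\\Settings", "Path", b"C:\\Program Files\\Example\\" * 64),
    ("HKLM\\SOFTWARE\\Example\\Cache", "Small", bytes(_rng.getrandbits(8) for _ in range(200))),
    ("HKLM\\SOFTWARE\\Example\\Classes", "Blob", bytes(_rng.getrandbits(8) for _ in range(4096))),
]
SAMPLE_LOADED_DRIVERS = ["ntfs.sys", "ADPU160.SYS", "tcpip.sys"]

if __name__ == "__main__":
    print("driver hits:", flag_drivers(SAMPLE_LOADED_DRIVERS))
    print("blob hits:", flag_registry_blobs(SAMPLE_REGISTRY_VALUES))
```

The 200-byte random value is deliberately below the size floor: short random values are common and noisy, so the filter keys on size and entropy together.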

Regin design
Regin’s design. Only the first layer is unencrypted code.

Was Regin developed by the US government?

There’s no proof, at this point, that Regin was developed by the United States, but given the program’s capabilities it’d be stunning if the US government had no hand in it whatsoever. Just as Stuxnet was a collaborative effort between multiple nations (Israel, the US, Jordan, France, and even China have been proposed as partners), Regin was likely the work of multiple teams. At the very least, it targets nations the US is interested in monitoring with capabilities the US would want to possess.


One key feature of the malware is the degree to which various functions can be sandboxed. The Symantec team has discovered precise payload capabilities that allow the malware’s function to be fine-tuned for very specific information. While it can be deployed in a “Hoover everything” approach, it doesn’t have to be.

The restrictions baked into Regin suggest (though they do not prove) that the malware has been designed to function effectively in cases where a judge has signed off on very specific forms of information gathering. While the data-gathering specifics of national intelligence agencies have been generally shielded from public eyes, it’s easy to imagine the NSA arguing that such targeted capabilities gave it the ability to avoid broad infringement of a target’s civil liberties behind closed doors.


Symantec hasn’t published any information on who it thinks is behind the malware yet, so speculation is all we have. The program has already gone through two iterations, with version 1.0 debuting from 2008 to 2011 and version 2.0 breaking cover in 2013. These disclosures could lead to the release of a version 3.0 that patches up the flaws and discovery mechanisms Symantec used to detect the first two versions — or could signal the need to develop a new, more obfuscated program to accomplish similar results.

TAGS: NSA, Malware, Stuxnet, Espionage, Cyber security, Regin.
