Regin Is ‘Groundbreaking’ Malware Used by UK Spooks

One of the most sophisticated pieces of malware ever seen has been discovered by researchers. Dubbed Regin, the tool has reportedly been spying on telecoms companies, governments, businesses, and individuals for at least the past six years, and appears to have been used by the UK's intelligence services.

Security company Symantec announced the existence of Regin yesterday, and the researchers say it is a "​groundbreaking and almost peerless" piece of malware "whose structure displays a degree of technical competence rarely seen."

The architecture is the hallmark of Regin: each stage of the malware is stored surreptitiously in the section that precedes it. These unload bit by bit, with five stages in total, culminating in an attacker being able to monitor nearly everything carried out on a target device.

In this regard, Symantec compared Regin to the infamous Stuxnet malware, which also had a multi-stage approach. Costin Raiu, director of the Global Research and Analysis Team at security firm Kaspersky Lab agreed with the comparison. "It's a very good analogy," he told me, but also pointed out some of the key differences. Kaspersky had also been working on researching the Regin malware, according to a blog post published after Symantec's white paper, and provided some additional insights.

Stuxnet was designed to infiltrate and ultimately tamper with the Iranian nuclear programme. For this, it was given the power to self-replicate, move from one computer to another, and infect USB sticks, which would then be carried into the facility. From here, Stuxnet would attempt to override the centrifuges crucial to Iran's nuclear enrichment plants.

Regin doesn't do any of these things. It works as quietly as possible, granting attackers access to computer systems so they can monitor, not break them. "The main focus of Regin would be surveillance, while Stuxnet was designed for sabotage," Raiu said.

As for what it can do once inside a system, Regin can spy on network traffic; steal data through a variety of ways; pinch peoples' computer passwords; recover some deleted files; and take screenshots, amongst other things. According to the Symantec white paper, these capabilities would likely be mixed and matched depending on the target Regin is being fired at.

There's one ability in particular that separates Regin from other pieces of malware though: its power to monitor GSM base station traffic, and specific targeting of GSM base stations. GSM, or Global System for Mobile Communications, is the set of standard protocols used by mobile phones, and a base station is essentially a powerful computer that handles multiple phone cell towers simultaneously.

"So getting access to this computer," Raiu explained, "gives the attackers the ability to control the cell towers." From there, Raiu said it was possible to facilitate other types of attacks against mobile phones, and intercept calls or text messages.

With the capability to sniff base station administration traffic, it appears Regin's attackers have a special interest in telecommunications. That is also reflected in who has actually been targeted by the malware. According to Symantec, 28 percent of the Regin samples they analysed were directed at telecoms companies, with the attacks "designed to gain access to calls being routed through their infrastructure." A separate investigation carried out by Kapersky found that Regin had been used to attack a GSM network in a Middle Eastern country in 2008.

Because of its adaptable nature, Regin has also been used against energy companies, airlines, researchers, and the hospitality industry. The most popular target, however, were private individuals or small businesses, making up 47 percent.

Most of the targets have been situated in Russia and Saudi Arabia, according to Symantec's analysis, although samples were also found as far afield as Mexico, India, Ireland, and Afghanistan.

One of the individuals affected, according to Raiu, is Jean-Jacque Quisquater, a Belgian cryptographer. In 2013, it was revealed that Quisquater, who works for Belgium's state-owned telecom Belgacom, was hacked by GCHQ, the UK's version of the National Security Agency, according to the Snowden documents. It wasn't known the method used in the hack.

But revealed now, according to sources who spoke to The Intercept, Regin was discovered during an internal investigation into the GCHQ hacking attempt on the Belgian company.

"Having analyzed this malware and looked at the [previously published] Snowden documents, I'm convinced Regin is used by British and American intelligence services," Ronald Prins, a security expert who was hired to conduct the investigation, told TheIntercept.

Like Symantec, Raiu didn't want to speculate who was behind the malware. However, there are certain artifacts that may add more weight to the claim that GCHQ is involved. Some of the internal codenames of Regin's modules include LEGSPINv2.6, WILLISCHECKv2.0 and HOPSCOTCH. "Leg spin" is a cricket tactic, and Willis was a famous cricket player, with the Willis Check one of this famous moves, according to Raiu.

Timestamps left on Regin samples could also give a clue as to where the developers might be located, according to Kaspersky's research. "For about 100 different Regin modules," Raiu said, "[the timestamps] seem to indicate that the attackers are working between 10 AM and 9 PM GMT." But remember, that is only "if we are to trust these timestamps," Raiu added, "in case they haven't been faked."

As for what the existence of Regin means, Raiu thinks it highlights just how little we really know about the world of high-end, government malware. "There are signs that it has been around since 2006, maybe as early as 2003. In my opinion, what this means is that there are a lot of icebergs, or hidden gems out there, that very few people know about."