Regin Espionage Malware: 8 Key Issues

Questions Arise Over Attribution, Disclosure Timing
Regin Espionage Malware: 8 Key Issues

Less than 48 hours after warnings first surfaced about powerful espionage malware called "Regin" - also known as "Regis" - debate continues to rage over who's been running the related attack campaigns, for what purpose, and if anti-virus vendors should have sounded related alerts more quickly (see Espionage Malware Alert Sounded).

See Also: Protecting Your Assets Across Applications, Services and Tiers

Symantec was the first information security vendor to release a Regin report, on Nov. 23; anti-virus firms F-Secure and then Kaspersky Lab quickly followed suit. The timing of those disclosures has led some information security experts to question why warnings weren't sounded earlier. F-Secure says it first found the malware 2009, and that it appears to date from at least 2008, although Kaspersky says it may be a decade old.

Such questions have been compounded following press reports that the malware was recovered from Belgian telecommunications firm Belgacom, after it was allegedly hacked by the U.S. National Security Agency and the U.K.'s GCHQ intelligence agency.

In the wake of those questions, here is what is known - and not yet known - about Regin:

1. Very Sophisticated Malware

Regin is an advanced persistent threat that loads its attack modules into a PC's registry - its name is a reversal of "in [the] registry" - via a six-stage attack, multiple security experts say. Kaspersky says it's one of the most advanced pieces of malware it's ever seen. But the malware is scarce: So far, Symantec says it has seen fewer than 100 related infections, and that the vast majority have been on systems in Russia and Saudi Arabia.

Once the malware gets installed on a system, meanwhile, attackers can push a variety of modules to the PC that give them specific capabilities, including remote access to the system - as a banking Trojan might do - as well as keystroke logging, capturing screenshots, sniffing traffic and even monitoring the system if it's a GSM network base station.

2. APT Evaded Detection

But the reason Regin is only gaining attention now, F-Secure security advisor Sean Sullivan says, has to do with its "excellent OPSEC," referring to military jargon for "operational security."

"Regin is a true APT [with] very advanced design and it has been used sparingly," he tells Information Security Media Group. "It is rare. It is a platform - and we've only seen parts of it. We have detected various components since 2009. But detecting a rootkit component doesn't mean you've discovered a new 'family' or that you can describe the full platform that utilizes the rootkit."

Sullivan says F-Secure began to realize in 2013 that Regin might be a serious threat. "By [that] time we had multiple components - there may be multiple customers involved - ours and those of other vendors with whom we work," Sullivan says. That lead F-Secure to revise its assessment, for example, of a 2009 sample of the malware that was posted to Virus Total. But he says F-Secure didn't write up its research until Nov. 23, 2014, prompted by Symantec releasing its report.

3. Disclosure Question Is Difficult

Sullivan says there may also be good reasons to not immediately disclose - at least publicly - in-depth details about malware such as Regin, including contractual agreements with customers. "The samples were submitted to us confidentially. Detection was added for all of our customers - always is," he says. "But publication of technical analysis is limited by our customer's privacy concerns. And as I've mentioned, discovering a rootkit component doesn't necessarily mean you have anything interesting to write about anyway."

In addition, publicizing the threat can make it harder to defend against follow-on attacks. "You need to carefully weigh whether publicity is in everybody's best interest," Sullivan says. "Once we - or others - publicize the threat, the attacker will change tactics, nullifying existing defenses."

4. Whitelisting Questions

In the wake of the Regin reports, some pundits have questioned whether the timing reveals that anti-virus firms had been legally compelled to "whitelist" the malware and not build anti-Regin signatures for their anti-virus engines. "That's stupid - at least for our part," Sullivan says.

While Kaspersky and Symantec didn't immediately respond to related requests for comment, they've previously denied whitelisting government malware. Multiple information security experts also said it would likely be impossible for any government to legally, and reliably, compel vendors from so many different countries - including Finland, Russia and the United States - to ignore any particular piece of malware. Instead, many said the best option would be to create a tool that was so well designed that it simply wouldn't be found.

5. Suspected Victims: Belgacom, European Parliament

It's not yet clear who launched Regin, or why, although "considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state," Kaspersky says.

But numerous security experts have said that the United States and United Kingdom, perhaps working together, should appear on any shortlist of potential sponsors. It's notable, for example, that no significant number of infections have been reported affecting systems in either of those countries, or in Australia, Canada and New Zealand, which are all involved in the Five Eyes spying program.

Furthermore, The Intercept reports that Regin was recovered from hacks of the Belgian telecommunications firm Belgacom, as well as from the hack of the European Parliament. According to information leaked by former NSA contractor Edward Snowden, those attacks were launched by the NSA and GCHQ.

Some reports have also tied Regin to the hack of Belgian cryptography expert Jean-Jacques Quisquater, which the Belgian government is reportedly investigating.

6. Cautions About Attribution

Ronald Prins, a security expert at Fox IT who was hired to investigate the Regin outbreak at Belgacom, has blamed U.S. and U.K. intelligence agencies for that attack. "Having analyzed this malware and looked at the [previously published] Snowden documents," Prins tells The Intercept, "I'm convinced Regin is used by British and American intelligence services."

But multiple information security experts have accused Prins of jumping to conclusions, based on incomplete evidence. "I think it's a case of 2+2=5 in this case," says Alan Woodward, a visiting professor at the department of computing at England's University of Surrey. "They seem to be basing that on who was targeted. It is highly speculative."

"As always speculation is easy, actual attribution is hard," says Dublin-based information security consultant Brian Honan.

7. Beware False Flags

Indeed, one caveat with attribution is that attackers may leave "false flags" to make it look like someone else is responsible. Kaspersky cites that potential, for example, when displaying a list of Regin samples' development timestamps, which largely fall between 8 a.m. and 3 p.m. Eastern Time. "As this information could be easily altered by the developers, it's up to the reader to attempt to interpret this - as an intentional false flag or a non-critical indicator left by the developers," Kaspersky says.

The same goes for the names of some Regin internal modules, including "LEGSPINv2.6," "WILLISCHECKv2.0," and "HOPSCOTCH," notes Costin Raiu, a senior security researcher at Kaspersky Lab.

"'Leg spin' is a cricket term. In case you want to speculate whether NSA or GCHQ is behind #Regin," tweets security researcher Martijn Grooten, who edits Virus Bulletin. Likewise, Willis may well refer to the famous U.K. cricket player, turned commentator, named Bob Willis.

8. Not At Risk: Most People

Despite unanswered questions over who launched Regin - and why - many security experts have emphasized that the malicious code poses scant risk to the vast majority of Internet users. "Remember, for the majority of companies out there, Conficker poses a bigger threat to you than Regin," says Honan, who heads Ireland's computer emergency response team, referring to the notorious Conficker - a.k.a. Downadup - banking malware, which first surfaced in 2008. Indeed, a study released by F-Secure in September reported that Conficker remains the world's most dangerous malware, in large part because it continues to target Windows XP, for which Microsoft no longer issues security patches.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network