Virus Type: Malware / Advanced Persistent Threat (APT)
Regin is a cyber-attack platform capable of monitoring GSM networks in addition to other “standard” spying tasks.
In short, Regin is a cyber-attack platform which the attackers deploy in victim networks to gain full remote control at every level. The platform is extremely modular in nature and is deployed in multiple stages, each accomplishing a different part of the attack.
The malware can collect keylogs, make screenshots, steal any file from the system, extract emails from MS Exchange servers and any data from network traffic.
The attackers can also compromise GSM Base Station Controllers, which are the computers controlling the GSM infrastructure. This allows them to control GSM networks and launch other types of attacks, including the interception of calls and SMSes.
It is one of the most sophisticated attacks we’ve ever observed. From some points of view, the platform reminds us of another sophisticated malware: Turla. Some similarities include the use of virtual file systems and the deployment of communication drones to bridge networks together. Yet through their implementation, coding methods, plugins, hiding techniques and flexibility, Regin surpasses Turla as one of the most sophisticated attack platforms we have ever analysed. The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations.
The victims of Regin fall into the following categories:
So far, we've observed two main objectives from the attackers:
So far, victims of Regin were identified in 14 countries:
In total, we counted 27 different victims, although it should be pointed out that the definition of a victim here refers to a full entity, including their entire network. The number of unique PCs infected with Regin is of course much, much higher.
Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state.
Attribution remains a very difficult problem when it comes to professional attackers such as those behind Regin.
Kaspersky products detect modules from the Regin platform as: Trojan.Win32.Regin.gen and Rootkit.Win32.Regin.
Yes, IOC information has been included in our detailed technical research paper.