Super-Spyware Regin malware detected in Telekom Malaysia network

Kaspersky Lab’s Global Research and Analysis Team has published its research on Regin, pronounced “region” – the first cyber-attack platform known to target Telcos with GSM standard mobile networks for surveillance.

The attackers behind this platform have compromised computer networks in at least 14 countries around the world.

Five stages of Regin malware infection: Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.

Kaspersky’s report on Regin shows it has the ability to infiltrate GSM phone networks. The malware can receive commands over a cell network, which is unusual.

According to an activity log obtained by Kaspersky Lab researchers during the investigation, attackers were able to obtain credentials that would allow them to control GSM cells in the network of a large cellular operator. This means that they could have had access to information about which calls are processed by a particular cell, redirect these calls to other cells, activate neighbor cells and perform other offensive activities. At the present time, the attackers behind Regin are the only ones known to have been capable of doing such operations. Regin was used to execute commands on 136 different GSM cells between April 2007 and May 2008, according to the log file Kaspersky found.

Currently, there are no reports on whether the Regin malware is able to penetrate 3G & 4G LTE networks as well.

Quick facts about the Regin malware according to Kaspersky Lab:

  • The main victims of this actor are: telecom operators, governments, financial institutions, research organizations, multinational political bodies and individuals involved in advanced mathematical/cryptographical research.
  • Victims of this actor have been found in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Syria and Russia.
  • The Regin platform consists of multiple malicious tools capable of compromising the entire network of an attacked organization. The Regin platform uses an incredibly complex communication method between infected networks and command and control servers, allowing remote control and data transmission by stealth.
  • One particular Regin module is capable of monitoring GSM base station controllers, collecting data about GSM cells and the network infrastructure.
  • Over the course of a single month in April 2008 the attackers collected administrative credentials that would allow them to manipulate a GSM network in a Middle Eastern country.
  • Some of the earliest samples of Regin appear to have been created as early as 2003.

Kaspersky Lab detected the malware in Malaysia, and a reliable source indicates that there was only a single victim: Telekom Malaysia (TM does not operate a GSM network). According to an anonymous source from Kaspersky Lab with whom MalaysianWireless communicated via email, the Regin malware was detected within Telekom Malaysia’s network in August 2014. The research team was unable to determine whether a customer’s PC or the operator itself was infected, but said that the threat was detected in an offline system, such as on a disk. No further details were provided as the investigations were ongoing.

MalaysianWireless was unable to obtain a comment from Telekom Malaysia, as all attempts to contact the Group’s Corporate Communication team were ignored.

As for the other Telcos in Malaysia, sources told MalaysianWireless that Maxis and Celcom are aware of the Regin malware and are taking all necessary actions to keep their mobile networks secure.

Although security companies have been aware of the Regin malware since 2003-2008, it was only revealed in a detailed report last week. First detailed by security and antivirus vendor Symantec, Regin is described by US-CERT as being able to “take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilisation”.

The highly customizable nature of Regin, which Symantec labeled a “top-tier espionage tool,” allows for a wide range of remote access Trojan capabilities, including password and data theft, hijacking the point-and-click functions of a mouse, and capturing screenshots from infected PCs. Other infections were identified monitoring network traffic and analyzing email from Exchange databases. It looks to be one of the most advanced pieces of super-spyware code yet found.

Symantec found that almost half of all infections targeted private individuals and small businesses (48%), followed by telecom companies (28%), hospitality (9%) and others.

In terms of geography, the Russian Federation accounted for 28% of the infections, followed by Saudi Arabia (24%), Mexico and Ireland (9% each), and India, Afghanistan and Pakistan (5% each).

US-CERT is recommending users and administrators implement and maintain antivirus software, and also keep their operating systems and application software up to date.

[Link] - Kaspersky Lab’s report on Regin Malware - GSM Networks

[Link] - Symantec’s report on Regin

About Kugan

Kugan is the founder of MalaysianWireless. He has been observing the mobile industry since 2003. Connect with him on Twitter: @scamboy