Is it possible to attribute the backdoor Regin to the cybercrime?

Pierluigi Paganini December 01, 2014

The popular cyber security expert Raoul Chiesa commented the hypothesis that backdoor Regin is a product of organized cybercrime.

Excerpt from a detailed analysis published on the Infosec Institute

In this phase it is quite impossible to attribute precisely the development of the Regin malware to a specific category of threat actors. Until now we have discussed about a possible involvement of a government in its design, but there are also cyber security experts that haven’t excluded other hypotheses.

I have contacted one of the most popular security researcher in the world, Raoul Chiesa, which is President, Head of Information Superiority for MoD Unit at Security Brokers and advisor to several Institutions, including UNICRI, ENISA and member of the board of Directors for ISECOM, CLUSIT, OPSI-AIP.

I asked to Raoul to share with me his vision on the Regin case trying to explain how it is possible to speculate on the involvement of cybercriminal organizations.

chiesa on Regin

Pierluigi: Hi Raoul, you have declared that Regin could be the product of a criminal organization. In your opinion, which are the elements that distinguish the Regin platform from other identified in the past, as Flame or Duqu?

Raoul: As usual happen in these cases, there aren’t sufficient elements in this phase to express an objective judgment. In several interviews that I released to the media agencies, I have highlighted that in my humble opinion Regin seems a product of the Organized Crime rather than Intelligence.

Given this, it is important to analyze two aspects of my comment:  first, the fact that Regin also implements a credential stealing functionality that allowed attackers to syphon login credentials for social networks, and this can be part of Intelligence information gathering, but also for online banking services. In this second case, the scenario most plausible is obviously the cybercrime.

Second, the reference to the telecommunication companies (mobile operators): I’m conducting penetration tests for 20 years, I’m a member of the  TSTF (Telecom Security Task Force) and I have a deep knowledge of the complexity for a mobile infrastructure. I think that it is not possible to automatize an attack against these systems, it could result too complex due to the presence of Network Elements produced by different vendors.

In several cases, when specific industries are targeted, spear phishing is an evergreen attack vector. With a spear phishing attack hackers can compromise a machine inside the targeted infrastructure to move the attack from the workstation usually used an OSS operator.  But, again, automate the data exfiltration is really too complicated. Let’s think to the billing (CDR, Call Detail Records), which is also the privileged target of an intelligence agency, in complex infrastructure the overall operations are the result of activities executed by software from different vendors and the integration of a large number of complex Database Management Systems.

I read many posts that compared Regin to Stuxnet, well, even if it can seem absurd, a Telco infrastructure is much more complex than systems within an energy plant, consider also that the “SCADA word” is still more insecure of the telecommunication industry, despite the number of zero-day specific for Telco equipment is very high.

Analyzing the Regin case it could be very interesting to understand if the targeted mobile operators were using the same technologies for their network infrastructure. This would be a first important factor for a serious assessment.

Pierluigi: The reports published by Symantec and Kaspersky highlights the high level of complexity of the Regin malware, another element very unusual is the attack against the GSM infrastructure. Assuming that there is a criminal organization behind Regin, which are their means and resources? In my experience probably only the RBN (Russian Business Network) was able to support a huge investment in research and resources, like the one behind Regin. Do you think that there is a new similar organization in the wild?

Raoul: Well Pierluigi, I’m currently at the Defcamp where I had the opportunity to speak with my friend and colleague Mika Lauhde at ENISA PSG, and former Global Chief Security Officer at Nokia.
Mika told me that some confidential sources from an important Antivirus vendor, revealed that they have discovered traces of Regin in 2003, in 2005, e and after 2005 it disappeared.

This information changes my point of view and let me think that Regin is a probably a product of the Intelligence instead the cybercrime.

Regarding your question, as you correctly said, the RBN was a really complex organization, flexible and with significant financial resources. The security landscape is completely changed since the alleged disappearance of the RBN, today the Intelligence Agencies have a primary interest in mobile operator data. In this sense, I can agree with those experts that consider Regin as a product of the Intelligence, mobile operators are a privileged target for the Intelligence, today everyone has a mobile phone that collects his data, that has information on his social network and contacts, that traces his position everywhere he goes.

Gain the access to the CDR, to the billing, to the SMS is nearly “priceless”, but investment are impressing.  But, here there is the concretization of my thought, why so huge investments to automate a hacking platform that needs to be tailored every time?

It is more convenient for the attackers use a dedicated team of hackers that operates manually in stealth way and that is able to exfiltrate just the data the Intelligence agencies need.
Automated attacks are surely more noisily than tailored operations.

Speaking with Mika I had information about other factors that suggests the involvement of a government, but I cannot disclose further data. As I told you the information let me to believe that Regin was designed by an Intelligence agency, probably the US one.

If confirmed the news that the first traces of Regin was dated 2003 and 2005, well, I was not aware of cyber criminal gangs active for so long.

I would like to do other assessments, linked the SO-CALLED “object of interest”, which is not ‘just’ data of Telco companies, but also financial. But as I said, to date I cannot say more because I signed an “NDA from Gentlemen’s Agreement”.

Pierluigi: Raoul, it’s my opinion that we run the serious risk that an incorrect attribution can trigger a series of diplomatic crisis and hacking campaigns in the cyberspace that can destabilize some balances. I have seen too many experts to express too hasty judgment on Regin. What is your opinion?

Raoul: You are right. When experts express their opinion too hasty, not specifying that they are making hypotheses on the events (as I showed myself with ANSA and other media), is dangerous. I made clear that the Attribution is the greatest difficulty when it comes to date breaches, malware and any other kind of cyber attack.

We let’s see what will happen. I do not care to “be right” or not, I consider important to avoid spreading wrong alarms and that every scenario, every threat actor and every motivation behind the attack must be carefully analyzed.

The detailed analysis is available on the Infosec Institute

Pierluigi Paganini

(Security Affairs –  Regin, Intelligence)

you might also like

leave a comment