
Regin: State-Sponsored Malware or Cybercrime?

December 1, 2014, by Pierluigi Paganini

Regin, a highly advanced spying tool

A few weeks ago, the security firm Symantec published the results of its investigation into the Regin backdoor, a highly advanced spying tool used in cyber espionage campaigns against governments, private companies, researchers, private individuals and infrastructure operators worldwide. Regin is considered much more than a highly sophisticated piece of malicious code; experts consider it a complex, modular hacking platform. The modular structure makes this malware a very flexible agent that operators can use to tailor a campaign to individual targets.

The analysis of Regin revealed that it has a degree of technical competence rarely seen. Security experts speculate that it has some resemblance to other state-sponsored malware like Flame, Duqu, and the popular Stuxnet.


The security community is unanimous: the effort spent developing the Regin backdoor was significant. Experts confirm that it would have taken months or years to complete.

As we will evaluate together, the complexity of the malware led researchers to believe that Regin was developed by a nation-state to spy on a wide range of international targets across several industries and to prepare further attacks. However, the problem of "attribution" for the creation of the spying tool is not easy to solve. Some illustrious security experts are convinced that the platform could have been developed by a criminal organization, and we'll see why.

For the record, the name Regin was assigned by Microsoft to describe the underlying Trojan.

The evasion technique

The experts at Symantec provided a detailed description of the complex evasion technique implemented by the authors of Regin, which allowed the backdoor to remain under the radar for a long time. The technique relies on a multi-stage process in which each stage is hidden and encrypted. Regin is structured into six stages, each of which is encrypted except for the first one, which is used to launch the initial loader. Executing the first stage triggers a domino chain: at each step a stage is decrypted and executed, and that stage in turn decrypts the next one, and so on.

Figure 1 - The stages of Regin (Symantec report)

"As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat," states the blog post from Symantec.

Figure 2 - Regin graphical representation of multi-stage evasion technique

Researchers have identified dozens of different payloads used by the Regin platform to spy on the targeted machine. Although the principal functions implemented by the authors cover common activities (i.e. stealing passwords, monitoring network traffic, capturing screenshots, seizing control of the target's mouse, and recovering deleted files), some payloads appear to be tailored to specific targets.

The analysis issued by Symantec reports a component designed to sniff the traffic of mobile telephone base station controllers and another designed to monitor the traffic of a Microsoft IIS server.

The method described allowed bad actors to operate in the shadows since 2008, and some researchers believe that Regin was active several years earlier. Regin is known to have been active until 2011; the malware resurfaced in 2013, when the researchers at Symantec detected it.

It is important to highlight that Regin likely has several more versions. According to Symantec experts, there may be versions prior to 1.0 and versions between 1.0 and 2.0.

"Essentially, what we think we're looking at is different campaigns where in one infection they needed to sniff your keyboard whereas in another infection they wanted to grab the user name and password of the admin connected to a base station controller," Liam O'Murchu, manager of operations for Symantec Security Response, reported to Ars. Below is the timeline published by Symantec.

  • Regin Version 1.0 appears to have been used from at least 2008 until 2011, when it appears to have been abruptly withdrawn from circulation.
  • Version 2.0 has been used starting from 2013.

Target profile

As explained in the introduction, Regin was used by threat actors to hack systems across several industries, including:

  • Government institutions
  • Multi-national political bodies
  • Telecom operators
  • Financial institutions
  • Research institutions and individuals involved in advanced mathematical/cryptographic research (e.g. the well-known Belgian cryptographer Jean-Jacques Quisquater).

The geographic distribution of the infections detected by the teams involved in the investigation is quite similar across reports. The Regin backdoor was discovered in several countries worldwide, but according to publicly available data there are no victims in the US, the United Kingdom (in fact, none of the Five Eyes countries appears among the targets) or Israel.

As explained by researchers at Kaspersky Lab, identifying infected machines is helped by the fact that, even after Regin is uninstalled, certain artifacts and infection markers remain on the systems. The Kaspersky Lab team has identified the infection in 14 countries.

Figure 3 - Geographical distribution of Regin victims (Kaspersky Lab report)

  • Algeria
  • Afghanistan
  • Belgium
  • Brazil
  • Fiji
  • Germany
  • Iran
  • India
  • Indonesia
  • Kiribati
  • Malaysia
  • Pakistan
  • Russia
  • Syria

The infections detected by Symantec were observed mainly in ten different countries. The largest shares of infections are in the Russian Federation (28 percent), Saudi Arabia (24 percent), Ireland (9 percent) and Mexico (9 percent).

Figure 4 - Backdoor Regin Geographic distribution (Symantec Report)

The analysis of the distribution of targeted industries reveals that Regin was used to compromise telecom backbones in 28 percent of the attacks, and that in 48 percent of the attacks the victims were private individuals and small businesses. The experts believe that the operators managing the cyber espionage campaign were interested in spying on specific customers of the targeted companies.

Figure 5 - Backdoor Regin targeted industries (Symantec Report)


The infection vector

There is no single infection vector for the attacks run by the threat actors behind the Regin campaign, the experts confirmed; in fact, the infection vector varies among the targets. According to Symantec, targets may be tricked into visiting spoofed versions of popular websites or compromised through a watering hole attack. On one computer, log files show that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit.

Researchers at Kaspersky, speaking about initial compromise and lateral movement, confirmed that there is no information regarding the exact method used for the initial compromise.

As explained in the Kaspersky report, several theories exist on the initial compromise, including the use of man-in-the-middle attacks in conjunction with browser zero-day exploits. "For some of the victims," the report adds, "we observed tools and modules designed for lateral movement."

The Regin backdoor implements a modular approach that makes the agent a versatile tool for a wide range of attacks against different targets. By loading a custom module tailored to a given target, the operators can compromise its systems. Some victims were targeted with Regin payloads that allowed the attackers to spread the agent to other systems in the targeted network. The replication modules are copied to and executed on remote computers using Windows administrative shares, a technique that requires administrative privileges inside the victim's network.

"In several cases the infected machines were also Windows domain controllers. Targeting of system administrators via web-based exploits is a simple way of achieving immediate administrative access to the entire network," states Kaspersky in its report.

The Regin backdoor used to compromise GSM networks

Security experts have elaborated different theories about the authors of the Regin backdoor, but one point is undisputed: the development of the Regin platform required a significant effort, given the level of complexity it shows.

According to the experts at Kaspersky, one of the most intriguing attacks carried out with the Regin tool is the infection of a large GSM operator. The GSM standard is still widely used worldwide, especially in Africa and the Middle East. By analyzing the activity log of a GSM base station controller while investigating an attack against a GSM operator, the researchers discovered that the bad actors had gained access to the GSM network.

The attackers stole the credentials needed to access the GSM network, and the intrusion allowed them to control GSM cells of a large operator.

The attackers had access to the overall information about the activity of the targets within the cells of the network. The threat actors could also use this access to perform offensive actions against the victims.

"The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations. In today's world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them to launch other types of attacks against mobile users," states the post on SecureList.

The researchers at Kaspersky revealed that in April 2008 the threat actors gained access to administrative credentials that would allow them to manipulate a GSM network in a Middle Eastern country. Another interesting feature implemented by the hackers concerns the control infrastructure used in the attack. The attackers avoided using a network of Command and Control servers directly linked to the infected machines; instead they used a P2P networking system in which each node of the architecture was one of the targeted systems, which normally communicated only with other compromised entities. The technique allows the attackers to remain under the radar for a long time.

"In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, educational institution network and a bank. These victims spread across the country are all interconnected to each other. One of the victims contains a translation drone which has the ability to forward the packets outside of the country, to the C&C in India. This represents a rather interesting command-and-control mechanism, which is guaranteed to raise very little suspicions. For instance, if all commands to the president's office are sent through the bank's network, then all the malicious traffic visible for the president's office sysadmins will be only with the bank, in the same country."
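The relay layout described in the quote above (victims that talk only to each other, with one "translation drone" forwarding traffic out of the country) has a recognizable shape in flow logs. The following is an added example, not code from the Kaspersky or Symantec reports: it scans constructed NetFlow-style records for an internal host that receives from several internal peers and is the only one among them with external egress. The address ranges, hosts and flows are all constructed for illustration.

```python
"""Spotting a peer-to-peer relay ("translation drone") in flow records.

Added example, not from the Kaspersky or Symantec reports. It models the
in-country P2P control layout described in the article and looks for the
relay node in NetFlow-style records. Every address and flow below is
constructed; the internal ranges stand in for "inside the country/org".
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: address blocks treated as internal (same country / organisation).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: (src, dst, dst_port, bytes_out)
FLOWS = [
    ("10.1.1.5", "10.2.2.9", 443, 1200),      # president's office -> bank
    ("10.3.3.7", "10.2.2.9", 443, 900),       # research centre -> bank
    ("10.4.4.2", "10.2.2.9", 443, 700),       # university -> bank
    ("10.2.2.9", "10.1.1.5", 443, 300),       # bank -> president's office
    ("10.2.2.9", "203.0.113.77", 443, 4100),  # bank -> external C&C (drone egress)
    ("10.4.4.2", "198.51.100.20", 80, 150),   # university browses the web directly
    ("10.1.1.5", "10.5.5.5", 445, 50),        # ordinary file-share traffic
    ("10.6.6.6", "198.51.100.20", 80, 200),   # normal web browsing, no internal peers
]


def is_internal(addr):
    """True if the address falls inside one of the constructed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_relay_candidates(flows, min_internal_peers=3):
    """Return internal hosts shaped like a relay: fed by at least
    min_internal_peers distinct internal sources AND sending to at least one
    external address. For each candidate, also list which of its internal
    peers never talk to the outside directly; those are the hosts whose
    admins would only ever see traffic to the relay, as the article notes."""
    inbound_peers = defaultdict(set)   # dst -> set of internal src hosts
    external_dsts = defaultdict(set)   # src -> set of external dst hosts
    for src, dst, _port, _nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound_peers[dst].add(src)
        elif is_internal(src):
            external_dsts[src].add(dst)

    candidates = {}
    for host, peers in inbound_peers.items():
        if len(peers) >= min_internal_peers and external_dsts.get(host):
            candidates[host] = {
                "peers": sorted(peers),
                "egress": sorted(external_dsts[host]),
                "peers_without_egress": sorted(p for p in peers if not external_dsts.get(p)),
            }
    return candidates


if __name__ == "__main__":
    for host, info in find_relay_candidates(FLOWS).items():
        print(f"relay candidate {host}: egress to {info['egress']}")
        print(f"  fed by {info['peers']}")
        print(f"  peers with no direct egress: {info['peers_without_egress']}")
```

The threshold and the "internal" ranges are the tunable parts; on real flow data the check belongs alongside volume and timing baselines, since a legitimate proxy has the same shape.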

The Regin backdoor allowed the bad actors to issue several commands to the base station controller, including listing the current call forwarding settings of a Mobile Station and stopping cells in the GSM network.

Figure 6 - P2P control infrastructure uncovered by the Kaspersky team

Cybercrime or state-sponsored hacking campaign?

Symantec reported in its analysis that the development of Regin required a significant effort, and many experts immediately accused a Western intelligence agency of being behind the massive espionage campaign. As we will see shortly, there are also other illustrious opinions on the case; part of the security community considers that, at this stage, it is not possible to exclude that Regin is the product of cybercrime.

Regin linked to US and British intelligence

A post published on The Intercept website states that the Regin attack platform is a technology developed by U.S. and British intelligence agencies, according to security industry sources and technical analyses conducted by The Intercept itself.

Ronald Prins, the security expert at Fox-IT who was hired to remove the malware from Belgacom's networks, told The Intercept that Regin is "the most sophisticated malware" he had ever analyzed. The expert also hypothesized that British or US intelligence may have created Regin.

"Having analyzed this malware and looked at the [previously published] Snowden documents," Prins said, "I'm convinced Regin is used by British and American intelligence services."

Figure 7 - Prins's Tweet on the Regin case

Prins confirmed his conviction that the NSA and GCHQ are behind Regin; he highlighted that UNITEDRAKE and STRAIGHTBIZARRE are codenames of NSA programs, according to Snowden's leaked documents. "While those codenames are not mentioned in the malware," Prins confirmed that their description in the Snowden documents matches "the functionality of parts of the Regin framework."

The Intercept reports that the GCHQ intelligence agency gained access to Belgacom's internal systems in 2010 by targeting engineers at the company.

The operation was code-named Operation Socialist, and GCHQ placed malware "implants" on the staff computers by hijacking their Internet connections to a bogus LinkedIn page. The page was used by the attackers to serve malware that gave the spies total control of the targeted systems.

"The implants allowed GCHQ to conduct surveillance of internal Belgacom company communications and gave British spies the ability to gather data from the company's network and customers, which include the European Commission, the European Parliament, and the European Council. The software implants used in this case were part of the suite of malware now known as Regin."

Based on the investigation of the Regin samples, the experts suspect that it was developed over the course of more than a decade. The Intercept has identified traces of its components dating back as far as 2003.

Both GCHQ and the NSA declined to comment on the report published by The Intercept.

Is it possible to attribute the Regin backdoor to cybercrime?

At this stage it is nearly impossible to attribute the development of the Regin malware precisely to a specific category of threat actors. Until now we have discussed the possible involvement of a government in its design, but there are also cyber security experts who haven't excluded other hypotheses.

I have contacted one of the best-known security researchers in the world, Raoul Chiesa, who is President and Head of the Information Superiority for MoD Unit at Security Brokers and advisor to several institutions, including UNICRI and ENISA, and a member of the board of directors of ISECOM, CLUSIT and OPSI-AIP.

I asked Raoul to share his view of the Regin case and to explain how it is possible to speculate about the involvement of cybercriminal organizations.

Figure 8 - Raoul Chiesa

Pierluigi: Hi Raoul, you have declared that Regin could be the product of a criminal organization. In your opinion, which are the elements that distinguish the Regin platform from others identified in the past, such as Flame or Duqu?

Raoul: As usually happens in these cases, there aren't sufficient elements at this stage to express an objective judgment. In several interviews I gave to media agencies, I highlighted that, in my humble opinion, Regin seems a product of organized crime rather than intelligence.

Given this, it is important to analyze two aspects of my comment: first, the fact that Regin also implements a credential stealing functionality that allowed attackers to siphon login credentials for social networks (and this can be part of intelligence information gathering), but also for online banking services. In this second case, the most plausible scenario is obviously cybercrime. Second, the reference to the telecommunication companies (mobile operators): I have been conducting penetration tests for 20 years, I'm a member of the TSTF (Telecom Security Task Force) and I have a deep knowledge of the complexity of a mobile infrastructure. I think that it is not possible to automate an attack against these systems; it could result [in being] too complex due to the presence of Network Elements produced by different vendors.

In several cases, when specific industries are targeted, spear phishing is an evergreen attack vector. With a spear phishing attack, hackers can compromise a machine inside the targeted infrastructure to move the attack from the workstation usually used by an OSS operator. But, again, automating the data exfiltration is really too complicated. Let's think of billing (CDR, Call Detail Records), which is also the privileged target of an intelligence agency. In a complex infrastructure, the overall operations are the result of activities executed by software from different vendors and the integration of a large number of complex Database Management Systems.

I read many posts that compared Regin to Stuxnet; well, even if it can seem absurd, a Telco infrastructure is much more complex than the systems within an energy plant. Consider also that the SCADA world is still more insecure [than] telecommunications, despite [the fact that] the number of zero-days specific to Telco equipment is very high.

Analyzing the Regin case, it could be very interesting to understand if the targeted mobile operators were using the same technologies for their network infrastructure. This would be a first important factor for a serious assessment.

Pierluigi: The reports published by Symantec and Kaspersky highlight the high level of complexity of the Regin malware. Another element [that is] very unusual is the attack against the GSM infrastructure. Assuming that there is a criminal organization behind Regin, [what] are their means and resources? In my experience, probably only the RBN (Russian Business Network) was able to support a huge investment in research and resources like the one behind Regin. Do you think that there is a new, similar organization in the wild?

Raoul: Well Pierluigi, I'm currently at the Defcam, where I had the opportunity to speak with my friend and colleague Mika Lauhde of the ENISA PSG, and former Global Chief Security Officer at Nokia. Mika told me that some confidential sources from an important antivirus vendor revealed that they had discovered traces of Regin in 2003 and in 2005, and after 2005 it disappeared.

This information changes my point of view and [leads] me to think that Regin is probably a product of the intelligence [community] instead [of] cybercrime.

Regarding your question, as you correctly said, the RBN was a really complex organization, flexible and with significant financial resources. The security landscape has completely changed since the alleged disappearance of the RBN. Today the intelligence agencies have a primary interest in mobile operator data. In this sense, I can agree with those experts who consider Regin a product of the intelligence [community]. Mobile operators are a privileged target for the intelligence [agencies]. Today everyone has a mobile phone that collects his data, that has information on his social network and contacts, that traces his position everywhere he goes.

To gain access to the CDR, to the billing, to the SMS is nearly "priceless", but the investments are impressive. But here is the concretization of my thought: why such huge investments to automate a hacking platform that needs to be tailored every time?

It is more convenient for the attackers to use a dedicated team of hackers that operates manually in a stealthy way and that is able to exfiltrate just the data the intelligence agencies need. Automated attacks are surely noisier than tailored operations.

Speaking with Mika, I got information about other factors that suggest the involvement of a government, but I cannot disclose further data. As I told you, the information led me to believe that Regin was designed by an intelligence agency, probably the US one.

If the news [is confirmed] that the first traces of Regin were dated 2003 and 2005, well, I was not aware of cybercriminal gangs [being] active for so long.

I would like to do other assessments, [like] the SO-CALLED "object of interest", which is not 'just' data of Telco companies, but also financial. But as I said, to date I cannot say more because I signed an "NDA from Gentlemen's Agreement".

Pierluigi: Raoul, it's my opinion that we run the serious risk that an incorrect attribution could trigger a series of diplomatic crises and hacking campaigns in cyberspace that could destabilize some balances. I have seen too many experts express too hasty a judgment on Regin. What is your opinion?

Raoul: You are right. When experts express their opinion too hastily, not specifying that they are making hypotheses on the events (as I showed myself with ANSA and other media), [it] is dangerous. I made clear that attribution is the greatest difficulty when it comes to data breaches, malware and any other kind of cyber attack.

Let's see what will happen. I do not care to "be right" or not; I consider it important to avoid spreading wrong alarms, and that every scenario, every threat actor and every motivation behind the attack must be carefully analyzed.


Let me close the post with the consideration made by Costin Raiu, Director of the Global Research & Analysis Team at Kaspersky Lab, who invited everyone to be more cautious, warning that "on the Internet, attribution can very easily fail and false flag operations are quite common."

The investigations are still ongoing. Researchers at Symantec, for example, are aware of only about 100 infections, but such a powerful platform was surely used in a larger number of targeted attacks still uncovered. The researchers have not yet analyzed any of the Command and Control servers the attackers used. Knowledge of the control infrastructure would provide the experts with a huge quantity of data that could support further analysis.

Stay tuned for further information.


Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.