Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

No ordinary mobile attack: The Regin menace

Kim Crawley | Dec. 4, 2014
When you read about security attacks involving mobile network technology, typically they're incidents that target mobile devices used by consumers.

Regin: The GSM Cyberespionage System

It appears that the intended targets of Regin are mainly GSM cellular networks, to spy on governments, scientific research institutions, corporations, and private individuals. The majority of the world's cell networks use GSM. By entering Windows machines that are front-ends of GSM infrastructure, Regin has been able to incur immense cyberwarfare activity.

Kaspersky believes that Regin's name comes from reversing "in reg," as in, in the Windows registry. I really wish Windows wasn't deployed as a GSM network front-end, or in any SCADA system. I would deploy GNU/Linux or BSD/Unix based operating systems instead. There's a much greater diversity of Linux and Unix-based OSs than Windows, so targeting any particular vulnerability will only affect a percentage of operating systems of a certain platform, instead of most or all of them. Microsoft developers also integrate libraries way too much for my liking, *nix libraries tend to be much more isolated, affecting fewer applications and components.

As so many of the world's cellular networks are GSM, mobile devices used by all kinds of individuals with access to highly classified data can be attacked. And as Regin operates in GSM infrastructure, it doesn't matter if a target's phone or tablet runs iOS, Android, Windows Phone, or BlackBerry.

The earliest attacks that we're certain are Regin date back to 2008, even though suspected Regin attacks may be as old as 2003. Regin has evolved over the years, and keep in mind that it's a complete cyberattack platform, not a single piece of malware. The most recent versions of Regin have been identified since 2013, the latest cycle.

Because of the sophistication of Regin, and how very expensive it probably is to develop and deploy, it's probably the project of a nation's military cyberwarfare division. My gut tells me it's likely the Chinese government, although there's no evidence of that yet. China and Russia are the usual international cyberwarfare suspects, and Russian networks have been attacked by Regin, with no evidence of Chinese networks having been attacked. If Regin's source turns out not to be China, then Chinese GSM networks have been attacked and we don't know it due to their possible secrecy.

If you operate a Windows GSM network front-end, Kaspersky and Symantec's signatures can now identify many Regin backdoors for stage one.

But Regin components evolve so quickly, and so much of Regin's malware is still unknown. So there are probably still many zero-day Regin attacks in the future. If your Windows machines don't operate GSM networks, Regin may not be targeting them, as its payload seems to target GSM infrastructure for the most part. I predict that UMTS, CDMA and other non-GSM cellular networks may be targeted by new specific versions of Regin in the near future.


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.