Regin spying tool linked to NSA among first malware meant for espionage
Security researchers turned up new evidence that Regin, the sophisticated surveillance malware linked to the NSA, may be one of oldest specimens of its ilk.
JERUSALEM — The malware known as Regin – linked to the National Security Agency as a tool for tapping mobile phone networks and infiltrating foreign computer systems – now appears to have been developed as early as 15 years ago, making it among the first major pieces of invasive computer software built to enable government espionage.
The program was revealed last month in reports from security companies Kaspersky Lab and Symantec Corp. Soon thereafter, The Intercept published new leaks from NSA whistleblower Edward Snowden that shed light on how programs such as Regin (pronounced Re-gen) were used to collect sensitive, technical information on more than 70 percent of the world’s cellular networks.
Between the Snowden documents and the disclosures from computer security professionals about Regin, for the first time researchers think they’ve linked NSA wiretapping operations to the particular tool the agency used to accomplish it, caught in the act invading a foreign cellular network.
“This is the first time we’ve seen it for real with our own eyes. For us it was pretty surprising,” says Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team.
The NSA’s vast surveillance practices – stockpiling of phone records, recording text messages, listening in on conversations of foreign heads of state, tapping into global fiber optic communications -- began to be revealed a year and a half ago when the Snowden documents emerged.
Now, analysis of the Regin malware provides rare insight into how such extensive hacking and wiretapping was accomplished.
How Regin Works
Regin is not just a worm or a virus, but a malware platform, which can host many different types of attacks. It was built for stealth and flexibility and has been found on computers around the world, serving many different purposes.
Both Kaspersky Lab and Symantec judged Regin to not only be the work of a nation-state, but also one of the most sophisticated, if not the most sophisticated, pieces of malware in existence. Both companies also specifically noted that Regin was used against telecommunications companies and infrastructure (in addition to a variety of other targets).
The precise way that Regin enters a computer system is still unknown, but it may involve visiting spoofed versions of well-known websites or a backdoor through an application. According to Symantec, in one case log files showed that Regin got in through an unknown exploit in Yahoo! Instant Messenger.
Once inside, Regin is capable of utilizing a wide range of tools for surveillance or gaining administrative control. In one particularly telling example, Kaspersky Lab caught the malware’s operators hacking a GSM Base Station Controller in an unnamed Middle Eastern country.
The GSM network is what allows a mobile phone in Norway to call another phone in Indonesia or Mongolia or Mexico. Each local phone company follows a common set of standards determined by the GSM Association based in London and the network extends to more than 219 countries and more than 3.2 billion mobile phone users worldwide. GSM Base Station Controllers are the central hubs that pool signals from an area’s antennas and connect them with the rest of the world.
According to the log Kaspersky obtained, between April and May in 2008, the malware’s operators activated a sniffer, which is a piece of software capable of collecting the usernames and passwords of administrators of that Base Station Controller.
At the same time, the sniffer was recording commands, which Kaspersky believed to be from a mix of sources, some issued by real network administrators and some by the Regin operators. Once all the administrators’ details had been collected, the sniffer went silent.
Costin Raiu clarified that this likely wasn’t an isolated incident. “This could be one of many,” he said. “Maybe they were doing the same thing everywhere but this is the only incident we were lucky enough to observe and get a sample of.”
This marks the first time that governmental wire-tapping of the global cellular network has actually been caught out in the wild, rather than simply exposed by a leaked document.
During the course of their analysis, researchers were also surprised by how long the malware appears to have been operating.
When Kaspersky’s report was first published on Nov. 24, they mentioned having found timestamps (encoded information in a program identifying when an event occurred) that go as far back as 2003. In the weeks since the report was published, they’ve managed to find another timestamp from 1999.
In network security, 15 years is a very long time for a piece of malware to survive undetected, although Regin has also been updated multiple times with newer, more advanced modules.
How Regin is connected to the NSA and GCHQ
Researchers have made two strong connection that tie Regin to spying operations mentioned in the Snowden documents.
In 2013, The Intercept and Germany's Der Spiegel first revealed separate attacks against Belgacom, a Belgian telecommunications company, and the European Union offices in Brussels. Fox IT, an IT security firm that counts Belgacom among its customers, and technical experts working with Glenn Greenwald made the connection to Regin.
A security analyst for Fox IT was quoted by The Intercept saying, “having analyzed this malware and looked at the [previously published] Snowden documents, I’m convinced Regin is used by British and American intelligence services.”
There are clues in Regin’s code as well.
There were a number of mistakes left behind in the code by Regin’s creators that carry a clear implication. These findings strongly imply that Regin was made in a joint effort by the NSA and its British counterpart, the GCHQ.
According to Kaspersky Lab, although mistakes are rare, they do happen. An English-language expletive appears in many places throughout the code. Also, a few revealing internal codenames were left behind, including “U_STARBUCKS” and “LEGSPINv2.6” (leg spin is a cricket term similar to a curveball in baseball.)
The timestamps documenting when individual sections of code were created – largely between 10 a.m. and 9 p.m. GMT – reflect American and British working hours as well. It is possible to fake these details, of course, but Raiu of Kaspersky thought that was unlikely in this case given how long the malware has been active.
“We have seen false flag operations for sure,” he says. “Different threat actors deploying malware let’s say from the other side of the world to confuse the people doing the incident response. It’s absolutely normal, especially recently. But a couple of years ago nobody cared about such things … in the very, very early days of malware people didn’t really care too much about leaving traces. Even nowadays many people don’t care.”
Sometimes it's difficult to tell whether information left behind in code is meant to throw off investigators, says Raiu. But he says, "In this case, it’s more likely that most of these timestamps are real.”
What the NSA and GCHQ can do with Regin
The key piece of evidence in the recent Snowden disclosures is a PDF of presentation slides. The slides look remarkably mundane, similar to the kind of buzzword-laden Powerpoint any large corporation might produce. But the information inside is revealing.
They detail the efforts of the working group AURORAGOLD, a team within the NSA that focused on global cellular networks. The slides indicate that, as of May 15, 2012, AURORAGOLD had successfully compiled the necessary specs on 701 out of an estimated 985 total global cellular networks, including networks in almost every country on Earth.
That information can be used to track specific targets around the world, storing their calling records, conversations, messages and location data. Given that there are more than 3.2 billion mobile phone users on the GSM system, this means that the cellular networks of roughly 2.3 billion people worldwide are vulnerable to NSA eavesdropping and exploitation.
The GSM system was intentionally constructed to allow Base Station Controllers certain privileges that would help local law enforcement. This is how police are able to track down criminals by their phones or prove that someone was texting while driving.
According to Lawrence Harte, an expert on GSM and mobile communications, an intelligence agency that has gained access to a Base Station Controller would be able to utilize all of those privileges directly without going through the proper channels.
This includes the ability to add third-party recording devices to calls without the speakers being aware of it, to re-direct calls, to read text messages, and to find a cellphone user’s location. Regin’s operators would likely have been capable of any of these actions.
Raiu mentioned another possibility, one that he considered even more dangerous. “The scariest is to shut down the whole GSM network – login and shutdown all the towers that the base station controller can access," he says.
How spy agencies maintain their advantage
For decades now the NSA and the GCHQ have been trying to keep the cryptography protecting the GSM system, and commercial cryptography in general, as weak as possible, according to Ross Anderson, Cambridge University’s Head of Cryptography and a professor in Security Engineering at the Cambridge Computer Laboratory,
Mr. Anderson says that the western governments wanted to make sure the encryptions were never so strong that they would be unable to crack them. They’ve also made efforts to ban public and academic cryptography research, he says. At one point, according to Anderson, when public key cryptography was first invented, the NSA even tried to insist that all cryptography be classified as strictly as atomic research.
In the AURORAGOLD documents it is revealed that, in addition to storing information on the specific types of equipment and security used by cellular companies around the world, US Intelligence has been intensively monitoring the GSM Association, as well as other sectors of the telecommunications industry, trying to stay ahead of whatever new encryptions or safeguards might be put in place in the future.
When contacted by The Christian Science Monitor, the NSA declined to comment on the article.
A GCHQ spokesperson provided this statement: “It is a longstanding policy that we do not comment on intelligence matters. Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee.”