'

Regin nation state malware research revealed by security companies

Symantec wasn't the only company following Regin. Kaspersky and F-Secure have something to say about who was hit. Regin also spies on GSM cellular networks.

Following on the news from Symantec of Regin , a sophisticated and likely state-developed malware for powerful surveillance, Kaspersky has issued their own report. F-Secure has also revealed some of their findings.

The Kaspersky report entitled "The Regin Platform - Nation-State Ownership of GSM Networks" emphasizes a capability of Regin that Symantec also mentioned: It spies on GSM cellular networks. Inside one sample they found what "...appears to be an activity log on a GSM Base Station Controller." Kaspersky describes the information collected, including the usernames and passwords of some engineering accounts.

Kaspersky also describes some of the C&C (Command and Control) activity of Regin. Like everything else about it, the C&C is sophisticated and stealthy, but they identify four C&C server IP addresses; two in India, one in Taiwan and one in Belgium. The report also calls out the infections they found one specific Middle Eastern country. In this country:

...all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, an educational institution network and a bank.

F-Secure has added some information about Regin in their blog. Additionally, F-Secure's Mikko Hypponen says that they believe that Regin is the malware used to attack famed cryptographer Jean-Jacques Quisquater. At the time the source of the attack was rumored to be the NSA/GSCQ, but no real evidence was presented.

F-Secure doesn't know who wrote Regin, but says that they believe it is not coming from Russia or China. Kaspersky doesn't add much to the discussion of who is responsible, but they do add the graph below to show the development timestamps of the executables. These look roughly like the eastern US work day, but the information could be faked.

timestamps