Symantec Inc.'s discovery of the Regin malware, part of a long-term nation-state-sponsored cyberespionage campaign,...
has already been compared to the likes of Stuxnet and Flame, two of the most sophisticated pieces of malware ever created. While the expertise needed to create Regin is unquestioned, security industry observers say Regin again proves that more organizations and vendors need to be focused on threat detection rather than prevention.
Symantec's technical analysis of Regin, released late last week, exposed a malware platform that is both powerful and highly customizable. The first version of Regin was used since at least 2008 until 2011, according to Symantec's analysis, while a second version was spotted in 2013.
As a modular malware platform, Regin contains a number of components that rely on each other to function. This design allows attackers to deploy a number of different payloads depending on specific targets and situations. Symantec said the multi-stage loading architecture, which is similar to that of Stuxnet and Duqu, made it difficult to analyze Regin as not all of the malware's components were available at the same time.
And unlike many other advanced persistent threats (APTs), which are typically focused on collecting valuable intellectual property, Symantec's paper indicates that Regin is unique because it is geared toward collecting a variety of nonspecific data and monitoring individuals or organizations for lengthy periods.
"Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen," wrote Symantec's security response team in a blog post. "It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks."
Regin: Who is responsible?
Regin infections have largely struck organizations in Russia and Saudi Arabia, with less than a handful of Western countries among those targeted. The location of the targets has led many industry observers to link Regin to operations carried out by the U.S. and Israeli governments, both of which were also cited as being responsible for the Stuxnet attacks against nuclear facilities in Iran, though neither government has taken responsibility.
New evidence emerged Monday that Regin may have been used by U.S. and United Kingdom intelligence agencies as far as back as 2010. Previous leaks from former NSA contractor Edward Snowden linked Britain's Government Communications Headquarters with a covert mission named Operation Specialist, which targeted Belgium-based telecom Belgacom with malware that allowed agents to gather data on the company's customers and internal corporate communications.
Symantec Regin white paper
"Regin has a six-stage architecture. The initial stages involve the installation and configuration of the threat’s internal services. The later stages bring Regin's main payloads into play. This section presents a brief overview of the format and purpose of each stage. The most interesting stages are the executables and data files stored in Stages 4 and 5. The initial Stage 1 driver is the only plainly visible code on the computer. All other stages are stored as encrypted data blobs, as a file or within a non-traditional file storage area such as the registry, extended attributes, or raw sectors at the end of disk."
The malware used against Belgacom, which was unknown at the time, was later identified as the same seen in NSA operations carried out against multiple countries in the European Union. Ronald Prins, founder and CTO of Dutch consultancy Fox-IT Security, the firm tasked with cleaning the malware from Belgacom's networks, said in an interview with the The Intercept that the malware is the most sophisticated he had ever come across, and drew conclusions as to its creators.
"Having analyzed this malware and looked at the Snowden documents," Prins told The Intercept, "I'm convinced Regin is used by British and American intelligence services."
How Regin avoided detection
Regin stands out not just for its sophisticated feature set, but also for remaining previously undetected for at least half a decade. Just how was the malware able to stay off the radars of security vendors and professionals, some of which are specifically tasked with finding and analyzing such threats?
Though Symantec first announced Regin's existence last week, Big Yellow, Microsoft and F-Secure all admit to first identifying components of Regin as early as 2009, causing some to speculate that either antimalware vendors deliberately chose not to reveal Regin to the public or for a long time simply did not know what they had.
Mark Gazit, CEO of critical infrastructure protection firm ThetaRay, based in Israel, said that Regin's command-and-control (C&C) infrastructure was key to avoiding detection. Regin relied on legitimate communication channels such as embedded commands in HTTP cookies and custom TCP and UDP protocols, Gazit noted, which are beneficial for attackers trying to hide malicious activity. An organization would need to be able to view all of the data's features and analyze it simultaneously to determine that something was amiss.
Just as important, Gazit said that Regin's modular nature helped avoid detection as the attackers behind it could customize the malware to specific targets. While so many security products still rely on signatures for detection, even small modifications in malware code can help bypass the technologies that many organizations rely on to spot attacks.
"This modularity further explains why off-the-shelf security did not expose Regin," said Gazit. "The fact that attacks are becoming this intricate is worrying and calls on innovation to conceptualize new security that can uncover complex attacks like Regin within minutes, instead of months or years."
Ian Amit, vice president of security startup ZeroFox, based in Baltimore, pointed to Regin's "Russian-doll" architecture as one way the malware was able to stay hidden on organizations' networks. Regin employed a total of six stages, not including an as-yet-unidentified dropper, to infect targeted machines. Initial stages serve to extract, install and run kernel drivers for the third stage, during which Regin's actual functionality is exported.
The malware's main payload isn't even loaded until its fifth stage, meaning the initial infection may take place much earlier. Amit added that the use of encryption by Regin's author for multiple stages of the deployment also puts endpoint security and other detection technologies at a disadvantage.
"Regin highlights the need for better operational security as part of an organization's risk management [approach]," said Amit via email. "Both the ability to minimize attack surfaces that leverage the human element and the capability to monitor changes over a long period of time are critical to dealing with persistent threats."
Regin: An enterprise concern?
While the malware has been used to target government agencies in countries such as Russia, Saudi Arabia and Mexico, experts cautioned that Regin -- or at least elements of it -- could make its way to more Western countries in the future.
Chris Messer, vice president of technology for Coretelligent, based in Needham, Mass., said that while Regin does not pose a threat to the U.S. government or U.S.-based businesses at the moment, the malware could always be reverse-engineered by other countries and used to steal sensitive info.
"It's naïve to think that these tools couldn't be easily re-purposed or re-deployed against our allies," said Messer, "or even against individual business leaders, political targets or citizens."
ThetaRay's Gazit agreed that Regin could be reverse-engineered by attackers capable of cutting and pasting their own modules onto the platform, though "average hackers and cybercriminals" will unlikely be able to understand the sophisticated code at the moment.
Still, much as the case was in the wake of Stuxnet and Flame, Gazit said that individual features could trickle down to everyday exploit kits over time. One such feature, Gazit added, is the infection method used by Regin. To download modules onto an infected system, Regin creates a simple backdoor and then connects users to a fake LinkedIn page, which would not trigger security alarms within most organizations. Regin can then download a payload from the malicious page.
"For cybercriminals, seeing high conversion rates, as in machines that deploy the infection properly, is always a numbers game they are striving to improve," said Gazit. "So this would be the type of Regin feature they would likely try to work into their own codes."
Nation-state hacking affects nations all around the world. Read our coverage of the recent White House hacks to see how Western countries are targeted.