The layers of the Regin cyber-attack platform are just beginning to be pulled back. One of those layers gives attackers the means to penetrate and monitor GSM base station controllers.
GSM (Global System for Mobile Communications) is a widely used standard for mobile networks. As part of its investigation, Kaspersky Lab examined the activity log of a GSM base station controller and discovered that attackers were able to obtain credentials that would allow them to control GSM cells in the network of a large cellular operator.
This means the attackers could have had access to information about what calls are being processed by a particular cell, redirect those calls to other cells, activate neighbor cells and perform other offensive actions, the researchers found. According to Kaspersky Lab, no other attacks are known to have been capable of those types of operations.
"The ability to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations," the Kaspersky Lab researchers note in a whitepaper describing the platform. "In today’s world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, other parties can hijack this ability and abuse it to launch different attacks against mobile users."
Over the course of a single month in April 2008, the attackers collected administrative credentials that would allow them to manipulate a GSM network in a Middle Eastern country. Regin allowed the attackers to issue a number of commands on the base station controller, including: 'rxmop', which enables them to check the software version type; 'rxmsp' to list the current call forwarding settings of the Mobile Station; and 'rlstc' to stop cells in the GSM network.
"In total, the log indicates that commands were executed on 136 different cells," according to Kaspersky Lab's Global Research and Analysis Team (GReAT). "Some of the cell names include "prn021a, gzn010a, wdk004, kbl027a, etc...". The command log we obtained covers a period of about one month, from April 25, 2008 through May 27, 2008. It is unknown why the commands stopped in May 2008 though; perhaps the infection was removed or the attackers achieved their objective and moved on. Another explanation is that the attackers improved or changed the malware to stop saving logs locally and that's why only some older logs were discovered."
According to Kaspersky Lab, the attackers behind the platform have compromised computer networks in at least 14 countries around the world, including Iran, Russia and Germany.
More than half of the infections found by Symantec are in the Russian Federation (28 percent) and Saudi Arabia (24 percent). The primary victims uncovered so far include governments, financial institutions, telecom operators, research organizations, multinational political bodies and individuals involved in advanced mathematical/cryptographical research.
According to Symantec, 48 percent of the victims they observed were private individuals and small businesses. Twenty-eight percent were telecoms.
Researchers at Symantec say Regin has been active since at least 2008, with the earliest version the company is aware of being used between 2008 and 2011. A second version has been used from 2013 onwards, though it may have been used earlier. Both firms are still looking for the attack vector the hackers used initially to get in.
"The exact method used for the initial compromise remains a mystery, although several theories exist, including use of man-in-the-middle attacks with browser zero-day exploits," according to Kaspersky Lab's whitepaper. "For some of the victims we observed tools and modules designed for lateral movement."
"So far," the paper continues, "we have not encountered any exploits. The replication modules are copied to remote computers using Windows administrative shares and then executed. Obviously this technique requires administrative privileges inside the victim’s network. In several cases the infected machines were also Windows domain controllers. Targeting of system administrators via web-based exploits is a simple way of achieving immediate administrative access to the entire network."