Connect with us

Hi, what are you looking for?


Malware & Threats

‘Regin’ Attack Platform Targeted GSM Networks

The layers of the Regin cyber-attack platform are just beginning to be pulled back. One of those layers gives attackers the means to penetrate and monitor GSM base station controllers.

The layers of the Regin cyber-attack platform are just beginning to be pulled back. One of those layers gives attackers the means to penetrate and monitor GSM base station controllers.

GSM (Global System for Mobile Communications) is a widely used standard for mobile networks. As part of its investigation, Kaspersky Lab examined the activity log of a GSM base station controller and discovered that attackers were able to obtain credentials that would allow them to control GSM cells in the network of a large cellular operator.

This means the attackers could have had access to information about what calls are being processed by a particular cell, redirect those calls to other cells, activate neighbor cells and perform other offensive actions, the researchers found. According to Kaspersky Lab, no other attacks are known to have been capable of those types of operations.

“The ability to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations,” the Kaspersky Lab researchers note in a whitepaper describing the platform. “In today’s world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, other parties can hijack this ability and abuse it to launch different attacks against mobile users.”

Advertisement. Scroll to continue reading.

Over the course of a single month in April 2008, the attackers collected administrative credentials that would allow them to manipulate a GSM network in a Middle Eastern country. Regin allowed the attackers to issue a number of commands on the base station controller, including: ‘rxmop’, which enables them to check the software version type; ‘rxmsp’ to list the current call forwarding settings of the Mobile Station; and ‘rlstc’ to stop cells in the GSM network.

“In total, the log indicates that commands were executed on 136 different cells,” according to Kaspersky Lab’s Global Research and Analysis Team (GReAT). “Some of the cell names include “prn021a, gzn010a, wdk004, kbl027a, etc…”. The command log we obtained covers a period of about one month, from April 25, 2008 through May 27, 2008. It is unknown why the commands stopped in May 2008 though; perhaps the infection was removed or the attackers achieved their objective and moved on. Another explanation is that the attackers improved or changed the malware to stop saving logs locally and that’s why only some older logs were discovered.”

According to Kaspersky Lab, the attackers behind the platform have compromised computer networks in at least 14 countries around the world, including Iran, Russia and Germany.

More than half of the infections found by Symantec are in the Russian Federation (28 percent) and Saudi Arabia (24 percent). The primary victims uncovered so far include governments, financial institutions, telecom operators, research organizations, multinational political bodies and individuals involved in advanced mathematical/cryptographical research.

According to Symantec, 48 percent of the victims they observed were private individuals and small businesses. Twenty-eight percent were telecoms.

Researchers at Symantec say Regin has been active since at least 2008, with the earliest version the company is aware of being used between 2008 and 2011. A second version has been used from 2013 onwards, though it may have been used earlier. Both firms are still looking for the attack vector the hackers used initially to get in.

“The exact method used for the initial compromise remains a mystery, although several theories exist, including use of man-in-the-middle attacks with browser zero-day exploits,” according to Kaspersky Lab’s whitepaper. “For some of the victims we observed tools and modules designed for lateral movement.”

“So far,” the paper continues, “we have not encountered any exploits. The replication modules are copied to remote computers using Windows administrative shares and then executed. Obviously this technique requires administrative privileges inside the victim’s network. In several cases the infected machines were also Windows domain controllers. Targeting of system administrators via web-based exploits is a simple way of achieving immediate administrative access to the entire network.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...