Kaspersky Labs responds to Regin criticism
December 5, 2014
Earlier this morning, Kaspersky Labs responded to criticism from the IT industry that security vendors took several years to discover Regin, a recently disclosed strain of highly sophisticated and probably state-sponsored spyware that is considered more dangerous than the Stuxnet malware.
To be sure, Regin is a software framework rather than an individual malicious code sample. Security vendors have until recently only seen fragments of the virus, making analysis difficult.
Kaspersky Labs explained the two-year delay in releasing information about the Regin cyberweapon by comparing its work to a police investigation.
Internet security research, unlike law enforcement investigations, requires meticulous scrutiny and analysis, and in most cases, it's imperative to watch the crime unfold in real-time to build a proper case.
In our view, without unlimited resources and the fact that we're tracking multiple APT actors simultaneously (Careto/Mask, EpicTurla, Darkhotel, Miniduke/Cosmicduke, to name a few), this becomes a process that takes months, even years, to gain a full understanding of a cyber-operation.
Sean Sullivan from F-Secure compares APT research to the work of paleontologists that find some bones of a dinosaur. Everyone may have a bone, but nobody has the full skeleton.
Kaspersky picks up this analogy and runs with it. "In the case of Regin, what we first discovered in 2012 was a slightly damaged bone from an unknown part of a monster living in a mysterious mountain lake," the firm said in a post on its official Securelist blog.
The Russian security company goes on to firmly deny withholding information about and detections of Regin at the request of governments, customers or anyone else.
For its part, security firm Symantec was the first to publish research about Regin around two weeks ago. The cyber-espionage tool has been used for the past six years to spy on business and private targets.
Neither Kaspersky's nor Symantec's denials are likely to silence conspiracy theorists or anti-virus naysayers, of course. It can only be noted that attackers in cyber-espionage operations hold a big advantage over defenders and have huge resources at their disposal, so the length of time taken to detect Regin is poor evidence of complicity between security software firms and cyber criminals.
There are precedents for the delay in releasing information about Regin, as Kaspersky Labs pointed out to us this morning.
Like Regin, sometimes we find that we had been detecting pieces of malware for several years before realizing that it was part of a global cyber-espionage campaign. One good example is the story of Red October. We had been detecting components of Red October long before we figured out that it was being used in targeted attacks against diplomatic, governmental and scientific research organizations.
Regin is most likely the work of an advanced nation state; it uses multiple layers of encryption to obfuscate itself, along with other trickery, in order to avoid detection.
Advanced functionality in Regin includes the ability to monitor mobile phone traffic directly, with Symantec reporting that about 28.4 percent of the samples seen attacked telecoms backbone infrastructure.
Once installed on a system, Regin can carry out a variety of nasty actions, including capturing screenshots, monitoring keystrokes, stealing passwords and even recovering deleted files.
ISPs, energy companies, airlines and research-and-development labs are among its victims, just like Stuxnet.
What really marks the Regin platform out as something special is its ability to attack the GSM protocol and take over the management functions of mobile networks.
The attackers were able to obtain credentials that would allow them to control GSM cells in the network of a large cellular operator, according to Kaspersky Labs.
This gave the attackers access to information about which calls are processed by a particular cell tower, along with the ability to redirect these calls to other cells, activate neighbouring cells and perform other offensive actions.
Samples of Regin were injected into systems at Belgian telecom firm Belgacom around 2010, and builds of the spyware have been circulating for at least six years.
Security firm G Data said it was aware of attacks on targets in at least eighteen other countries, including Germany, Russia, Syria and India.
The Belgacom link suggests that GCHQ might have had a hand in its creation, but the evidence is circumstantial, and who created Regin remains something of a mystery.
This, and the fact that the modules are called LEGSPIN, could be a diversionary tactic. What is curious is that none of the "Five Eyes" countries (Australia, Canada, New Zealand, the UK and the United States) appear in the list of victims.
Source: Kaspersky Labs.