
Kaspersky Labs responds to Regin criticism


December 5, 2014


Earlier this morning, Kaspersky Labs responded to criticism from the IT industry that security vendors took a few years to discover the Regin virus, a recently discovered strain of ultra-sophisticated and probably state-sponsored spyware that is considered worse and more lethal than the Stuxnet malware.

To be sure, Regin is a software framework rather than an individual malicious code sample. Security vendors have until recently only seen fragments of the virus, making analysis difficult.

Kaspersky Labs explained the two-year delay in releasing information about the Regin cyberweapon by comparing its work to a police investigation.

Internet security research, unlike law enforcement investigations, requires meticulous scrutiny and analysis, and in most cases it's imperative to watch the crime unfold in real time to build a proper case.

In our view, without unlimited resources and the fact that we're tracking multiple APT actors simultaneously (Careto/Mask, EpicTurla, Darkhotel, Miniduke/Cosmicduke, to name a few), this becomes a process that takes months, even years, to gain a full understanding of a cyber-operation.

Sean Sullivan from F-Secure compares APT research to the work of paleontologists who find some bones of a dinosaur: everyone may have a bone, but nobody has the full skeleton.

Kaspersky picks up this analogy and runs with it. "In the case of Regin, what we first discovered in 2012 was a slightly damaged bone from an unknown part of a monster living in a mysterious mountain lake," the firm said in a post on its official Securelist blog.

The Russian security company goes on to firmly deny withholding information about and detections of Regin at the request of governments, customers or anyone else.

For its part, security firm Symantec was the first to publish research about Regin, around two weeks ago. The cyber-espionage tool has been used for the past six years to spy on business and private targets.

Neither Kaspersky's nor Symantec's denials are likely to silence conspiracy theorists or anti-virus naysayers, of course. It is worth noting, though, that attackers in cyber-espionage operations have a big advantage over defenders and huge resources at their disposal, so the length of time taken to detect Regin is poor evidence of complicity between security software firms and cyber criminals.

There are precedents for the delay in releasing information about Regin, as Kaspersky Labs pointed out to us this morning.

Like Regin, sometimes we find that we had been detecting pieces of malware for several years before realizing that it was part of a global cyber-espionage campaign. One good example is the story of Red October. We had been detecting components of Red October long before we figured out that it was being used in targeted attacks against diplomatic, governmental and scientific research organizations.

Regin is most likely the work of an advanced nation state, using multiple levels of encryption and other trickery to obfuscate itself and avoid detection.

Advanced functionality in Regin includes the ability to directly monitor mobile phone traffic, with Symantec reporting that about 28.4 percent of the samples seen attacked telecoms backbone infrastructure.

Once installed on a system, Regin can carry out a variety of nasty actions, including capturing screenshots, monitoring keystrokes, stealing passwords and even recovering deleted files.

ISPs, energy companies, airlines and research-and-development labs are among its victims, just like Stuxnet.

What really marks the Regin platform out as something special is its ability to attack the GSM protocol and take over the management functions of mobile networks.

The attackers were able to obtain credentials that would allow them to control GSM cells in the network of a large cellular operator, according to Kaspersky Labs.

This gave attackers access to information about which calls are processed by a particular cell tower, along with the ability to redirect these calls to other cells, activate neighbouring cells and perform other offensive actions.

Samples of Regin were injected into systems at Belgian telecom firm Belgacom around 2010, and builds of the spyware have been circulating for at least six years.

Security firm G Data said it was aware of attacks on targets in at least eighteen other countries, including Germany, Russia, Syria and India.

The Belgacom link is evidence that GCHQ might have had a hand in its creation, but this is somewhat circumstantial, and who created Regin still remains something of a mystery.

This and the fact that the modules are called LEGSPIN could be a diversionary tactic. What is curious is that none of the “Five Eyes” countries (Australia, Canada, New Zealand, the UK, and the United States) make an appearance in the list of victims.

Source: Kaspersky Labs.
