Kaspersky Lab has responded to criticism that security vendors took years too long to spot Regin, a recently discovered strain of ultra-sophisticated (and probably state-sponsored) spyware.
Regin is a software framework rather than an individual malicious code sample. Security vendors have until recently only seen fragments of the whole, making analysis difficult. Kaspersky Lab explained the two-year delay in releasing info about the Regin cyberweapon by comparing its work to an investigation by police.
Security research - not unlike law enforcement investigations - requires meticulous scrutiny and analysis, and in many cases, it's important to watch the crime unfold in real-time to build a proper case. In our case, without unlimited resources and the fact that we're tracking multiple APT actors simultaneously (Careto/Mask, EpicTurla, Darkhotel, Miniduke/Cosmicduke, to name a few), this becomes a process that takes months, even years, to gain a full understanding of a cyber-operation.
Sean Sullivan from F-Secure compares APT research to the work of paleontologists who find some bones of a dinosaur. Everyone may have a bone, but nobody has the full skeleton.
Kaspersky picks up this analogy and runs with it. "In the case of Regin, what we first discovered in 2012 was a slightly damaged bone from an unknown part of a monster living in a mysterious mountain lake," the firm said in a blog post on its official Securelist blog.
The Russian security firm goes on to firmly deny withholding information about and detections of Regin at the request of governments, customers or anyone else.
Security firm Symantec was the first to publish research about Regin around two weeks ago. The cyber espionage tool has been used for the past six years to spy on business and private targets.
As previously reported, Symantec has already come out swinging at accusations that it was tardy in releasing information about Regin. Neither Kaspersky's nor Symantec's denials are likely to silence either conspiracy theorists or anti-virus naysayers, of course. It's only possible to note that the offenders have a big advantage over defenders in cyber-espionage operations, and huge resources at their disposal, so the length of time taken to detect Regin is poor evidence of complicity between security software firms and cyber-spies.
There are precedents for the delay in releasing information about Regin, as Kaspersky Lab points out.
Like Regin, sometimes we find that we had been detecting pieces of malware for several years before realizing that it was a part of a global cyber-espionage campaign. One good example is the story of RedOctober. We had been detecting components of RedOctober long before we figured out that it was being used in targeted attacks against diplomatic, governmental and scientific research organisations.
Regin is most likely the work of an advanced nation state using multiple levels of encryption to obfuscate itself and other trickery in order to avoid detection, say securobods.
Advanced functionality in Regin includes the ability to directly monitor mobile phone traffic, with Symantec reporting that 28 per cent of the samples seen attacked telecoms backbone infrastructure.
Once installed on a computer, Regin can carry out a variety of malign actions – including capturing screenshots, monitoring keystrokes, stealing passwords and even recovering deleted files. ISPs, energy companies, airlines and research-and-development labs are among its victims.
What really marks the Regin platform out as something special is its ability to attack GSM and take over the management functions of mobile networks.
The attackers were able to obtain credentials that would allow them to control GSM cells in the network of a large cellular operator, according to Kaspersky Lab. This gave the attackers access to information about which calls are processed by a particular cell, along with the ability to redirect those calls to other cells, activate neighbouring cells and perform other offensive actions.
Samples of Regin were injected into systems at Belgian telecoms outfit Belgacom around 2010, and builds of the spyware have been circulating for at least six years.
Security firm G Data said it was aware of attacks on targets in 18 countries, including Germany, Russia, Syria and India. The Belgacom link is evidence that GCHQ might have had a hand in its creation, but this is somewhat circumstantial, and who created Regin remains something of a mystery. This, and the fact that the modules are called LEGSPIN, could be a diversionary tactic.
What is curious is that none of the “Five Eyes” countries (Australia, Canada, New Zealand, the UK, and the United States) make an appearance in the list of victims. ®