We will be updating this page with new information as it becomes available, so please check back regularly.
What is the threat?
Regin is a complex intelligence-gathering tool which has been engaged in long-term, systematic data collection and surveillance activities against government organisations, infrastructure operators, businesses, academics, and private individuals. Regin uses advanced techniques and goes to extraordinary lengths to conceal itself on compromised computers in order to remain under the radar. There are two versions: version 1.0, which appears to have been used from at least 2008 to 2011, and version 2.0, which has been used from 2013 onwards.
What does it do?
It acts as a spying tool framework that the operators can customise for the organisation, system or data they’re targeting. There are dozens of known payloads and others may exist. Examples of known modules include:
- Parsing of email from Microsoft Exchange databases
- Password stealing
- UI manipulation (remote mouse point & click activities, capturing screenshots, etc.)
- Process and memory information gathering
- Low-level forensic capabilities (for example, retrieving files that were deleted)
- Low-level network traffic sniffing
- Data exfiltration through various channels (TCP, UDP, ICMP, HTTP)
- Sniffer for GSM base station controller administration network traffic
The infection can occur in a variety of ways depending on the target. A reproducible infection process is unconfirmed at the time of publication. The attack may begin with a user being tricked into visiting spoofed or compromised versions of well-known websites. The threat may be installed via a web browser vulnerability or by exploiting an application. One example of a successful attack shows Regin originating through a well-known instant messenger application.
To date Symantec has observed around 100 infections in 10 different countries across a variety of organisations including private companies, government entities and research institutes.
What should I do next?
All organisations and individuals should continue to ensure that their security solutions are up to date and their applications are regularly patched. In addition, organisations should consider their stance for dealing with advanced threats and may want to adopt a broader Cyber Resilience program.