US-CERT issues alert for Regin state-sponsored malware

The United States' Computer Emergency Readiness Team (US-CERT) has issued an alert to warn users about an advanced strain of malware that was this week revealed to have been used by the country's own spy agency.

The Regin advanced persistent threat (APT) was used against Belgian telco Belgacom and European Union staff computers by the UK's spy agency as well as the US National Securiry Agency, as revealed by the latter's former contractor, Edward Snowden. At the time, the name of the malware was not known.

First detailed by security and antivirus vendor Symantec, Regin is described by US-CERT as being able to "take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilisation".

While US-CERT said Regin has not been identified as targeting any organisations within the United States, it recommended users and administrators implement and maintain antivirus software, and also keep their operating systems and application software up to date.

Antivirus vendor Kaspersky conducted its own analysis [PDF] of the malware, noting that Regin was used to target telcos with GSM standard mobile networks for surveillance.

"The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations," Kaspersky wrote in its analysis of Regin.

Kaspersky discovered an encrypted virtual file system entry in Regin that related to an infection of an unnamed large GSM operator. The data appeared to be an activity log on a GSM Base Station Controller that allocates radio resources to mobile calls, and manages handovers between cell stations.

Regin was used to execute commands on 136 different GSM cells between April 2007 and May 2008, according to the log file Kaspersky found.

"Although all GSM networks have mechanisms embedded that allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and then abuse it to launch other types of attacks against mobile users," the Russian antivirus vendor said.

While Symantec's investigation picked up Regin samples from ten countries, Kaspersky discovered the malware in 14 nations. These include countries in the Pacific such as Kiribati and Fiji, as well as the South-East Asian nations of Malaysia and Indonesia.