Begin The Regin?
November 24th, 2014
The news about the Regin Trojan raises a number of questions for folks focused on financial services, even as the story is still developing. For all 1980s music lovers, it may also bring to mind the R.E.M. song “Begin The Begin”
If you’ve been on vacation or ignoring your favorite news app these past 48 hours, here’s the update: Symantec announced that a new and specialized piece of malware had been discovered, possessing considerable espionage-like surveillance mechanisms and capabilities. The technical competence of the authors continues to be the source of much industry pontification. Although I doubt we will still be talking about it in six months, except as possibly an appendage to stories that will forever mention the likes of Stuxnet, Duqu, Wiper, Shamoon, and Flame, here’s my take on what to remember about Regin:
- A Fascinating Geographical Layout – The first thing that jumps out at you when dig into Regin is that the impacted countries are simply not your typical who’s-who that one would find in most reports from the major security research firms. The likes of the US, Canada, the UK, France, Australia, Japan, Germany, and other major economies are simply absent (Ireland at 9% and Belgium & Austria accounting for another 10% in total hardly counts in my opinion!). Latin America is supposedly completely untouched, as well. Finally, the parts of APAC you would expect to be impacted (e.g. Greater China, Hong Kong, Australia, Singapore, Japan, etc.) are completely unaffected based on the Symantec analysis.
- It’s Ancient – No, I’m not referring to the ancient Norse myth of Regin (Reginn with two “n”s actually) but rather to the age of this malware. It is plain old. Very old. Some news reports have it pegged as far back as 2006, a lifetime and a half when it comes to malware families and their variants. Even if 2006 proves to be an exaggeration, 2008 or thereabouts is still a long time ago. Few families last that long. Which brings me to my next point …
- It Appears To Have Worked – That’s it … if it lasted this long without being detected, then boy oh boy it must be good and nimble. Granted, many of the countries impacted are not who one would typically associate as having top-notch information security infrastructures in place, but even despite that reality, for it to have gone on for so long unknown speaks to Regin’s strength and resilience.
- It’s Definitely Espionage … Not Financial Fraud – By all accounts, I agree with the mainstream media coverage that this was not some simple Eastern European cybercriminal ring, but rather the act of a nation-state. The reasons for this are numerous: (1) The fact that one stage hid the tracks of the previous stage. (2) A-to-Z encryption is unique for a Trojan that has existed for six or eight years; Trojan families from back then simply didn’t need to encrypt all of their communications nor cover their tracks so diligently. (3) Regin appears to have remained unknown and undetected until very recently (last December), raising the distinct possibility that it included auto-update features which is also a very ubiquitous capability these days, but not something which was common back in 2006, 2007, or 2008, when Regin apparently first appeared. (4) Fourth and finally, the fact that its command & control uses four different transport protocols (ICMP, UDP, TCP, and HTTP) also points to a high degree of sophistication that is not typical of a Trojan family from six or seven years ago.
The headlines warning of cyberattacks on critical infrastructure continue to appear. While I don’t anticipate Regin turning into the leading tip of the spear when it comes to 2015 cyber-threats, I do believe that it will prove to be another painful thorn in the side of any agency or organization looking to defend itself from unwanted intruders and adversaries, be they government-sponsored, hacktivism-inspired, or financial fraud-related.