Regin, the tradecraft of the United States intelligence-gathering agency NSA and its British counterpart GCHQ, is a sophisticated spying tool used to collect information from corporations, institutions, academics and government individuals around the world.
It has a multi-stage design whose purpose is to enable modularization in a smooth way. The functionality of this six-stage tool is quite basic in the early stages but extends to specific attacks carried out by well-equipped units. These units allow for in-the-field updates of specific functionality or easy deployment of extensions when necessary.
The espionage malware is built on a Service Oriented Architecture (SOA) in which modules are plugged in according to the purpose of the operation. Such modules are generally not self-activated; they require a specific context and commands to exhibit their behavior. Facing such malware, analysts usually fall back on static analysis and toolkit development to decode and decrypt the adversary data saved by the malware.
The first challenge in reverse engineering Regin is its Service Oriented Architecture (SOA). This type of architecture is made up of modules that talk to one another via Remote Procedure Calls (RPC). Modules communicate either locally, inside a single instance, or remotely over the global botnet. This architecture enables work to be distributed across instances, making it easier to operate a large network of probes collecting information.
In 2013, documents from US National Security Agency whistleblower Edward Snowden confirmed that the British surveillance agency Government Communications Headquarters (GCHQ) was behind the attack, codenamed Operation Socialist. Later, The Intercept revealed that the malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers, who named it “Regin.”
Media and press around the world have addressed and analyzed different aspects of this complex operation. Cyber security firms such as Kaspersky Lab and Symantec have also published full-length reports that take a thorough look at the architecture and behavior of Regin. However, parts of its mechanism remain obscure. As a case in point, only a small number of the files belonging to the 64-bit version of this malware have been recovered and identified.
How could US and UK officials keep silent while one of the biggest operations in the world was crafted by their own agents? Cyberspace is no longer an obscure domain, since many Eastern countries have developed extensively in order to trace these nasty operations. The time is over for the US and its allies to report diversion strategies so as to cloud public opinion’s judgment. It’s time for Western countries to take the fall for their cybercrimes, stop disinforming the global community and bear in mind that they have many skeletons in the closet.