Cyber criminals are using a new malware — Regin — to penetrate and monitor GSM networks in India and other countries including Pakistan, Brazil, Germany and Russia, security researchers have said.
Regin is being used to target telecom operators, governments, financial institutions, research organisations, multinational political bodies and individuals involved in advanced mathematical/cryptographical research, they said.
Security solutions firm Kaspersky Lab said some of the earliest samples of Regin appear to have been created as early as 2003.
“Regin is aimed at gathering confidential data from attacked networks and performing several other types of attacks ... attackers turned compromised organisations in one vast unified victim and were able to send commands and steal the information via a single entry point,” Kaspersky said.
This structure allowed the actor to operate silently for years without raising suspicions, it added.
“The ability to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations,” Kaspersky Lab Director of Global Research and Analysis Team Costin Raiu said.
Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, other parties can hijack this ability and abuse it to launch different attacks against mobile users, Raiu added.
Post attack, attackers could have access to information about which calls are processed by a particular cell site, redirect calls to other cells, activate neighbour cells and perform other offensive activities.
According to another security solutions provider Symantec, Regin bears the “hallmarks of a state-sponsored operation” and is believed to have been in use since at least 2008.
“It is built on a framework that is designed to sustain long-term intelligence-gathering operations by remaining under the radar,” Symantec said in a whitepaper.
Regin goes to extraordinary lengths to conceal itself and its activities on compromised computers and the sophistication and complexity suggests it could have taken well—resourced teams of developers many months or years to develop and maintain, it added.
Symantec found that almost half of all infections targeted private individuals and small businesses (48 per cent), followed by telecom companies (28 per cent), hospitality (nine per cent) and others.
In terms of geography, Russian Federation accounted for 28 per cent of the infections, Saudi Arabia (24 per cent), Mexico and Ireland (9 per cent each), India, Afghanistan and Pakistan (5 per cent each).