{
	"id": "bd31ecc6-fbcb-4c2d-9ad4-a0fde474b6ec",
	"created_at": "2026-04-06T00:19:59.585995Z",
	"updated_at": "2026-04-10T03:23:38.826195Z",
	"deleted_at": null,
	"sha1_hash": "6ea60064143b3ff468e15d39b16ac5932d6fc84c",
	"title": "Regin APT Attacks Among the Most Sophisticated Ever Analyzed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 627573,
	"plain_text": "Regin APT Attacks Among the Most Sophisticated Ever Analyzed\r\nBy Brian Donohue\r\nPublished: 2014-11-25 · Archived: 2026-04-05 16:05:09 UTC\r\nNearly every organization involved in the business of tracking advanced persistent threat campaigns is talking\r\nabout a new highly sophisticated attack platform called “Regin” (pronounced: reɪ*ɡən – like the former U.S.\r\npresident). The general consensus is that Regin is the work of a well-funded nation-state, though it’s impossible to\r\npoint a finger at any particular country and blame them with certainty.\r\nIt would appear as though a number of individuals and organizations had been keeping dossiers on Regin, because\r\nas soon as Symantec issued their first version of the report over the weekend, other reports began streaming out,\r\nadding to the initial findings. More than one company and more than one researcher – including Kaspersky Lab’s\r\nGlobal Research and Analysis Team – have called this the most sophisticated attack campaign ever analyzed.\r\nAccording to Kaspersky Lab’s findings, the Regin APT campaign targets telecom operators, government\r\ninstitutions, multi-national political bodies, financial and research institutions and individuals involved in\r\nadvanced mathematics and cryptography. The attackers seem to be primarily interested in gathering intelligence\r\nand facilitating other types of attacks. While much of the intelligence gathered includes spying on emails and\r\ndocuments, the attack group also relentlessly targets telecommunication companies, which is normal, and at least\r\none GSM provider, which is not so normal.\r\nGSM stands for Global System for Mobile Communications. It’s a standard for cellular communications between\r\nmobile phones. The best way to think of GSM is as the second generation (2G) of mobile communication\r\ntechnologies—the predecessor of 3G and 4G networks. However, according to reports, GSM is the default\r\nstandard for mobile networks used by the majority of telecoms. It’s available in more than 219 countries and\r\nterritories and it demands a 90 percent share of the mobile telecom market.\r\nThey could have had access to information about which calls are processed by a particular cell, then redirected\r\nthese calls to other cells, activated neighbor cells and performed other offensive activities.\r\n“The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting\r\naspect of these operations,” Kaspersky Lab’s Global Research and Analysis Team reported yesterday. “In today’s\r\nworld, we have become too dependent on mobile phone networks which rely on ancient communication protocols\r\nwith little or no security available for the end user. Although all GSM networks have mechanisms embedded\r\nwhich allow entities such as law enforcement to track suspects, there are other parties which can gain this ability\r\nand further abuse them in order to launch other types of attacks against mobile users.”\r\nThe attackers were able to steal credentials from an internal GSM Base Station Controller belonging to a large\r\ntelecom operator that gave them access to GSM cells in that particular network, Kaspersky Lab said. My\r\nThreatpost colleague, Mike Mimoso, noted that Base Station Controllers manage calls as they move along a\r\nmobile network, allocating resources and mobile data transfers.\r\nhttps://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/\r\nPage 1 of 3\n\n“This means that they could have had access to information about which calls are processed by a particular cell,\r\nredirected these calls to other cells, activated neighbor cells and performed other offensive activities,” Kaspersky\r\nLab researchers wrote. “At the present time, the attackers behind Regin are the only ones known to have been\r\ncapable of preforming such operations.”\r\nIn other words, the Regin actors can not only passively monitor cellular communications metadata, but they can\r\nalso actively reroute cellular calls from one number to another.\r\n#Regin #APT targets the usual victims plus a famed cryptographer and the GSM standard, according to\r\n@Kaspersky\r\nTweet\r\nAnother bizarre and curious aspect of the Regin attack group is the story of a famed Belgian cryptographer and\r\nmathematician named Jean-Jacques Quisquater. In February of this year, reports began emerging that Quisquater’s\r\npersonal computer had been hacked six months earlier. While it isn’t unusual for prominent academics to be\r\ntargeted in cyberattacks, the case of Quisquater was slightly different because of some similarities between the\r\nattack that targeted his machine and a separate attack that targeted the Belgian telecom, Belgacom.\r\nThe latter incident was the subject of an Edward Snowden revelation claiming that the NSA and its British\r\ncounterpart, GCHQ, had orchestrated the attack. Of course, many media outlets have alleged that these similarities\r\ndo suggest that U.S. and British intelligence were behind both attacks. While neither Kaspersky Daily nor\r\nKaspersky Lab will cosign those allegations, it was reported by a number of news outlets at the time and is worth\r\nmentioning.\r\nIn addition to the story of Quisquater and the fact that it targets GSMs, the Regin attack platform also boasts\r\nincredible technical sophistication, particularly in its pervasiveness. The attackers established backdoors with their\r\ncommand infrastructure to ensure inconspicuous persistence on the networks of their victims. All of the\r\ncampaign’s communication traffic was encrypted to make sure attacks weren’t observed, both between the\r\nattackers and their control servers and between the victim’s machines and the attack infrastructure.\r\nMost of Regin’s communications occur between infected machines – dubbed ‘communication drones’ – on the\r\nvictim’s network. The reason for this is twofold: it allows for deep access while also limiting the amount of data\r\nexiting the network en route to a command and control server. When you see data leaving your network and\r\ntraveling to an unknown network, that raises alarms. So this in-network, peer-to-peer communication makes it\r\nmore difficult for network monitors to realize an attack is occurring.\r\nhttps://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/\r\nPage 2 of 3\n\nIn one unnamed Middle Eastern country, every single victimized network identified by Kaspersky lab,\r\ncommunicates with all of the other networks in a sort of peer-to-peer structure. The network included the\r\npresident’s office, a research center, an educational institution’s network and a bank. One of the victims contains a\r\ntranslation drone that is able to forward the stolen data packets outside of the country, to the command and control\r\nserver located in India.\r\n“This represents a rather interesting command-and-control mechanism, which is guaranteed to raise very few\r\nsuspicions,” researchers wrote. “For instance, if all commands to the president’s office are sent through the bank’s\r\nnetwork, then all of the malicious traffic that is visible to the president’s office’s sysadmins will only be with the\r\nbank, in the same country.”\r\nRegin is deployed in five stages, giving the attackers deep access to a victimized network as each stage loads\r\nsubsequent parts of the attack. Modules in the first stage contain the only executable stored on the victim’s\r\ncomputer, and they’re all signed with phony Microsoft and Broadcom digital certificates in order to seem\r\nlegitimate.\r\nKaspersky products detect modules from the Regin platform as: Trojan.Win32.Regin.gen and\r\nRootkit.Win32.Regin. Kaspersky Lab has also released a full-length technical paper if you would like to dig a bit\r\ndeeper.\r\nSource: https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/\r\nhttps://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/"
	],
	"report_names": [
		"6852"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434799,
	"ts_updated_at": 1775791418,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ea60064143b3ff468e15d39b16ac5932d6fc84c.pdf",
		"text": "https://archive.orkl.eu/6ea60064143b3ff468e15d39b16ac5932d6fc84c.txt",
		"img": "https://archive.orkl.eu/6ea60064143b3ff468e15d39b16ac5932d6fc84c.jpg"
	}
}