[Cryptography] Belgian cryptography professor hacked
hbaker1 at pipeline.com
Tue Nov 25 16:33:34 EST 2014
At 01:22 PM 11/25/2014, Harald Hanche-Olsen wrote:
>Henry Baker wrote:
>>ENGLISH SUMMARY - Belgian professor in cryptography hacked
>>01/02/2014 om 08:00 door Mark Eeckhaut and Nikolas Vanhecke
>Look at the date. This is an old story. Moreover, it was discussed right here on this list at the time.
FYI -- "security researchers have found the massive digital spy tool used in all three attacks"
Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer
By Kim Zetter 11.24.14 8:59 am
It was the spring of 2011 when the European Commission discovered it had been hacked. The intrusion into the EUs legislative body was sophisticated and widespread and used a zero-day exploit to get in. Once the attackers established a stronghold on the network, they were in for the long haul. They scouted the network architecture for additional victims and covered their tracks well. Eventually, they infected numerous systems belonging to the European Commission and the European Council before being discovered.
Two years later another big target was hacked. This time it was Belgacom, the partly state-owned Belgian telecom. In this case, too, the attack was sophisticated and complex. According to published news reports and documents leaked by Edward Snowden, the attackers targeted system administrators working for Belgacom and used their credentials to gain access to routers controlling the telecoms cellular network. Belgacom publicly acknowledged the hack, but has never provided details about the breach.
Then five months after that announcement, news of another high-profile breach emergedthis one another sophisticated hack targeting prominent Belgian cryptographer Jean-Jacques Quisquater.
Now it appears that security researchers have found the massive digital spy tool used in all three attacks. Dubbed Regin by Microsoft, more than a hundred victims have been found to date, but there are likely many others still unknown. Thats because the espionage toola malicious platform capable of taking over entire networks and infrastructureshas been around since at least 2008, possibly even earlier, and is built to remain stealth on a system for years.
The threat has been known since at least 2011, around the time the EU was hacked and some of the attack files made their way to Microsoft, who added detection for the component to its security software. Researchers with Kaspersky Lab only began tracking the threat in 2012, collecting bits and pieces of the massive threat. Symantec began investigating it in 2013 after some of its customers were infected. Putting together information from each, its clear the platform is highly complex and modulated and can be customized with a wide range of capabilities depending on the target and the attackers needs. Researchers have found 50 payloads so far for stealing files and other data, but have evidence that still more exist.
Its a threat that everyone has detected for some time, but no one has exposed [until now], says Eric Chien, technical director of Symantecs Security Technology and Response division.
The Most Sophisticated Spy Tool Yet
The researchers have no doubt that Regin is a nation-state tool and are calling it the most sophisticated espionage machine uncovered to datemore complex even than the massive Flame platform, uncovered by Kaspersky and Symantec in 2012 and crafted by the same team who created Stuxnet.
In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless, writes Symantec in its report about Regin.
Though no one is willing to speculate on the record about Regins source, news reports about the Belgacom and Quisquater hacks pointed a finger at GCHQ and the NSA. Kaspersky confirms that Quisqater was infected with Regin, and other researchers familiar with the Belgacom attack have told WIRED that the description of Regin fits the malware that targeted the telecom, though the malicious files used in that attack were given a different name, based on something investigators found inside the platforms main file.
Victims are located in multiple countries. Kaspersky has found them in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Malaysia, Syria, Pakistan, Russia and the small Pacific island nation of Kiribati. The majority of victims Symantec has tracked are located in Russia and Saudi Arabia.
Targets include entire networks, not just individuals, among them telecoms in multiple countries, as well as government agencies, research institutes and academics (particularly those doing advanced mathematics and cryptography, like Quisquater). Symantec has also found hotels infected. These are likely targeted for their reservation systems, which can provide valuable intelligence about visiting guests.
But perhaps the most significant aspect of Regin is its ability to target GSM base stations of cellular networks. The malicious arsenal includes a payload that Kaspersky says was used in 2008 to steal the usernames and passwords of system administrators of a telecom somewhere in the Middle East. Armed with these credentials, the attackers would have been able to access GSM base station controllersthe part of a cellular network that controls transceiver stationsto manipulate the systems or even install malicious code to monitor cellular traffic. They could also conceivably have shut down the cellular networkfor example, during an invasion of the country or other unrest.
Kaspersky wont identify the telecom or country where this GSM attack hack occurred, but suggests its either Afghanistan, Iran, Syria or Pakistan, as out of Kasperskys list of countries with Regin infections, only these four are in the region popularly considered the Middle East. Afghanistan stands out among the four, having been the only one cited in recent news stories about government hacking of GSM networks. Although most authorities would place it in South Asia, it is often popularly identified as being part of the Middle East.
Earlier this year, news reports based on documents leaked by Edward Snowden revealed two NSA operations codenamed MYSTIC and SOMALGET that involved hijacking the mobile network of several countries to collect metadata on every mobile call to and from these nations and, in at least two countries, to covertly record and store the full audio of calls. The countries where metadata was collected were identified as Mexico, Kenya, the Philippines and the island nation of the Bahamas. Countries where full audio was being recorded were identified as the Bahamas and Afghanistan.
The Path to Discovery
The Regin platform made its first public appearance in 2009 when someone uploaded components of the tool to the VirusTotal web site. VirusTotal is a free web site that aggregates dozens of anti-virus scanners. Researchers, and anyone else who finds a suspicious file on their system, can upload the file to the site to see if the scanners consider it malicious.
No one apparently noticed this upload in 2009, however. It wasnt until March 9, 2011 that Microsoft appeared to take note, around the time that more files were uploaded to VirusTotal, and announced that the company had added detection for a trojan called Regin.A to its security software. The following day, it made the same announcement about a variant called Regin.B. Some in the security community believe the files uploaded to VirusTotal in 2011 might have come from the European Commission or from a security firm hired to investigate its breach.
Guido Vervaet, the EU Commissions director of security who helped investigate the breach, wouldnt discuss it other than to say it was quite extensive and very sophisticated, with a complex architecture. He says the attackers used a zero-day exploit to get in but wouldnt say what vulnerability they attacked. The attack was uncovered by system administrators only when systems began malfunctioning. Asked if the attackers used the same malware that struck Belgacom, Vervaet couldnt say for sure. It was not one piece of software; it was an architecture [that] was not just one component but a series of elements working together. We have analyzed the architecture of the attack, which was quite sophisticated and similar to other cases that we know of in other organizations but internally they were unable to come to any conclusion that it was the same attack or the same wrongdoers.
Vervaet wouldnt say when the intrusion began or how long the invaders had been in the EU network, but documents released by Snowden last year discussed NSA operations that had targeted the EU Commission and Council. Those documents were dated 2010.
There are currently two known versions of the Regin platform in the wild. Version 1.0 dates back to at least 2008 but disappeared in 2011 the same year Microsoft released signatures to detect its trojan. Version 2.0 popped up in 2013, though it may have been used earlier than this. Researchers have found some Regin files with timestamps dating to 2003 and 2006, though its not clear if the timestamps are accurate.
Liam OMurchu, senior manager in Symantecs threat response group, says the threat landscape in 2008 was much different than it is today and this likely contributed to Regin remaining stealth for so long. I dont think we realized attackers were working on this level until we saw things like Stuxnet and Duqu and we realized theyd been on this level for quite some time. Those discoveries prompted researchers to begin looking for threats in different ways.
Anatomy of a Massive Attack Machine
Its unclear how the first infections occur. Neither Symantec nor Kaspersky has uncovered a dropper component (a phishing email containing an exploit that drops the malware onto a machine or entices victims to click on a malicious link), but based on evidence in one attack from 2011, Symantec thinks the attackers might have used a zero-day vulnerability in Yahoo Instant Messenger. But Chien says the attackers probably used multiple techniques to get into different environments. Reports about the hack of Belgacom describe a more sophisticated man-in-the-middle technique that involved using a rogue server to hijack the browser of Belgacom system administrators and redirect them to web pages the attackers controlled that infected their machines with malware.
Regardless of how it first gets into a machine, the Regin attack unfolds in five stages. Stages one through three load the attack and configure its architecture, while stages four and five launch the payloads. Among the payload options are a remote access trojan that gives the attackers backdoor access to infected systems, a keystroke logger and clip board sniffer, a password sniffer, modules to collect information about USB devices connected to the infected system, and an email extraction module called U_STARBUCKS. Regin can also scan for deleted files and retrieve them.
The execution of components is orchestrated by an elaborate component that researchers have dubbed the conductor. This is the brain of the whole platform, says Costin Raiu, head of Kasperskys Global Research and Analysis Team.
Regin uses a nested decrypting technique, decrypting itself in stages, with the key for decrypting each component in the component that precedes it. This made it difficult for researchers to examine the threat in the beginning when they didnt have all of the components and all of the keys.
Regin also uses an unusual technique in some cases to hide its data, by storing it in the Extended Attributes portion of Windows. Extended Attributes is a storage area for metadata associated with files and directories, such as when a file was created or last altered or whether an executable program was downloaded from the internet (and therefore needs a prompt warning users before opening). Extended Attributes limits the size of data blocks it can store, so Regin splits the data it wants to store into separate encrypted chunks to hide them. When it needs to use this data, the conductor links the chunks together so they can execute like a single file.
The attackers also use a complex communication structure to manage the large scope of network-wide infections. Instead of communicating directly with the attackers command servers, each system talks only to other machines on the network and with a single node that acts as a hub to communicate with command servers. This reduces the amount of traffic leaving the network and the number of machines communicating with a strange server outside the network, which can draw suspicion. It also allows the attackers to communicate with systems inside the organization that might not even be connected to the internet.
Its Totally Crazy': The Middle-Eastern Hacks
The most elaborate and extensive infection Kaspersky saw that used this technique occurred in a Middle Eastern country the researchers decline to name. They call the infection mind-blowing and say in their report that it consisted of an elaborate web of networks the attackers infected and then linked together. These include networks for the office of the president of the country, a research center, an educational institute that from its name appears to be a mathematics institute, and a bank. In this case, instead of having each of the infected networks communicate with the attackerss command server individually, the attackers set up an elaborate covert communication web between them so that commands and information passed between them as if through a peer-to-peer network. All of the infected networks then interfaced with one system at the educational institute, which served as a hub for communicating with the attackers.
Its totally crazy, says Raiu.The idea is to have one single control mechanism for the whole country so they can just run one command, and that command is replicated between all the members on the peer-to-peer network.
The connections between infected machines and networks are encrypted, with each infected node using a public and private key to encrypt traffic exchanged between them.
Kaspersky refers to the educational institute as the Magnet of Threats because they found all sorts of other advanced threats infesting its networkincluding the well-known Mask malware and Turlaall co-existing peacefully with Regin.
But on par with this attack was one that occurred in another Middle East country against the GSM network of a large, unidentified telecom. The Kaspersky researchers say they found what appears to be an activity log the attackers used to collect commands and login credentials for one of the telecoms GSM base station controllers. The log, about 70 KB in size, contains hundreds of commands sent to the base station controller between April 25 and May 27 of 2008. Its unclear how many of the commands were sent by telecom administrators or by the attackers themselves in an attempt to control base stations.
The commands, which Kaspersky identified as Ericsson OSS MML commands, are used for checking the software version on a base station controller, retrieving a list of the call forwarding settings for the mobile station, enabling call forwarding, listing the transceiver route for a particular cell tower, activating and deactivating cell towers in the GSM network, and adding frequencies to the active list of frequencies used by the network. The log shows commands going to 136 different GSM cell sitescell sites with names like prn021a, gzn010a, wdk004, and kbl027a. In addition to commands, the log also shows usernames and passwords for the telecoms engineer accounts.
They found a computer that manages a base station controller, and that base station controller is able to reach out to hundreds of cells, says Raiu. He says there are two or three GSM operators in the targeted country and the one the attackers targeted is the largest. He doesnt know if the others were infected as well.
Both of these infectionstargeting the GSM network and the presidential networkappear to be ongoing. As news of the Regin attack spreads and more security firms add detection for it to their tools, the number of victims uncovered will no doubt grow.
More information about the cryptography