Recently the Symantec Corporation uncovered a highly sophisticated, modular piece of malware that has been infecting computers in a variety of countries as far back as 2008. Backdoor.regin has characteristics beyond those of modern malware and is already generally accepted as a product of nation-state cyber espionage. The implant likely took considerable resources and time to create and has several stealth features including multiple levels of encryption and even anti-forensic capabilities, multiple attack vectors, custom surveillance tools, persistence. The works.
Phew! How do you even begin to prepare for a threat like that? What could you do tomorrow, or even in the next month, that could stop an attack of this nature? These are tough questions we often find ourselves addressing in the wake of such a discovery. Accounting for a threat of this magnitude starts with understanding who or what is a target and why. The answer may not be as onerous as you might think.
Before you have the IT staff pull an all-nighter sweeping dark corners of your networks for the backdoor.regin implant, let us first explore the nature of the threat and see if we can piece together some information that will help put this into a reasonable scope.
Backdoor.regin has been around for 6 years, possibly longer. It has been lurking in telecommunications infrastructure, airline databases, hospitality computers, and on “private individuals’” machines. This suggests that the nature of the targeting may not be business or industry-driven in a traditional sense but rather people-driven. The malware is able to track the movements of key personnel while traveling via airline, and staying in hotels in and around key events, as well as targeting home and work communications by monitoring infrastructure around targeted areas (i.e targeting service providers to gain access to targets in their customer base).
These types of activities, while scary and at the same time, impressive, do take a significant amount of resources to accomplish and maintain…Resources that have to be expended every time the technology landscape shifts or targets adopt new technologies. That combined with the fact that this malware has remained hidden this long means there is likely a strenuous target vetting/selection procedure that requires final approval from the state that is funding the project.
Finally some good news! When an organization pours that much time, effort, research, and development into a tool of this nature, it is sure to protect it. Point it in the right direction, so to speak. Symantec has reported a very low level of occurrences in the wild and a low geographical distribution rate as well. Long-term intelligence gathering tools like this are associated with state-sponsored objectives (i.e. foreign policy, defense strategy, military metrics, economic trends, terrorist activity, civil unrest, etc.).
WHAT YOU CAN DO
If you still think you may be a target of this type of activity, conducting a detailed review of network security policies and adoption of stringent Operational Security (OPSEC) guidelines will aid in mitigating the threat. Proper event logging, application accountability (whitelisting, blacklisting), disabling local administrative privileges, firewall implementation/ review, Intrusion Detection and Prevention Systems (IDS/IPS), SIEM, and, most importantly, user training, should be addressed first and foremost as these will be the foundation for forming an adequate OPSEC policy.
After hardening procedures have been implemented it is important to take an objective look at your organization’s digital footprint from the outside; through the eyes of an attacker.
- What types of critical information could an attacker use to exploit the business/organization? Where does that information reside and does it require additional security considerations?
- Which types of attackers would benefit from targeting this type of information? What is known about the capabilities of these types of targets?
- What are the high-risk applications, connections, technologies, etc? Know the likely target areas of your organization and monitor them closely.
- Have enough security controls been implemented, within reason, to deter, prevent, alert and manage the threat associated with data and the likely attackers?
- Once you have finalized the OPSEC procedures for your organization, make sure to disseminate appropriately and help employees understand its importance.
Take a proactive approach. Understand what your critical information assets are upfront and take the appropriate steps to secure them through risk management, networking hardening policies, and OPSEC. When you’ve done your homework, the next “flavor-of the-day” malware won’t send a panic through the IT department or keep you up at night.