Why nation-state malwares target Telco Networks: Dissecting technical capabilities of Regin and its counterparts

Presented at DEF CON 23 (2015), Aug. 9, 2015, 1 p.m. (60 minutes).

The recent research in malware analysis suggests state actors allegedly use cyber espionage campaigns against GSM networks. Analysis of state-sponsored malwares such like Flame, Duqu, Uruborus and the Regin revealed that these were designed to sustain long-term intelligence-gathering operations by remaining under the radar. Antivirus companies made a great job in revealing technical details of the attack campaigns, however, it exclusively has almost focused on the executables or the memory dump of the infected systems - the research hasn't been simulated in a real environment. GSM networks still use ancient protocols; Signaling System 7 (SS7), GPRS Tunneling Protocol (GTP) and the Stream Control Transmission Protocol (SCTP) which contain loads of vulnerable components. Malware authors totally aware of it and weaponing exploits within their campaigns to grab encrypted and unencrypted streams of private communications handled by the Telecom companies. For instance, Regin was developed as a framework that can be customized with a wide range of different capabilities, one of the most interesting ability to monitor GSM networks. In this talk, we are going to break down the Regin framework stages from a reverse engineering perspective - kernel driver infection scheme, virtual file system and its encryption scheme, kernel mode manager- while analyzing its behaviors on a GSM network and making technical comparison of its counterparts - such as TDL4, Uruborus, Duqu2.


Presenters:

  • Omer Coskun - Ethical Hacker with KPN REDteam, KPN (Royal Dutch Telecom)
    Omer works as an Ethical Hacker for KPN's (Royal Dutch Telecom) REDteam in Amsterdam, the Netherlands. He enjoys diving into lines of code to spot bugs, tinkering in front of the debugger and developing wise tactics/tools to break applications on his day to day work. Prior to joining KPN REDteam, Omer worked for companies like IBM ISS, Verizon and as an external government contractor. He holds an Honour's Engineering degree in Computer Science.

Links:

Similar Presentations: