
Regin: Nation-state ownage of GSM networks - ghosh
https://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/
======
pbsd
Curious; Symantec's report said the RC5 encryption was performed in CFB mode,
but this is not the case. Instead, we have a weird combination of CBC and CFB,
with CFB being used solely for the last block (instead of padding or
ciphertext-stealing). This has the look of seriously legacy code.

This seems to be a very old mode: I have trouble finding references to it with
less than 20 years. This mode is in [1, pg. 151] and [2, pg. 77], as far as I
can find, both of which were published in 1982. [2] also introduced ciphertext
stealing, albeit a bugged version [3, §6].

[1] http://faculty.nps.edu/dedennin/publications/Denning-CryptographyDataSecurity.pdf

[2] http://www.amazon.com/Cryptography-Dimension-Computer-Security-A-Implementation/dp/0471048925 [sorry, no PDF link]

[3] http://web.cs.ucdavis.edu/~rogaway/papers/steal.pdf
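The mode pbsd describes, as an added example that is not part of the thread or of any Regin analysis: RC5-32/12 as in Rivest's paper, chained in CBC over the full 8-byte blocks, with the ragged tail enciphered CFB-style under the last CBC ciphertext block, so no padding or ciphertext stealing is needed. The comment does not say exactly how Regin chains that final partial block (or what happens when the length is a multiple of 8), so the tail handling below is an assumption.

```python
import struct
# RC5-32/12: 32-bit words, 12 rounds; magic constants P and Q from Rivest's paper.
W, R, P32, Q32, MASK = 32, 12, 0xB7E15163, 0x9E3779B9, 0xFFFFFFFF
def rotl(x, n): n %= W; return ((x << n) | (x >> (W - n))) & MASK
def rotr(x, n): n %= W; return ((x >> n) | (x << (W - n))) & MASK
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def rc5_key_schedule(key):
    """Expand a 1..255-byte key into t = 2(R+1) 32-bit subkeys."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    t = 2 * (R + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_encrypt_block(S, block):
    A, B = struct.unpack("<II", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for i in range(1, R + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return struct.pack("<II", A, B)

def rc5_decrypt_block(S, block):
    A, B = struct.unpack("<II", block)
    for i in range(R, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    return struct.pack("<II", (A - S[0]) & MASK, (B - S[1]) & MASK)

def cbc_cfb(key, iv, data, encrypt=True):
    """CBC over the full 8-byte blocks; a ragged tail is handled CFB-style under
    the last ciphertext block (assumed chaining, not taken from Regin)."""
    S = rc5_key_schedule(key)
    out, prev, full = [], iv, len(data) - len(data) % 8
    for off in range(0, full, 8):
        blk = data[off:off + 8]
        if encrypt:
            prev = rc5_encrypt_block(S, xor(blk, prev))      # C_i = E(P_i ^ C_{i-1})
            out.append(prev)
        else:
            out.append(xor(rc5_decrypt_block(S, blk), prev))  # P_i = D(C_i) ^ C_{i-1}
            prev = blk
    if full < len(data):  # CFB tail: keystream E(C_last), identical in both directions
        out.append(xor(data[full:], rc5_encrypt_block(S, prev)))
    return b"".join(out)
```

Because the tail is a keystream XOR, the ciphertext is exactly as long as the plaintext, which is what lets the mode skip padding entirely.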

------
rsync
How did they get to these GSM stations from the infected windows systems?

Do BSC/BTS typically have IP-accessible configuration?

Regardless of how they connected (I thought SS7 ...) wouldn't there be a login
to access the switch BSC controls ... how would the malware have that?

I don't understand how the malware running on the windows system executed the
commands on the BSC.

~~~
gurtwo
The BSC has several interfaces. One of them is the APG, used for Operation &
Maintenance. It's a Windows module, accessible by IP. The APG serves as a
gateway to the node's core via MML (Man-Machine Language), the instructions to
operate the node.

~~~
rsync
So if you're running heavy equipment in a nuclear refining operation, you use
microsoft windows to run your heavy equipment (centrifuges).

If you're a mobile network operator, you use microsoft windows to access and
administer the base stations out in the field.

Pray tell: how important or sensitive does something have to be before someone
finally asks "hmm ... maybe we shouldn't use microsoft windows for this"?

~~~
paralelogram
_If you're a mobile network operator, you use microsoft windows to access and
administer the base stations out in the field._

It doesn't change much because the base station software probably has more
security bugs than Windows.

~~~
rdl
You don't normally browse random websites through the base station
administration software, though.

------
lotophage
The module names "legspin" and "willischeck" refer to the sport of Cricket.

~~~
AlyssaRowan
I don't think any of this is strictly cricket :-)

I didn't know about that relation for "willischeck", but since both NSA and
GCHQ have used this, while I don't recognise those covernames, I'm guessing
therefore those may well be Cheltenham's, whereas U_STARBUCKS
(UNITEDSTARBUCKS?) is probably Fort Meade's.

Newbies need a reminder about meaningless covernames. :-)

------
peterwwillis
> "Finally, the word 'shit' appears in many places throughout the code and
> modules."

Someone's boss is gonna be peeved! (Also, this would be a good indicator of a
native English speaker developing the software; I doubt most developers put
curse words into their code in a non-native language)

I don't find the GSM attacks unusual or interesting. Sure, it might be new for
an Internet worm, but government-sponsored orgs have been pushing attacks on
infrastructure like GSM networks since the L0pht days (though back then I
think satellites were more in vogue), and they're constantly looking for new
ways to infiltrate foreign networks of any type. This just shows someone's pet
research project from a decade ago made it out of the lab.

It's also interesting to note that while this is useful for nation-states,
they're not necessarily developed directly by a nation-state, and there could
be multiple organizations using the same malware package. One way to see
multiple independent actors using the same package would be to look for
different cryptographic keys, C&C servers, and discrete distributed victim
networks.

------
willvarfar
I am surprised that the data files that are meant to be sent to the C&C aren't
encrypted with a public key so only the intended recipients can decrypt them.
This would thwart discovering what information had already been extracted
after an infection was discovered.

------
crishoj
The remarkable delay in reporting these findings is deliberate?

------
k-mcgrady
Normally reading something like this wouldn't interest me as it would be over
my head but I found this fascinating. Thanks for posting it. It sounds like
it's been known about for several years - why is it only being talked about
now?

------
rurban
So according to the timestamps it's pretty clear it's only the US, not UK nor
Israel, who developed this software.

~~~
k-mcgrady
Could you explain how you're coming to that conclusion?

~~~
SEJeff
The timestamps they found are more or less US business hours.

~~~
k-mcgrady
I thought that but I think it's a big assumption that these people work
business hours.

