Report Connects Elite Hacking Group to NSA-Linked Cyberweapons

Capabilities of “Equation Group” Surpass Anything Known in Terms of Complexity and Sophistication of Cyber Attack Techniques

CANCUN, Mexico – KASPERSKY SECURITY ANALYST SUMMIT – Before Stuxnet and Flame even made ripples on the cybersecurity radar, a group was already building sophisticated zero-day malware and cyber-attack tooling. This group, which combined complex attack tools with classic espionage tradecraft, has been infecting victims worldwide in practically every industry sector since 2001, according to a new report from Kaspersky Lab.

“There are solid links indicating that the Equation Group has interacted with other powerful groups, such as the Stuxnet and Flame operators—generally from a position of superiority,” Kaspersky Lab researchers said in the report released at the company’s Security Analyst Summit in Cancun, Mexico on Monday.

The Equation Group uses complicated tools which were expensive to develop to infect victims, retrieve data, and hide activity in an “outstandingly professional way,” Kaspersky Lab researchers said.

The company estimates the Equation Group has infected thousands, “even tens of thousands,” of victims in more than 30 countries worldwide, covering government and diplomatic institutions, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, mass media, transportation, financial institutions, and companies developing encryption technologies.

Map of Equation Group (NSA?) Targets

The Equation Group is a “threat actor that surpasses anything known in terms of complexity and sophistication of techniques,” Kaspersky Lab said. Considering the company has been monitoring more than 60 advanced threat actors responsible for cyber-attacks worldwide, that’s saying a lot.

The researchers stopped short of saying the Equation Group is part of the United States National Security Agency (NSA). But the sheer amount of evidence they laid out strongly points to the spy agency.

The Equation Group is also known for physical infection vectors: it targeted participants at a scientific conference by mailing them a malware-infected CD, and it intercepted a Cisco Systems router in the mail to implant a Trojan in its firmware.


The Equation Group library includes a highly advanced keylogger called “Grok.” In March, news reports based on Snowden-leaked documents referenced an NSA-developed keylogger with the same name. And finally, there are references to “STRAITACID” and “STRAITSHOOTER” in the Equation Group’s source code, which seem to echo “STRAITBIZARRE,” one of the most advanced malware platforms used by the NSA’s Tailored Access Operations unit.

The Equation Group also had access to zero-days before they were used by Stuxnet and Flame, and at some point it shared exploits with other operators. Kaspersky Lab observed seven exploits used by the Equation Group in its malware, of which at least four were used as zero-days. An unknown exploit, possibly a zero-day, was used against Firefox 17, the version the Tor Browser was built on at the time.

Kaspersky Lab has identified some of the Trojans used to infect victims, including EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. Fanny in 2008 used two zero-days which were later introduced into Stuxnet in June 2009 and March 2010. Kaspersky Lab had disclosed earlier that one of the zero-days used in Stuxnet was actually a module created for Flame.

The Fanny worm, whose main purpose was to map air-gapped networks, stands out from all the attacks performed by the Equation Group, the researchers found. The worm could map the topology of a network that cannot be reached from the Internet and execute commands on those isolated systems. It used a unique USB-based command-and-control mechanism that let the attackers pass data back and forth across the air gap: the attackers saved commands in a hidden storage area on an infected USB stick, and when the stick was plugged into a target machine, Fanny executed those commands, with the same hidden area carrying data back out of the air-gapped network.
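The article does not say where on the stick Fanny’s hidden storage area lived. A defender’s first question about any suspect USB device is still the same: is there data on the medium that no partition accounts for? The example below is added here and is not code from Kaspersky’s report or from the malware; it assumes one plausible hiding scheme (non-zero sectors in the gap before the first MBR partition or past the end of the last one), builds a small constructed disk image with a legitimate partition plus two stashes, and scans the unallocated sectors. The sector contents, the 64-sector geometry and the “CFG”/“CMD” blobs are all constructed for the example.

```python
import struct

SECTOR = 512
ENTRY_FMT = "<BBBBBBBBII"   # status, CHS start (3), type, CHS end (3), LBA start, sector count
PARTITION_TABLE = 446       # offset of the four 16-byte MBR partition entries
SIGNATURE = b"\x55\xaa"


def build_mbr(partitions):
    """Build a minimal MBR from (type, lba_start, sector_count) tuples; CHS fields are left zero."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, mbr, PARTITION_TABLE + 16 * i,
                         0x00, 0, 0, 0, ptype, 0, 0, 0, start, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts with type/start/count."""
    if mbr[510:512] != SIGNATURE:
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FMT, mbr, PARTITION_TABLE + 16 * i)
        ptype, start, count = fields[4], fields[8], fields[9]
        if ptype and count:
            parts.append({"type": ptype, "start": start, "count": count})
    return parts


def scan_unallocated(image):
    """Find runs of non-zero sectors that no partition claims (LBA 0, the MBR itself, is skipped).

    Returns (partitions, runs); each run is (first_lba, last_lba, payload) with trailing NULs stripped.
    """
    total = len(image) // SECTOR
    parts = parse_mbr(image[:SECTOR])
    allocated = set()
    for p in parts:
        allocated.update(range(p["start"], min(p["start"] + p["count"], total)))

    runs = []
    run_start = None
    for lba in range(1, total + 1):          # one past the end so a trailing run is closed
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        suspicious = lba < total and lba not in allocated and any(sector)
        if suspicious and run_start is None:
            run_start = lba
        elif not suspicious and run_start is not None:
            payload = image[run_start * SECTOR:lba * SECTOR].rstrip(b"\x00")
            runs.append((run_start, lba - 1, payload))
            run_start = None
    return parts, runs


def build_sample_image():
    """Constructed 64-sector USB image: one FAT32 partition plus two stashes outside it (not a real capture)."""
    image = bytearray(64 * SECTOR)
    image[:SECTOR] = build_mbr([(0x0B, 8, 40)])              # partition covers LBA 8..47
    for lba in range(8, 48):                                  # stand-in for real filesystem content
        image[lba * SECTOR:(lba + 1) * SECTOR] = b"F" * SECTOR
    gap_blob = b"CFG beacon_interval=3600"                     # stash in the gap before the first partition
    image[3 * SECTOR:3 * SECTOR + len(gap_blob)] = gap_blob
    tail_blob = b"CMD dir C:\\ > out.txt\nRESP <pending>"      # operator command parked past the last partition
    image[52 * SECTOR:52 * SECTOR + len(tail_blob)] = tail_blob
    image[53 * SECTOR:53 * SECTOR + 4] = b"\x00\x00\xde\xad"  # spills into the next sector
    return bytes(image)


if __name__ == "__main__":
    partitions, findings = scan_unallocated(build_sample_image())
    print("partitions:", partitions)
    for first, last, payload in findings:
        print(f"unallocated data at LBA {first}-{last}: {payload[:40]!r}")
```

On a real stick the same scan runs over a raw image taken with dd; anything it reports deserves a look, but a clean result proves little, since a dead drop can equally sit inside the filesystem (slack space, a hidden file) or in a vendor area the MBR never describes.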

Kaspersky Lab researchers were able to recover two modules that allowed the group to reprogram the firmware of hard disk drives from more than a dozen popular brands, including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate. The malware is extremely persistent: because it lives in the drive’s firmware, it survives disk formatting and OS reinstallation.

“It means that we are practically blind, and cannot detect hard drives that have been infected by this malware,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab. The malware could also create an invisible, persistent area hidden inside the hard drive to store exfiltrated information for later retrieval by the attackers. This means the attackers could, for example, capture a disk-encryption password and save it in that hidden area, he said.

“It can resurrect itself forever,” Raiu said.
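Raiu’s point is that the host has no independent view of what the drive’s firmware is doing, so there is no clean detection. What a defender can still do is notice when a drive’s self-reported firmware revision drifts from the revision recorded at deployment. The example below is added here and is not code from Kaspersky or any drive vendor: it parses the string fields of an ATA IDENTIFY DEVICE block (serial number in words 10-19, firmware revision in words 23-26, model in words 27-46, two characters per word with the first character in the high byte, plus the optional 0xA5 integrity word at word 255) and compares the revision against a baseline inventory. The model, serial and firmware strings and the baseline are constructed for the example; on Linux the real 512-byte block can be captured with `hdparm --Istdout`. The caveat is the one the article states: an implant that reports the original revision string passes this check, so treat a mismatch as a lead and a match as nothing at all.

```python
IDENTIFY_BYTES = 512
# ATA IDENTIFY DEVICE string fields as (first word, word count)
SERIAL = (10, 10)
FIRMWARE = (23, 4)
MODEL = (27, 20)


def _swap_pairs(raw):
    """ATA strings keep the first character of each pair in the word's high byte, so a
    little-endian memory image of the block holds the characters pairwise swapped."""
    out = bytearray(len(raw))
    out[0::2] = raw[1::2]
    out[1::2] = raw[0::2]
    return bytes(out)


def encode_field(buf, field, text):
    first, nwords = field
    padded = text.encode("ascii").ljust(nwords * 2)[: nwords * 2]   # space padded, as the spec requires
    buf[first * 2:(first + nwords) * 2] = _swap_pairs(padded)


def decode_field(buf, field):
    first, nwords = field
    return _swap_pairs(buf[first * 2:(first + nwords) * 2]).decode("ascii", "replace").strip()


def seal(buf):
    """Word 255: low byte 0xA5 says a checksum is present, high byte makes all 512 bytes sum to zero mod 256."""
    buf[510] = 0xA5
    buf[511] = (-sum(buf[:511])) & 0xFF


def checksum_ok(buf):
    if buf[510] != 0xA5:
        return None            # drive does not advertise an integrity word
    return sum(buf) & 0xFF == 0


def build_identify(model, serial, firmware):
    """Constructed IDENTIFY block for the example; a real drive fills in roughly 250 other words."""
    buf = bytearray(IDENTIFY_BYTES)
    encode_field(buf, MODEL, model)
    encode_field(buf, SERIAL, serial)
    encode_field(buf, FIRMWARE, firmware)
    seal(buf)
    return bytes(buf)


def parse_identify(buf):
    if len(buf) != IDENTIFY_BYTES:
        raise ValueError("IDENTIFY DEVICE data is exactly 512 bytes")
    return {
        "model": decode_field(buf, MODEL),
        "serial": decode_field(buf, SERIAL),
        "firmware": decode_field(buf, FIRMWARE),
        "checksum_ok": checksum_ok(buf),
    }


def compare_to_baseline(identity, baseline):
    """baseline maps serial number -> firmware revision recorded when the drive was deployed."""
    expected = baseline.get(identity["serial"])
    if expected is None:
        return "not-in-baseline"
    if identity["checksum_ok"] is False:
        return "identify-checksum-bad"
    return "ok" if identity["firmware"] == expected else "firmware-revision-changed"


BASELINE = {"EX0000000001": "FW01", "EX0000000002": "FW01"}   # constructed inventory


def demo():
    """Three constructed drives: unchanged, revision drifted, and one never inventoried."""
    drives = [
        build_identify("EXAMPLE HDD 2TB", "EX0000000001", "FW01"),
        build_identify("EXAMPLE HDD 2TB", "EX0000000002", "FW02"),
        build_identify("EXAMPLE HDD 2TB", "EX0000000003", "FW01"),
    ]
    return [compare_to_baseline(parse_identify(d), BASELINE) for d in drives]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Record the whole 512-byte block at deployment rather than only the three strings; a later diff over all 256 words catches changes in capability and feature words that a revision-only comparison misses.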
