Report Connects Elite Hacking Group to NSA-Linked Cyberweapons

Capabilities of “Equation Group” Surpass Anything Known in Terms of Complexity and Sophistication of Cyber Attack Techniques

CANCUN, Mexico – KASPERSKY SECURITY ANALYST SUMMIT – Before Stuxnet and Flame even made ripples on the cybersecurity radar, there was a group working on sophisticated zero-day malware and cyber-attacks. This group, which combined sophisticated and complex attack tools with classic spying techniques, has been infecting victims worldwide in practically every industry sector since 2001, according to a new report from Kaspersky Lab.

“There are solid links indicating that the Equation Group has interacted with other powerful groups, such as the Stuxnet and Flame operators—generally from a position of superiority,” Kaspersky Lab researchers said in the report released at the company’s Security Analyst Summit in Cancun, Mexico on Monday.

The Equation Group uses complicated tools which were expensive to develop to infect victims, retrieve data, and hide activity in an “outstandingly professional way,” Kaspersky Lab researchers said.

The company estimates the Equation Group has infected thousands, “even tens of thousands,” of victims in more than 30 countries worldwide, covering government and diplomatic institutions, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, mass media, transportation, financial institutions and companies developing encryption technologies.

Map of Equation Group (NSA?) Targets

The Equation Group is a “threat actor that surpasses anything known in terms of complexity and sophistication of techniques,” Kaspersky Lab said. Considering the company has been monitoring more than 60 advanced threat actors responsible for cyber-attacks worldwide, that’s saying a lot.

The researchers stopped short of saying the Equation Group was part of the United States National Security Agency (NSA). But the sheer amount of explosive evidence they laid out strongly implicates the secret spy agency.

The Equation Group is known for using physical means to infect users, such as targeting participants at a scientific conference by sending them a malware-infected CD in the mail and intercepting a Cisco Systems router in the mail to implant Trojans in the firmware.

The Equation Group library includes a highly advanced keylogger called “Grok.” In March, news reports from Snowden-leaked documents referenced an NSA-developed keylogger with the same name. And finally, there are references to “STRAITACID” and “STRAITSHOOTER” in the Equation Group’s source code which seem to echo “STRAITBIZARRE,” one of the most advanced malware platforms used by the NSA’s Tailored Access Operations unit.

The Equation Group also had access to zero-days before they were used by Stuxnet and Flame, and at some point it shared exploits with other operators. Kaspersky Lab observed seven exploits used by the Equation Group in its malware, of which at least four were used as zero-days. An unknown exploit—possibly a zero-day—was used against Firefox 17, which is used in the Tor browser.

Kaspersky Lab has identified some of the Trojans used to infect victims, including EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. Fanny in 2008 used two zero-days which were later introduced into Stuxnet in June 2009 and March 2010. Kaspersky Lab had disclosed earlier that one of the zero-days used in Stuxnet was actually a module created for Flame.

The Fanny worm, whose main purpose was to map air-gapped networks, stands out from all the attacks performed by the Equation Group, the researchers found. The worm could understand the topology of a network that cannot be reached from the Internet and execute commands on these isolated systems. The worm used a unique USB-based command and control mechanism which allowed the attackers to pass data back and forth from air-gapped networks. The attackers could save commands in a hidden storage area on an infected USB stick, and when it was plugged into the target machine, Fanny was able to execute those commands.
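The USB dead-drop described above relies on data sitting where the operating system does not look: outside any declared partition. A defender triaging removable media from an isolated network can check for exactly that. The script below is an added example written for this article, not code from Kaspersky Lab or from the report; it assumes a plain MBR partition table (the four 16-byte entries at offset 446, LBA start and sector count at entry bytes 8 and 12) and treats any non-zero sector that no partition claims as worth a closer look. The image it scans is constructed inline so the check runs offline.

```python
"""Flag data stored outside any declared MBR partition on a removable-media image.

Added example for this article (not Kaspersky Lab code). Assumes a classic
MBR layout; GPT or damaged partition tables would need a different parser.
"""
import struct

SECTOR = 512
MBR_PART_TABLE_OFFSET = 446   # start of the four 16-byte partition entries
MBR_ENTRY_SIZE = 16


def parse_mbr_partitions(image: bytes):
    """Return [(start_byte, end_byte), ...] for every non-empty MBR partition entry."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature; not a plain MBR image")
    parts = []
    for i in range(4):
        off = MBR_PART_TABLE_OFFSET + i * MBR_ENTRY_SIZE
        entry = image[off:off + MBR_ENTRY_SIZE]
        ptype = entry[4]                                   # partition type byte
        lba_start, num_sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or num_sectors == 0:                 # unused slot
            continue
        parts.append((lba_start * SECTOR, (lba_start + num_sectors) * SECTOR))
    return parts


def find_unallocated_nonzero(image: bytes, partitions):
    """Return [(offset, length), ...] runs of non-zero sectors that lie outside
    the MBR sector and outside every declared partition."""
    covered = [(0, SECTOR)] + sorted(partitions)
    gaps, cursor = [], 0
    for start, end in covered:                             # compute the uncovered ranges
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < len(image):
        gaps.append((cursor, len(image)))

    findings = []
    for gap_start, gap_end in gaps:
        run_start = None
        for off in range(gap_start, gap_end, SECTOR):      # sector-by-sector scan
            if any(image[off:off + SECTOR]):
                if run_start is None:
                    run_start = off
            elif run_start is not None:
                findings.append((run_start, off - run_start))
                run_start = None
        if run_start is not None:
            findings.append((run_start, gap_end - run_start))
    return findings


def scan_image(image: bytes):
    """Convenience wrapper: parse the table, then report hidden non-zero runs."""
    return find_unallocated_nonzero(image, parse_mbr_partitions(image))


def build_sample_image() -> bytes:
    """Constructed 64-sector image: one 40-sector partition at LBA 2 and a
    600-byte block of data parked in the free sectors after the partition."""
    img = bytearray(64 * SECTOR)
    # status, CHS start (3), type 0x0C (FAT32 LBA), CHS end (3), LBA start, sectors
    entry = bytes([0x00, 0, 0, 0, 0x0C, 0, 0, 0]) + struct.pack("<II", 2, 40)
    img[MBR_PART_TABLE_OFFSET:MBR_PART_TABLE_OFFSET + MBR_ENTRY_SIZE] = entry
    img[510:512] = b"\x55\xaa"
    img[2 * SECTOR:2 * SECTOR + 8] = b"FAT32   "             # something inside the partition
    hidden = b"X" * 600                                      # constructed out-of-partition data
    img[50 * SECTOR:50 * SECTOR + len(hidden)] = hidden      # spans sectors 50 and 51
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for offset, length in scan_image(sample):
        print(f"non-zero data outside any partition: offset={offset} length={length}")
```

On a real stick you would pass the raw device image (for example the output of `dd`) to `scan_image`; a reported run only says that unclaimed sectors hold data, which may be leftover from a previous filesystem, so the finding is a lead for imaging and analysis rather than proof of compromise.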

Kaspersky Lab researchers were able to recover two modules which allowed the group to reprogram the hard drive firmware of more than a dozen popular hard disk drive brands, including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate. The malware has an extreme level of persistence that helps it survive disk formatting and OS reinstallation.

“It means that we are practically blind, and cannot detect hard drives that have been infected by this malware,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab. The malware could also create an invisible, persistent area hidden inside the hard drive to save exfiltrated information which can be later retrieved by the attackers. This means the attackers have the ability to capture the encryption password and save it into this hidden area, he said.

“It can resurrect itself forever,” Raiu said.
