Capabilities of “Equation Group” Surpass Anything Known in Terms of Complexity and Sophistication of Cyber Attack Techniques
CANCUN, Mexico – KASPERSKY SECURITY ANALYST SUMMIT – Before Stuxnet and Flame even made ripples on the cybersecurity radar, there was a group working on sophisticated zero-day malware and cyber-attacks. This group, which combined sophisticated and complex attack tools with classic spying techniques, have been infecting victims worldwide in practically every industry sector since 2001, according to a new report from Kaspersky Lab.
“There are solid links indicating that the Equation Group has interacted with other powerful groups, such as the Stuxnet and Flame operators—generally from a position of superiority,” Kaspersky Lab researchers said in the report released at the company’s Security Analyst Summit in Cancun, Mexico on Monday.
The Equation Group uses complicated tools which were expensive to develop to infect victims, retrieve data, and hide activity in an “outstandingly professional way,” Kaspersky Lab researchers said.
The company estimates the Equation Group has infected thousands, “even tens of thousands,” of victims, in more than 30 countries worldwide, covering government and diplomatic institutions, Telecommunications, Aerospace, Energy, Nuclear research, Oil and Gas, Military, Nanotechnology, Islamic activists and scholars, Mass media, Transportation, Financial institutions and companies developing encryption technologies.
The Equation Group is a “threat actor that surpasses anything known in terms of complexity and sophistication of techniques,” Kaspersky Lab said. Considering the company has been monitoring more than 60 advanced threat actors responsible for cyber-attacks worldwide, that’s saying a lot.
The researchers stopped shy of saying the Equation Group was part of the United States National Security Agency (NSA). But the sheer amount of explosive evidence they laid out strongly implicates the secret spy agency.
The Equation Group is known for using physical means to infect users, such as targeting participants at a scientific conference by sending them a malware-infected CD in the mail and intercepting a Cisco Systems router in the mail to implant Trojans in the firmware.
The Equation Group library includes a highly advanced keylogger called “Grok.” In March, news reports from Snowden-leaked documents referenced a NSA-developed keylogger with the same name. And finally, there are references to “STRAITACID” and “STRAITSHOOTER” in the Equation Code’s source code which seems to echo “STRAITBIZARRE,” one of the most advanced malware platforms used by the NSA’s Tailored Access Operations unit.
The Equation Group also had access to zero-days before they were used by Stuxnet and Flame, and at some point, it shared exploits with other operators. Kaspersky Lab observed seven exploits used by the Equation group in their malware, of which at last four were used as zero-days. An unknown exploit—possibly a zero-day—was used against Firefox 17, which is used in the Tor browser.
Kaspersky Lab has identified some of the Trojans used to infect victims, including EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. Fanny in 2008 used two zero-days which were later introduced into Stuxnet in June 2009 and March 2010. Kaspersky Lab had disclosed earlier that one of the zero-days used in Stuxnet was actually a module created for Flame.
The Fanny worm, whose main purpose was to map air-gapped networks, stands out from all the attacks performed by the Equation Group, the researchers found. The worm could understand the topology of a network that cannot be reached from the Internet, and to execute commands to these isolated systems. The worm used a unique USB-based command and control mechanism which allowed the attackers to pass data back and forth from air-gapped networks. The attackers could save commands in the hidden storage area on an infected USB stick, and when it was plugged into the target machine, Fanny was able to execute those commands.
Kaspersky Lab researchers were able to recover two modules which allowed the group to reprogram hard drive firmware of more than a dozen of the popular hard disk drive brands, including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate. The malware has an extreme level of persistence that helps to survive disk formatting and OS reinstallation.
“It means that we are practically blind, and cannot detect hard drives that have been infected by this malware,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab. The malware could also create an invisible, persistent area hidden inside the hard drive to save exfiltrated information which can be later retrieved by the attackers. This means the attackers have the ability to capture the encryption password and save it into this hidden area, he said.
“It can resurrect itself forever,” Raiu said.