WikiLeaks’ “Vault 7” release appears to confirm that the U.S. National Security Agency (NSA) was behind the threat actor tracked as the “Equation Group.” Documents also show that the Central Intelligence Agency (CIA) learned from the NSA’s mistakes after its activities were exposed by security researchers.
Files allegedly obtained from a high-security CIA network provide details on the intelligence agency’s vast hacking capabilities. One of the files made available by WikiLeaks contains a discussion thread titled “What did Equation do wrong, and how can we avoid doing the same?”
The operations of the Equation Group and its links to the NSA were detailed by Kaspersky Lab in February 2015, and the discussion made public by WikiLeaks was initiated a few days later.
Participants in the discussion pointed out that one of the NSA’s biggest mistakes was that its tools shared code, including custom cryptography, giving researchers the data needed to connect different malware to the same group.
“The ‘custom’ crypto is more of NSA falling to its own internal policies/standards which came about in response to prior problems,” one user wrote.
In addition to using the same custom cryptographic algorithm, the CIA identified several other mistakes made by the NSA, including the reuse of exploits, use of internal tool names in the code, and the use of a unique mutex.
“All their tools shared code. The custom RC5 was everywhere. The techniques for positive ID (hashing) was used in the same way in multiple tools across generations,” another user said.
“The shared code appears to be the largest single factor is allowing [Kaspersky Lab] to tie all these tools together. The acquisition and use of C&C domains was probably number 2 on the list, and I’m sure the [Computer Operations Group] infrastructure people are paying attention to this.”
The Vault 7 files show that in addition to learning from the NSA’s mistakes, the CIA “borrowed” techniques from in-the-wild malware and tools, including Shamoon, UpClicker and the Nuclear exploit kit.
Security firms have started assessing the impact of the exposed hacking capabilities. WikiLeaks has not released any exploits, which makes it difficult to determine exactly what the CIA programs are capable of. However, at first sight, the intelligence agency’s tools don’t appear to be very sophisticated.
Related: “Shadow Brokers” Claim Hack of NSA-Linked Equation Group
Related: Over 840,000 Cisco Devices Affected by NSA-Linked Flaw
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
- FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
