Equation Group

Last updated
Equation Group
Type Advanced persistent threat
Location
Products Stuxnet, Flame, EternalBlue
Parent organization

The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). [1] [2] [3] Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced (...) we have seen", operating alongside the creators of Stuxnet and Flame. [4] [5] Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali. [5]

Contents

The name originated from the group's extensive use of encryption. By 2015, Kaspersky documented 500 malware infections by the group in at least 42 countries, while acknowledging that the actual number could be in the tens of thousands due to its self-terminating protocol. [5] [6]

In 2017, WikiLeaks published a discussion held within the CIA on how it had been possible to identify the group. [7] One commenter wrote that "the Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools" used for hacking. [8]

Discovery

At the Kaspersky Security Analysts Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. According to Kaspersky Lab's report, the group has been active since at least 2001, with more than 60 actors. [9] The malware used in their operations, dubbed EquationDrug and GrayFish, is found to be capable of reprogramming hard disk drive firmware. [4] Because of the advanced techniques involved and high degree of covertness, the group is suspected of ties to the NSA, but Kaspersky Lab has not identified the actors behind the group.

In 2015 Kaspersky's research findings on the Equation Group noted that its loader, "GrayFish", had similarities to a previously discovered loader, "Gauss", [repository] from another attack series, and separately noted that the Equation Group used two zero-day attacks later used in Stuxnet; the researchers concluded that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together". [10] :13

Firmware

They also identified that the platform had at times been spread by interdiction (interception of legitimate CDs sent by a scientific conference organizer by mail), [10] :15 and that the platform had the "unprecedented" ability to infect and be transmitted through the hard drive firmware of several major hard drive manufacturers, and create and use hidden disk areas and virtual disk systems for its purposes, a feat which would require access to the manufacturer's source code to achieve, [10] :16–18 and that the tool was designed for surgical precision, going so far as to exclude specific countries by IP and allow targeting of specific usernames on discussion forums. [10] :23–26

Codewords and timestamps

The NSA codewords "STRAITACID" and "STRAITSHOOTER" have been found inside the malware. In addition, timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday–Friday in what would correspond to a 08:00–17:00 (8:00 AM - 5:00 PM) workday in an Eastern United States time zone. [11]

The LNK exploit

Kaspersky's global research and analysis team, otherwise known as GReAT, claimed to have found a piece of malware that contained Stuxnet's "privLib" in 2008. [12] Specifically it contained the LNK exploit found in Stuxnet in 2010. Fanny is classified as a worm that affects certain Windows operating systems and attempts to spread laterally via network connection or USB storage. [repository] Kaspersky stated that they suspect that the Equation Group has been around longer than Stuxnet, based on the recorded compile time of Fanny. [4]

The NSA's listing of its Tailored Access Operations program named IRATEMONK from the NSA ANT catalog. NSA IRATEMONK.jpg
The NSA's listing of its Tailored Access Operations program named IRATEMONK from the NSA ANT catalog.

F-Secure claims that the Equation Group's malicious hard drive firmware is TAO program "IRATEMONK", [13] one of the items from the NSA ANT catalog exposed in a 2013 Der Spiegel article. IRATEMONK provides the attacker with an ability to have their software application persistently installed on desktop and laptop computers, despite the disk being formatted, its data erased or the operating system re-installed. It infects the hard drive firmware, which in turn adds instructions to the disk's master boot record that causes the software to install each time the computer is booted up. [14] It is capable of infecting certain hard drives from Seagate, Maxtor, Western Digital, Samsung, [14] IBM, Micron Technology and Toshiba. [4]

2016 breach of the Equation Group

In August 2016, a hacking group calling itself "The Shadow Brokers" announced that it had stolen malware code from the Equation Group. [15] Kaspersky Lab noticed similarities between the stolen code and earlier known code from the Equation Group malware samples it had in its possession including quirks unique to the Equation Group's way of implementing the RC6 encryption algorithm, and therefore concluded that this announcement is legitimate. [16] The most recent dates of the stolen files are from June 2013, thus prompting Edward Snowden to speculate that a likely lockdown resulting from his leak of the NSA's global and domestic surveillance efforts stopped The Shadow Brokers' breach of the Equation Group. Exploits against Cisco Adaptive Security Appliances and Fortinet's firewalls were featured in some malware samples released by The Shadow Brokers. [17] EXTRABACON, a Simple Network Management Protocol exploit against Cisco's ASA software, was a zero-day exploit as of the time of the announcement. [17] Juniper also confirmed that its NetScreen firewalls were affected. [18] The EternalBlue exploit was used to conduct the damaging worldwide WannaCry ransomware attack.

See also

Related Research Articles

<span class="mw-page-title-main">Firmware</span> Low-level computer software

In computing, firmware is a specific class of computer software that provides the low-level control for a device's specific hardware. Firmware, such as the BIOS of a personal computer, may contain basic functions of a device, and may provide hardware abstraction services to higher-level software such as operating systems. For less complex devices, firmware may act as the device's complete operating system, performing all control, monitoring and data manipulation functions. Typical examples of devices containing firmware are embedded systems, home and personal-use appliances, computers, and computer peripherals.

A zero-day is a vulnerability or security hole in a computer system unknown to its owners, developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky, and Alexey De-Monderik; Eugene Kaspersky is currently the CEO. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, multiple independent news organizations recognize Stuxnet to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency.

Duqu is a collection of computer malware discovered on 1 September 2011, thought by Kaspersky Labs to be related to the Stuxnet worm and to have been created by Unit 8200. Duqu has exploited Microsoft Windows's zero-day vulnerability. The Laboratory of Cryptography and System Security of the Budapest University of Technology and Economics in Hungary discovered the threat, analysed the malware, and wrote a 60-page report naming the threat Duqu. Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.

Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is used for targeted cyber espionage in Middle Eastern countries.

In computer security, a wiper is a class of malware intended to erase the hard drive or other static memory of the computer it infects, maliciously deleting data and programs.

Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.

Operation Red October or Red October was a cyberespionage malware program discovered in October 2012 and uncovered in January 2013 by Russian firm Kaspersky Lab. The malware was reportedly operating worldwide for up to five years prior to discovery, transmitting information ranging from diplomatic secrets to personal information, including from mobile devices. The primary vectors used to install the malware were emails containing attached documents that exploited vulnerabilities in Microsoft Word and Excel. Later, a webpage was found that exploited a known vulnerability in the Java browser plugin. Red October was termed an advanced cyberespionage campaign intended to target diplomatic, governmental and scientific research organizations worldwide.

Regin is a sophisticated malware and hacking toolkit used by United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.

Duqu 2.0 is a version of malware reported in 2015 to have infected computers in hotels of Austria and Switzerland that were sites of the international negotiations with Iran over its nuclear program and economic sanctions. The malware, which infected Kaspersky Lab for months without their knowledge, is believed to be the work of Unit 8200. The New York Times alleges this breach of Kaspersky in 2014 is what allowed Israel to notify the US of Russian hackers using Kaspersky software to retrieve sensitive data.

The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools, including several zero-day exploits, from the "Equation Group" who are widely suspected to be a branch of the National Security Agency (NSA) of the United States. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.

EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability.

<span class="mw-page-title-main">Petya (malware family)</span> Family of encrypting ransomware discovered in 2016

Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.

VPNFilter is malware designed to infect routers and certain network attached storage devices. As of 24 May 2018, it is estimated to have infected approximately 500,000 routers worldwide, though the number of at-risk devices is larger. It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist should the user reboot the router. The FBI believes that it was created by the Russian Fancy Bear group. In February 2022, the CISA announced that a new malware called Cyclops Blink produced by Sandworm had replaced VPNFilter.

<span class="mw-page-title-main">Ang Cui</span> American computer scientist

Ang Cui is an American cybersecurity researcher and entrepreneur. He is the founder and CEO of Red Balloon Security in New York City, a cybersecurity firm that develops new technologies to defend embedded systems against exploitation.

Titanium is a very advanced backdoor malware APT, developed by PLATINUM, a cybercrime collective. The malware was uncovered by Kaspersky Lab and reported on 8 November 2019. According to Global Security Mag, "Titanium APT includes a complex sequence of dropping, downloading and installing stages, with deployment of a Trojan-backdoor at the final stage." Much of the sequence is hidden from detection in a sophisticated manner, including hiding data steganographically in a PNG image. In their announcement report, Kaspersky Lab concluded: "The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software. Regarding campaign activity, we have not detected any current activity [as of 8 November 2019] related to the Titanium APT."

Project Sauron, also named Remsec is a computer malware discovered in 2016. It has been spying computers at government and organizations for five years. It can steal encryption keys, collect information from air-gapped computers, and record someone’s keystrokes without being detected.

References

  1. Fox-Brewster, Thomas (February 16, 2015). "Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'". Forbes . Retrieved November 24, 2015.
  2. Menn, Joseph (February 17, 2015). "Russian researchers expose breakthrough U.S. spying program". Reuters . Retrieved November 24, 2015.
  3. "The nsa was hacked snowden documents confirm". The Intercept . 19 August 2016. Retrieved 19 August 2016.
  4. 1 2 3 4 GReAT (February 16, 2015). "Equation: The Death Star of Malware Galaxy". Securelist.com. Kaspersky Lab . Retrieved August 16, 2016. SecureList, Costin Raiu (director of Kaspersky Lab's global research and analysis team): "It seems to me Equation Group are the ones with the coolest toys. Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame."
  5. 1 2 3 Goodin, Dan (February 16, 2015). "How "omnipotent" hackers tied to NSA hid for 14 years—and were found at last". Ars Technica . Retrieved November 24, 2015.
  6. Kirk, Jeremy (17 February 2015). "Destroying your hard drive is the only way to stop this super-advanced malware". PCWorld . Retrieved November 24, 2015.
  7. Goodin, Dan (7 March 2017). "After NSA hacking exposé, CIA staffers asked where Equation Group went wrong". Ars Technica . Retrieved 21 March 2017.
  8. "What did Equation do wrong, and how can we avoid doing the same?". Vault 7. WikiLeaks . Retrieved 21 March 2017.
  9. "Equation Group: The Crown Creator of Cyber-Espionage". Kaspersky Lab. February 16, 2015. Retrieved November 24, 2015.
  10. 1 2 3 4 "Equation Group: Questions and Answers (Version: 1.5)" (PDF). Kaspersky Lab. February 2015. Archived from the original (PDF) on February 17, 2015. Retrieved November 24, 2015.
  11. Goodin, Dan (March 11, 2015). "New smoking gun further ties NSA to omnipotent "Equation Group" hackers". Ars Technica. Retrieved November 24, 2015.
  12. "A Fanny Equation: "I am your father, Stuxnet"". Kaspersky Lab. February 17, 2015. Retrieved November 24, 2015.
  13. "The Equation Group Equals NSA / IRATEMONK". F-Secure Weblog : News from the Lab. February 17, 2015. Retrieved November 24, 2015.
  14. 1 2 Schneier, Bruce (January 31, 2014). "IRATEMONK: NSA Exploit of the Day". Schneier on Security. Retrieved November 24, 2015.
  15. Goodin, Dan (August 15, 2016). "Group claims to hack NSA-tied hackers, posts exploits as proof". Ars Technica. Retrieved August 19, 2016.
  16. Goodin, Dan (August 16, 2016). "Confirmed: hacking tool leak came from "omnipotent" NSA-tied group". Ars Technica. Retrieved August 19, 2016.
  17. 1 2 Thomson, Iain (August 17, 2016). "Cisco confirms two of the Shadow Brokers' 'NSA' vulns are real". The Register . Retrieved August 19, 2016.
  18. Pauli, Darren (August 24, 2016). "Equation Group exploit hits newer Cisco ASA, Juniper Netscreen". The Register . Retrieved August 30, 2016.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.