Highly sophisticated and vile criminal Cyberterror Networks, Hardware and Software Mass Sabotage disguised as National Security.
Equation Group – TAO – NSA – APT – Highly Subversive Persistent Criminal Networks.
Type: Advanced persistent threat
Location: United States
Organization: National Security Agency (NSA), Tailored Access Operations (TAO)
„Equation Group“ is an informal name for the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Classified as an advanced persistent threat, Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and „the most advanced … we have seen“, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.
The name Equation Group was chosen because of the group’s predilection for sophisticated encryption methods in their operations. By 2015, Kaspersky documented 500 malware infections by the group in at least 42 countries, while acknowledging that the actual number could be in the tens of thousands due to its self-terminating protocol.
In 2017, WikiLeaks published a discussion held within the CIA on how it had been possible to identify the group. One commenter wrote that „the Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools“ used for hacking.
At the Kaspersky Security Analysts Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. According to Kaspersky Lab’s report, the group has been active since at least 2001, with more than 60 actors. The malware used in their operations, dubbed EquationDrug and GrayFish, is found to be capable of reprogramming hard disk drive firmware. Because of the advanced techniques involved and high degree of covertness, the group is suspected of ties to the NSA, but Kaspersky Lab has not identified the actors behind the group.
Probable links to Stuxnet and the NSA
In 2015 Kaspersky’s research findings on the Equation Group noted that its loader, „Grayfish“, had similarities to a previously discovered loader, „Gauss“, from another attack series, and separately noted that the Equation Group used two zero-day attacks later used in Stuxnet; the researchers concluded that „the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together“.
They also identified that the platform had at times been spread by interdiction (interception of legitimate CDs sent by mail by a scientific conference organizer), and that the platform had the „unprecedented“ ability to infect, and be transmitted through, the hard drive firmware of several of the major hard drive manufacturers and to create and use hidden disk areas and virtual disk systems for its purposes, a feat that demands access to each manufacturer’s source code to achieve, and that the tool was designed for surgical precision, going so far as to exclude specific countries by IP and to allow targeting of specific usernames on discussion forums.
Codewords and timestamps
The NSA codewords „STRAITACID“ and „STRAITSHOOTER“ have been found inside the malware. In addition, timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday–Friday in what would correspond to a 08:00–17:00 workday in an Eastern United States timezone.
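The workday pattern described above is derived from the compile timestamps that linkers write into executables. The following is an added example, not Kaspersky’s tooling or any code from the page: it assumes the timestamp source is the PE header’s TimeDateStamp field (seconds since the Unix epoch, UTC), converts each to Eastern time, and reports how many fall inside a Monday–Friday 08:00–17:00 window. The PE images and timestamps are constructed test data; the fixed UTC-5 fallback used when zone data is unavailable is an assumption that ignores daylight-saving time.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# America/New_York via zoneinfo when tzdata is available; otherwise a fixed
# UTC-5 offset (an assumption: it ignores daylight-saving time).
try:
    from zoneinfo import ZoneInfo
    EASTERN = ZoneInfo("America/New_York")
except Exception:
    EASTERN = timezone(timedelta(hours=-5), "EST")

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
WORK_DAYS = range(0, 5)     # Monday .. Friday
WORK_HOURS = range(8, 17)   # 08:00 .. 16:59 local time


def build_pe_stub(compile_ts: int) -> bytes:
    """Construct a minimal, non-executable PE header whose IMAGE_FILE_HEADER
    carries the given TimeDateStamp. Constructed test data, not a real sample."""
    e_lfanew = 0x80
    dos_header = bytearray(e_lfanew)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)   # e_lfanew -> PE signature
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, compile_ts, 0, 0, 0, 0)
    return bytes(dos_header) + b"PE\0\0" + coff


def pe_compile_timestamp(data: bytes) -> int:
    """Read the linker's TimeDateStamp (seconds since the Unix epoch, UTC)
    from a PE image: it sits 8 bytes past the 'PE\\0\\0' signature."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def work_pattern(timestamps, tz=EASTERN):
    """Bucket UTC compile timestamps by local weekday and hour in `tz` and
    report the share that falls inside a Mon-Fri 08:00-17:00 workday."""
    by_day, by_hour, in_window = Counter(), Counter(), 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz=timezone.utc).astimezone(tz)
        by_day[DAY_NAMES[local.weekday()]] += 1
        by_hour[local.hour] += 1
        if local.weekday() in WORK_DAYS and local.hour in WORK_HOURS:
            in_window += 1
    share = in_window / len(timestamps) if timestamps else 0.0
    return {"by_day": dict(by_day), "by_hour": dict(by_hour), "workday_share": share}


def analyze_samples(pe_images):
    """Extract a compile timestamp from each PE image and summarise the pattern."""
    return work_pattern([pe_compile_timestamp(img) for img in pe_images])


# Constructed sample set (winter dates, so the fixed-offset fallback and the
# real zone agree): five timestamps inside an Eastern workday, three outside.
SAMPLE_UTC_TIMES = [
    (2008, 2, 4, 14, 30),   # Mon 09:30 Eastern  (in window)
    (2008, 2, 5, 18, 5),    # Tue 13:05 Eastern  (in window)
    (2008, 2, 6, 21, 45),   # Wed 16:45 Eastern  (in window)
    (2008, 2, 7, 15, 0),    # Thu 10:00 Eastern  (in window)
    (2008, 2, 8, 20, 15),   # Fri 15:15 Eastern  (in window)
    (2008, 2, 9, 16, 0),    # Sat 11:00 Eastern  (weekend)
    (2008, 2, 11, 3, 0),    # Sun 22:00 Eastern  (weekend, late evening)
    (2008, 2, 12, 12, 0),   # Tue 07:00 Eastern  (before start of day)
]
SAMPLE_PE_IMAGES = [
    build_pe_stub(int(datetime(*t, tzinfo=timezone.utc).timestamp()))
    for t in SAMPLE_UTC_TIMES
]

if __name__ == "__main__":
    summary = analyze_samples(SAMPLE_PE_IMAGES)
    print("compiles per weekday:", summary["by_day"])
    print("share inside Mon-Fri 08:00-17:00 Eastern:", summary["workday_share"])
```

On real samples the analyst would read the timestamp from each file with `pe_compile_timestamp` and feed a large set to `work_pattern`; the evidence is the concentration of hours and weekdays, not any single file, since TimeDateStamp is trivially forged and some toolchains zero it or set a reproducible-build constant.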
The LNK exploit
Kaspersky’s global research and analysis team, otherwise known as GReAT, claimed to have found a piece of malware that contained Stuxnet’s „privLib“ in 2008. Specifically, it contained the LNK exploit found in Stuxnet in 2010. Fanny is classified as a worm that affects certain Windows operating systems and attempts to spread laterally via network connections or USB storage. Kaspersky stated that, because of Fanny’s recorded compile time, they suspect the Equation Group has been around longer than Stuxnet.
Link to IRATEMONK
The NSA’s listing of its Tailored Access Operations program named IRATEMONK from the NSA ANT catalog.
F-Secure claims that the Equation Group’s malicious hard drive firmware is TAO program „IRATEMONK“, one of the items from the NSA ANT catalog exposed in a 2013 Der Spiegel article. IRATEMONK provides the attacker with an ability to have their software application persistently installed on desktop and laptop computers, despite the disk being formatted, its data erased or the operating system re-installed. It infects the hard drive firmware, which in turn adds instructions to the disk’s master boot record that causes the software to install each time the computer is booted up. It is capable of infecting certain hard drives from Seagate, Maxtor, Western Digital, Samsung, IBM, Micron Technology and Toshiba.
2016 breach of the Equation Group
In August 2016, a hacking group calling itself „The Shadow Brokers“ announced that it had stolen malware code from the Equation Group. Kaspersky Lab noticed similarities between the stolen code and earlier known code from the Equation Group malware samples in its possession, including quirks unique to the Equation Group’s way of implementing the RC6 encryption algorithm, and therefore concluded that the announcement was legitimate. The most recent dates of the stolen files are from June 2013, prompting Edward Snowden to speculate that a likely lockdown resulting from his leak of the NSA’s global and domestic surveillance efforts stopped The Shadow Brokers’ breach of the Equation Group. Exploits against Cisco Adaptive Security Appliances and Fortinet’s firewalls were featured in some malware samples released by The Shadow Brokers. EXTRABACON, a Simple Network Management Protocol exploit against Cisco’s ASA software, was a zero-day exploit at the time of the announcement. Juniper also confirmed that its NetScreen firewalls were affected. The EternalBlue exploit was used to conduct the damaging worldwide WannaCry ransomware attack.