The Equation Group shows most complex and sophisticated hacking techniques ever seen

Pierluigi Paganini February 17, 2015

Experts at Kaspersky Lab revealed that the capabilities of the Equation Group Surpass anything known in terms of sophistication of hacking techniques.

Security experts at Kaspersky revealed the existence of a hacking group operating since 2001 that targeted practically every industry with  sophisticated zero-day malware.

According to a new report from Kaspersky Lab, this group, dubbed the Equation Group, combined sophisticated and complex Tactics, Techniques, and Procedures. In the arsenal of the hacking crew there were sophisticated tools that according to the experts requested a significant effort term of development, Kaspersky sustains that the Equation Group has also interacted with operators behind Stuxnet and Flame. Based on the elements collected on the various cyber espionage campaigns over the years, the experts hypothesize that the National Security Agency (NSA) could be linked to the Equation Group.

“There are solid links indicating that the Equation Group has interacted with other powerful groups, such as the Stuxnet and Flame operators—generally from a position of superiority,” states the report released at by Kaspersky during the company’s Security Analyst Summit in Cancun, Mexico on Monday.

The researchers explained that the Equation Group is a “threat actor that surpasses anything known in terms of complexity and sophistication of techniques,”.

It is singular that the Equation Group also had access to zero-days before they were used by operators behind Stuxnet and Flame campaign, the experts at Kaspersky Lab explained that on seven exploits used by the Equation group in their malicious codes, at least four of them were used as zero-days. A malware dubbed Fanny used in 2008 exploited two zero-days which were later introduced into Stuxnet variant detected in June 2009 and March 2010.

“At least four of these were used as zero-days by the EQUATION group. In addition to these, we observed the use of unknown exploits, possibly zero-day, against Firefox 17, as used in the TOR Browser. An interesting case is the use of CVE-2013-3918, which was originally used by the APTgroup behind the 2009 Aurora attack. The EQUATION group captured their exploit and repurposed it to target government users in Afghanistan.”

According to Kaspersky team, the Equation Group has infected thousands, “even tens of thousands,” of victims worldwide, Kaspersky has collected evidence of the attacks in more than 30 countries, among the victims belong to the following categories:

  • Governments and diplomatic institutions
  • Telecommunication
  • Aerospace
  • Energy
  • Nuclear research
  • Oil and gas
  • Military
  • Nanotechnology
  • Islamic activists and scholars
  • Mass media
  • Transportation
  • Financial institutions
  • Companies developing cryptographic technologies

Equation Group Targets

The Equation Group relies also on physical attacks on its victims, according to the reports the hackers in order to infect victims have sent them a malware-infected CD in the mail and intercepted a Cisco Systems router in the mail to implant Trojans in the firmware. The attack technique is known as “interdiction” and consists in the interception shipped goods and replacement with Trojanized versions.

“The attacks that use physical media (CD-ROMs) are particularly interesting because they indicate the use of a technique known as “interdiction”, where the attackers intercept shipped goods and replace them with Trojanized versions.” continues the report.

The Equation group relies on multiple attack techniques to compromise victims’ computers, including:

  • Self-replicating (worm) code – Fanny
  • Physical media, CD-ROMs
  • USB sticks + exploits
  • Web-based exploits

The Equation Group library includes a very sophisticated keylogger called “Grok,”, a name that is not new to the experts  and that was mentioned in the documents leaked by Snowden. Also other codes mentioned in the report, “STRAITACID” and “STRAITSHOOTER”, appears quite similar to “STRAITBIZARRE,”, the advanced hacking platform used by the NSA’s Tailored Access Operations unit.

“The codename GROK appears in several documents published by Der Spiegel, where “a keylogger” is mentioned. Our analysis indicates EQUATIONGROUP’s GROK plugin is indeed a keylogger on steroids that can perform many other functions.” reads the report.

The report includes the names of some the attack tools and malware the Equation group used, including EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish.

The Fanny worm was considered one of the most interesting weapons in the hacking arsenal of the team, the malware was used by the hackers to map air-gapped networks. The worm was designed to map the topology of a targeted network and to execute commands to these isolated systems by exploiting compromised USB devices.

” For this, it used a unique USB-based command and control mechanism. When a USB stick is infected, Fanny creates a hidden storage area on the stick. If it infects a computer without an internet connection, it will collect basic system information and save it onto the hidden area of the stick. Later, when a stick containing hidden information is plugged into an internet-connected computer infected by Fanny, the data will be scooped up from the hidden area and sent to the C&C. If the attackers want to run commands on the air-gapped networks, they can save these commands in the hidden area of the USB stick. When the stick is plugged into the air-gapped computer, Fanny will recognize the commands and execute them”

Equation Group Fanny Malware

The experts at Kaspersky were able to recover two modules which allowed the group to reprogram hard drive firmware of more than a dozen of the popular hard disk drive brands, including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate. As explained by the researchers the malware was able to survive disk formatting and OS reinstallation.

“It means that we are practically blind, and cannot detect hard drives that have been infected by this malware,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.  “It can resurrect itself forever,” .

I strongly suggest you to read the report , it is amazing and full of interesting information … I will go deep to discover further links with data disclosed previously.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  The Equation Group, ATP)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment