'Equation' Cyber-Espionage Group Likely Tied to NSA, Kaspersky Says

The cyber-spies compromised thousands of computers with sophisticated malware, including code that modifies the firmware of many hard disk drive makes and models.

Equation Cyber-Spies B

An espionage group has infected thousands—and possibly tens of thousands—of targets globally using sophisticated malware that has telltale links to code previously attributed to operations carried out by the National Security Agency, according to a Feb. 16 report by Kaspersky Lab.

Dubbed “Equation” by Kaspersky researchers, the group has operated for at least 15 years, targeting governments and a variety of critical industries, including oil and gas, military contractors, telecommunications and nuclear research. The surveillance effort has also focused on cryptographers and Islamic scholars, Kaspersky researchers said.

In total, the company observed more than 500 infections, but estimates that there could easily be more than 10,000 systems compromised over the last 15 years or so.

“A lot of infections have been observed on servers, often domain controllers, data warehouses, website hosting and other types of servers,” the researchers stated in their report. “At the same time, the infections have a self-destruct mechanism, so we can assume there were probably tens of thousands of infections around the world throughout the history of the Equation group’s operations.”

The malware is the latest espionage network apparently linked to a nation-state. Previous research by Symantec, Kaspersky and other security firms unveiled details of another sophisticated operation known as Regin, with links to both British and American intelligence agencies. Two years ago, Kaspersky also revealed technical details of a large espionage network that appeared to have Russian and Chinese origins.

The Equation group appears to have technical connections to Stuxnet. Both use a program, called “Fanny,” to infect USB drives and use the popular memory sticks as a way to communicate and spread infection. In addition, some keywords in the program match codenames of NSA programs leaked by former contractor Edward Snowden.

Kaspersky named the group “Equation” for its penchant for complex encryption algorithms and obfuscation. The group targeted more than 30 countries, with a focus on Iran, Russia, Pakistan, Afghanistan, India and China.

The Equation group used a number of modules to reconnoiter and infect systems. DoubleFantasy is a module or “implant” that establishes a backdoor inside the system, validating that the compromised machine is interesting to the attackers. It then installs additional software, such as EquationDrug or GrayFish.

EquationDrug gives the attackers full control over the compromised system, using 35 different plugins. Because EquationDrug is not a signed binary, it will be detected on many modern operating systems and the Equation group apparently ceased using it in 2013, according to Kaspersky Lab. In its place, another implant platform, known as GrayFish, had been installed.

GrayFish is a “highly sophisticated” set of programs, which hijacks the loading of the operating system, uses encrypted modules and self- destructs if an error occurs. The GrayFish malware platform includes a module that can rewrite the firmware of the hard drive, giving the program complete control of the computer soon after the machine is turned on, Kaspersky researchers said. Information about the NSA implant's capability to rewrite firmware, known under the codename “IrateMonk,” was leaked in the Snowden documents.

“From all indications this is very advanced malware that can infect hard drive firmware,” Lamar Bailey, director of security R&D at security firm Tripwire, said in a statement. “Infected firmware from the factory or persuading users to upgrade to an infected firmware is not uncommon but infecting firmware silently in place is much more dangerous.”

While all the malware detected by Kaspersky Lab focused on the Windows operating system, there are signs that some versions of the DoubleFantasy payload infected Mac OS X 10.8, while other software infected iPhones.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...