Equation Group Spyware Poses Threats Far Beyond Its Original Purpose

NEWS ANALYSIS: New malware strain is probably related to Stuxnet, but with scarier new features that may make it nearly impossible to remove if not caught in time.


Think of the GrayFish malware as being something like Ebola for computers. Like Ebola, this malware only spreads through direct contact, it can infect its victim in a variety of ways and it may be impossible to cure—at least before it has done irreparable damage.

This malware, which is just coming to light through research at Kaspersky Lab, is created and fielded by a shadowy team of hackers, which Kaspersky calls the Equation Group. It got the name because of the highly sophisticated algorithms it uses.

Kaspersky says that the most recent version of the malware from this group, called GrayFish, targets computers in a specific list of countries, including China and Russia. As was the case with Stuxnet, this malware is distributed only through infected USB memory sticks.

And like Stuxnet, the USB vector works by tempting users in the targeted population to insert the infected memory sticks into a port on a computer, which spreads the malware infection.

There's been a great deal of speculation about the origin of GrayFish, including that it is being spread by the National Security Agency. Considering the level of complexity and sophistication as well as the list of probable targets, this may be the case. However, Kaspersky is making no such claims, and, in fact, is going out of its way to say that its researchers are making no such connection.

"We are not able to confirm the conclusions that journalists came up with in regards to attribution," a spokesperson for the company told eWEEK in an email. "Kaspersky Lab experts worked on the technical analysis of the group's malware, and we don't have hard proof to attribute the Equation Group or speak of its origin," the email stated.

"With threat actor groups as skilled as the Equation team, mistakes are rare," the Kaspersky spokesman noted, "and making attribution is extremely difficult. However, we do see a close connection between the Equation, Stuxnet and Flame groups."

However, the Kaspersky spokesperson did discuss the sophistication of the cyber-threat with eWEEK. "The group is unique almost in every aspect of their activities: they use tools that are very complicated and expensive to develop in order to infect victims, retrieve data and hide activity in an outstandingly professional way, and utilize classic spying techniques to deliver malicious payloads to the victims," the spokesman wrote.

So the chances that the Equation Group is state-sponsored are very high, if only because the cost and difficulty of developing such a malware tool is beyond the means of anybody without access to the resources of a nation state. In addition, the target list seems to focus on computers, especially servers, that belong to government entities. But this does not mean it's the NSA that's doing this.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He's a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...