Think of the GrayFish malware as being something like Ebola for computers. Like Ebola, this malware only spreads through direct contact, it can infect its victim in a variety of ways and it may be impossible to cure—at least before it has done irreparable damage.
This malware, which is just coming to light through research at Kaspersky Lab, is created and fielded by a shadowy team of hackers that Kaspersky calls the Equation Group. Kaspersky chose the name because of the group's heavy use of encryption algorithms and obfuscation in its tools.
Kaspersky says that the most recent version of the malware from this group, called GrayFish, targets computers in a specific list of countries, including China and Russia. As was the case with Stuxnet, one of the ways this malware is distributed is through infected USB memory sticks.
And like Stuxnet, the USB vector works by tempting users in the targeted population to insert the memory stick into a port on a computer, at which point the malware installs itself and can spread further.
There’s been a great deal of speculation about the origin of GrayFish, including that it is being spread by the National Security Agency. Considering the level of complexity and sophistication as well as the list of probable targets, this may be the case. However, Kaspersky is making no such claims, and, in fact, is going out of its way to say that its researchers are making no such connection.
“We are not able to confirm the conclusions that journalists came up with in regards to attribution,” a spokesperson for the company told eWEEK in an email. “Kaspersky Lab experts worked on the technical analysis of the group’s malware, and we don’t have hard proof to attribute the Equation Group or speak of its origin,” the email stated.
“With threat actor groups as skilled as the Equation team, mistakes are rare,” the Kaspersky spokesman noted, “and making attribution is extremely difficult. However we do see a close connection between the Equation, Stuxnet and Flame groups.”
However, the Kaspersky spokesperson did discuss the sophistication of the cyber-threat with eWEEK. “The group is unique almost in every aspect of their activities: they use tools that are very complicated and expensive to develop in order to infect victims, retrieve data and hide activity in an outstandingly professional way, and utilize classic spying techniques to deliver malicious payloads to the victims,” the spokesman wrote.
So the chances that the Equation Group is state-sponsored are very high, if only because the cost and difficulty of developing such a malware tool is beyond the means of anybody without access to the resources of a nation state. In addition, the target list seems to focus on computers, especially servers, that belong to government entities. But this does not mean it’s the NSA that’s doing this.
Equation Group Spyware Poses Threats Far Beyond Its Original Purpose
With all of that in mind, you’re probably wondering how much of a threat the Equation Group and its GrayFish malware are to your company. The answer is, not as much as you might think. Chances are very good that you’re not in its target list.
In addition, GrayFish is not necessarily impossible to eliminate. While it's true that this malware can include a module that reprograms the firmware of hard drives from a number of major manufacturers, until that happens GrayFish lives in the operating system and on disk like any other malware and is, in principle, just as visible to host-based tools. A properly designed anti-malware package can therefore intercept it and prevent execution, as long as that happens before the drive's firmware has been rewritten.
Unfortunately, once the malware has installed itself into the firmware of a hard drive it may be impossible to detect or remove from the host: the implant survives formatting the drive and reinstalling the operating system, and nothing running on the host can inspect the drive controller's firmware to confirm it is clean. It's not clear what would happen if you decided to reflash the drive with the vendor's firmware. However, most recommendations I've seen say that the only possible solution is to destroy the drive.
All of this means that in a worst-case scenario you are left deciding whether to destroy storage that you think might harbor a GrayFish module. Since you can't actually tell whether it's there, you have to guess.
Fortunately, there are other actions you can take.
The most obvious action is to train your employees never to plug a device of unknown origin into a computer. While you're at it, disable the USB ports that aren't being used for anything, or restrict them to known devices, and make sure that you have a good, updated anti-malware product running on all of your critical systems all of the time. This should give you a fighting chance.
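One way to put the "disable unused USB ports" advice into practice on Linux hosts, as an added example that is not from the eWEEK article, Kaspersky or the Equation Group research: refuse to load the USB mass-storage drivers at all, and set every USB host controller to leave newly attached devices unauthorized unless their vendor:product ID is on an explicit allowlist. The vendor:product IDs, file names and the `usb_lockdown_*` function names are this example's own choices; substitute IDs from `lsusb` on your own hardware. (The Windows equivalents are the USBSTOR service start type and the Removable Storage Access group policy, not shown here.)

```shell
#!/bin/sh
# Added example: USB lockdown for a Linux host (not code from the article or Kaspersky).
# Layer 1 (modprobe): usb-storage/uas never load, so even an authorized stick gets no
#                     block device.
# Layer 2 (udev):     host controllers get authorized_default=0, so a new device gets no
#                     driver bound until a rule explicitly authorizes it; only allowlisted
#                     vendor:product pairs (4+4 lowercase hex, as sysfs reports them) are.
# The first argument is the filesystem root to write into: pass a scratch directory to
# review the generated files, or / to deploy (as root).
set -eu

usb_lockdown_write() {
  root="$1"
  shift
  mkdir -p "$root/etc/modprobe.d" "$root/etc/udev/rules.d"

  cat > "$root/etc/modprobe.d/99-no-usb-storage.conf" <<'EOF'
# Refuse to load USB mass-storage drivers, even on an explicit modprobe.
install usb-storage /bin/false
install uas /bin/false
EOF

  rules="$root/etc/udev/rules.d/99-usb-allowlist.rules"
  {
    echo '# Root hubs (the only USB devices with authorized_default): deny new children by default.'
    echo 'ACTION=="add", SUBSYSTEM=="usb", ATTR{authorized_default}=="*", ATTR{authorized_default}="0"'
    echo '# Allowlist: hubs and input devices you rely on. Everything else stays unauthorized.'
    for pair in "$@"; do
      # Reject malformed entries instead of silently writing a rule that matches nothing.
      case "$pair" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) echo "bad vendor:product id (want 4+4 lowercase hex): $pair" >&2; return 1 ;;
      esac
      vid="${pair%%:*}"
      pid="${pair##*:}"
      echo "ACTION==\"add\", SUBSYSTEM==\"usb\", ATTR{idVendor}==\"$vid\", ATTR{idProduct}==\"$pid\", ATTR{authorized}=\"1\""
    done
  } > "$rules"
}

usb_lockdown_apply_now() {
  # Immediate effect on the running system (needs root). Devices that are already plugged
  # in keep their drivers until they are unplugged; anything attached from now on must be
  # on the allowlist to get a driver.
  for ctl in /sys/bus/usb/devices/usb*/authorized_default; do
    echo 0 > "$ctl"
  done
  udevadm control --reload
}

# Usage:  sh usb-lockdown.sh write / 046d:c52b 8087:0024   (example IDs; take yours from lsusb)
#         sh usb-lockdown.sh apply
case "${1:-}" in
  write) shift; usb_lockdown_write "$@" ;;
  apply) usb_lockdown_apply_now ;;
esac
```

Two caveats a practitioner should keep in mind. Any hub sitting between the port and your keyboard must be on the allowlist too, or the keyboard stays dead; generate the files into a scratch directory, check them, and keep console access when you first apply this to a remote machine. And a vendor:product allowlist only raises the bar: a malicious device can present the ID of an allowlisted keyboard, which is why the usb-storage blacklist is kept as an independent layer rather than relying on the allowlist alone.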
But it may be that the most serious problem from the Equation Group and GrayFish is yet to come. Now that the existence of this type of malware has become known, it also becomes more likely that criminal malware writers will use the techniques the Equation Group developed to produce more advanced malware.
While those criminal groups can't normally afford to develop such things as firmware-resident malware, once they know it's possible, they have something to aim for. In addition, if copies of this malware turn up in the wild, it may be possible to repurpose the code, especially once other nation-state hacking teams, with all their resources, get hold of it.
Considering how competitive cyber criminals have become recently, there’s certainly plenty of motivation to use something that could become undetectable and impossible to remove.
Ultimately, even though GrayFish and the Equation Group probably aren't after your money or information, the presence of their malware has made the Internet and the computing world a much more dangerous place.