Vulnerabilities / Threats // Advanced Threats
2/16/2015
07:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet

The so-called Equation Group epitomizes the goal of persistence in cyber spying--reprogramming hard drives and hacking other targets such as air-gapped computers--and points to possible US connection.

KASPERSKY SECURITY ANALYST SUMMIT -- Cancun, Mexico -- Move over Stuxnet, Flame, and Regin: a newly uncovered cyber espionage operation that predates and rivals Stuxnet has been underway since at least 2001, armed with advanced tools and techniques that include hacking air-gapped computers and a first -- silently reprogramming victims' hard drives, such that malware can't be detected or erased.

Researchers from Kaspersky Lab here, today, gave details of the so-called Equation Group, a hacking operation that they describe as the most sophisticated attack group they have seen thus far of the approximately 60 such groups they currently track. The Equation Group also has ties to Stuxnet and Flame, but outranks those attacks, having deployed in 2008 two of the zero-day exploits that were later used by Stuxnet. That suggests the Equation Group provided those exploits to the Stuxnet gang and is the "masters" over them, according to Kaspersky Lab.

The Equation Group has hit tens of thousands of highly targeted victims in more than 30 countries, with Iran, Russia, and Pakistan the most infected. Other nations with victims include Syria, Afghanistan, Kazakhstan, Belgium, Somalia, Hong Kong, Libya, United Arab Emirates, Iraq, Nigeria, Ecuador, Mexico, Malaysia, Sudan, the US, Lebanon, Palestine, France, Germany, Singapore, Qatar, Pakistan, Yemen, Mali, Switzerland, Bangladesh, South Africa, Philippines, United Kingdom, India, and Brazil. The targets are in government and diplomacy, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, mass media, transportation, financial institutions, cryptographic development, as well as Islamic activists and scholars based in the US and UK.

Kaspersky estimates that the attack group was infecting some 2,000 individuals per month. But what's most unnerving is that Equation Group has basically gone dark since 2014, indicating that they've taken an even stealthier tack. All of their command-and-control servers were moved to the US in 2014, according to Raiu, who says his team has found about 300 of their servers worldwide. "For sure they have registered some new servers in 2014, so they are still active. But we haven't seen any new [malware] samples compiled … they are either now untraceable or randomly changing all of the timestamps," says Costin Raiu, head of Kaspersky's global research and analysis team. The malware targets Windows systems.

"But in operations, there was nothing new in 2014. It's super-scary," he says.

Despite the elephant-in-the-room question of whether the Equation Group is the US National Security Agency, Kaspersky researchers say they can't identify who's behind the campaign. Even so, a couple of months after Edward Snowden leaked the trove of NSA documents, the Equation Group replaced one of its malware variants with a more sophisticated one, called Grayfish. "They shut down some old stuff and the new Grayfish" came, Raiu says.  "I don't know if that's related or not."

The level of funding and sophistication required to craft the bevy of tools used by the Equation Group, plus English-language usage in the code, and other clues, such as the targeted (and non-targeted) regions, appear to point to a possible US connection. "We have not found any exact match of these code names .. with [the information leaked by] Snowden, so we cannot tell you it matches an NSA profile," says Vitaly Kamluk, director of the EEMA Research center at Kaspersky Lab.

An NSA spokesperson declined to comment on the findings, according to multiple published media reports.

"This malware is extremely sophisticated. It's way more complex than anything we've seen. It's most likely a nation-state because there doesn't seem to be any connection with cybercrime," he says.

Hard Drive Hacks

Among the hacking group's more unique and complex capabilities that Kaspersky has identified are two modules that can reprogram more than a dozen different hard drive brands, including big names like Maxtor, Seagate, Hitachi, and Toshiba, basically rewriting the hard drive's operating system. This trick puts the "p" in APT (advanced persistent threat), by allowing the malware to go undetected by antivirus and to remain alive even if the drive is reformatted or the operating system gets reinstalled. The technique -- powered by the Grayfish malware module -- also could resist deletion of a specific disk sector, or provide the attackers with the ability to swap a sector with a malware-ridden one.

The attackers also could use the infected drive to store stolen information until they siphon it to their own systems.

"This is what makes this group gods among APT actors. We have never seen anything close to this," Kamluk says. Knowing how to reprogram a hard drive would entail gathering intelligence from each vendor, which is no simple feat, he says. "Then it would take a very skilled programmer many months or years to master this."

"[This] shows us a level of sophistication that we haven't seen before, or maybe a few times in the past with Flame and Stuxnet," for example, says Jaime Blasco, head of AlienVault's security research team. "Whoever is behind this has access to a huge amount of financial and research resources, including access to sigint/humint capabilities that they clearly use in combination with the" tools, he days.

Blasco says the module that infects the hard drive firmware is "state of the art."

Then there's the module the Equation Group named "Fanny" that allows them into air-gapped computers, or systems that are not connected to a network. Kaspersky researchers first noticed this module after uncovering a case where a scientist attending a scientific and aerospace industry conference in Houston had been mailed a CD-ROM from the conference proceedings -- but it had obviously been intercepted and rigged with Fanny malware, ultimately infecting his hard drive.

Fanny also comes via USB sticks, where someone physically inserts them into the air-gapped machine to infect them. Kaspersky found a privilege escalation exploit that was used in Stuxnet being used by the Fanny worm.

The worm basically is aimed at gathering intelligence about the network topology of the air-gapped environment and to then send commands to those systems. The USB stick itself stores commands from the malware in a hidden area of the device.

Raiu says the Equation Group is likely the only such attack group at this high level. And Kaspersky Lab's findings about them likely only scratches the surface of what they can do. "We haven't seen Mac or iPhone malware [from them], but we know it exists," for example, he says. "We're sure there's some Linux malware, too … and probably a lot of other stuff we have not found yet."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
2/19/2015 | 4:24:32 PM
Re: Newly Discovered Master Cyber Espionage Group . . .
It's definitely not tough to guess who's behind it, but Kaspersky's not gonna say it out loud publicly.
kill -9
100%
0%
kill -9,
User Rank: Apprentice
2/18/2015 | 10:59:36 PM
Newly Discovered Master Cyber Espionage Group . . .
If one has been following the APT drama over the past several years and if one has read what Kaspersky has made available on the interwebs, it's all but impossible to ignore the trail of breadcrumbs that lead to 39°6′32″N 76°46′17″W. Even eWeek sussed it out . . .
BertrandW414
50%
50%
BertrandW414,
User Rank: Strategist
2/17/2015 | 5:09:13 PM
Equation Group's Apparent Allegiance
Given that this Equation group is astonishingly effective, aren't you a bit relieved that they are most likely run by an agency in the U.S. goverment and not run by China or Russia?! To borrow from something LBJ once said about J. Edgar Hoover (and to clean it up a bit), it is better that they are in the tent shooting out, rather than outside shooting in.
anon2023887558
100%
0%
anon2023887558,
User Rank: Apprentice
2/17/2015 | 11:53:15 AM
Re: Not that hard after all.
Yup, I remember debugging the old WD controller cards manually and it wouldn't take years to master anything about it, especially if you had the source code and didn't have to decompile anything.

Noobs,  Sheesh!
SgS125
100%
0%
SgS125,
User Rank: Ninja
2/17/2015 | 11:14:00 AM
Not that hard after all.
"This is what makes this group gods among APT actors. We have never seen anything close to this," Kamluk says. Knowing how to reprogram a hard drive would entail gathering intelligence from each vendor, which is no simple feat, he says. "Then it would take a very skilled programmer many months or years to master this."

 

Please..... Anyone who has programmed back in the 80's knows this is not true.

We used to have to write routines direct for hardware.

It's not that hard.
GonzSTL
100%
0%
GonzSTL,
User Rank: Ninja
2/17/2015 | 11:12:32 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
Sure thing. It's quite remarkable to be linked from (ISC)², an industry and world renowned institution for IT Security.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/17/2015 | 11:09:01 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
I don't think I picked up on that. So many thanks for sharing!
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/17/2015 | 11:05:49 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
@Marilyn: I'm sure you are aware of this, but for the benefit of the readers, (ISC)² has a link to that series, and other Dark Reading articles in their "Latest Industry News" section.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/17/2015 | 10:32:25 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
Your comments are always worth reading, @Gonz. Glad you are enjoying the series. It does add a lot of contest to the headlines... 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/17/2015 | 10:29:36 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
@Marilyn: Yes they have, and it really isn't a surprise! I have been following that series. They are quite interesting and thought provoking, and I've even commented a few times, for whatever that's worth.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.