Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

3/11/2015
01:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Equation Group Cyberspying Activity May Date Back To The '90s

New Kaspersky Lab findings show how the 'master APT' nation-state group likely the longest-running cyber espionage gang of all, and newly discovered code artifacts include English-language clues.

The unprecedented cyber espionage operation conducted by the so-called Equation Group launched attacks mainly from a complex software platform that looks a lot like a mini operating system with carefully constructed components and plug-ins, researchers say.

Kaspersky Lab--which last month disclosed its findings on the highly advanced and well-funded nation-state actor--today published new details of the so-called EquationDrug software platform used by the group over the past 10 years. The research indicates that the Equation Group could have been active as far back as the 1990s, making it the longest-running cyber espionage group of all, according to Kaspersky Lab.

Igor Soumenkov, principal security researcher at Kaspersky Lab, says information on the timing of when the Equation Group registered command-and-control servers predate EquationDrug, and thus point to activity in the '90s. "There were also previous platforms like EquationLaser, which we didn't write much about. EquationLaser was before EquationDrug," its replacement, he says.

Researchers at Kaspersky Lab said last month that the Equation Group, which has ties to Stuxnet but predates it, were likely the "masters" over the Stuxnet attacks and provided exploits to the attackers who unleashed malware to sabotage centrifuges used for uranium enrichment at Iran's Natanz facility. While signs appear to point to the National Security Agency, Kaspersky Lab has stopped short of naming the nation-state behind the operation, but has noted a possible US connection with newly found English-language use in the code, as well as apparent East Coast business hours.

The so-called GrayFish platform, which includes plug-ins like the especially sophisticated one that reprograms hard drives, ultimately replaced EquationDrug, although EquationDrug is not yet obsolete. But Kaspersky Lab researchers still have been unable to detect any new activity from the Equation Group since 2014, likely because they've adopted an even stealthier tack, a "super-scary" prospect, according to Costin Raiu, head of Kaspersky's global research and analysis team. Raiu last month told Dark Reading that the attackers had registered new servers in 2014 and were still active, but no signs of new malware had been detected.

And no word on what the group is using in lieu of GrayFish: "We don't have any details on what software this group is using right now," Soumenkov says. "They must have implemented some better techniques to evade detection and discovery."

The Equation Group has always reused some code; Grayfish, for example, was basically an upgrade to EquationDrug, with encryption and a bootkit, as well as "well-hidden" plug-ins, he says.

Speaking of plug-ins, Kaspersky Lab today said it has found some 30 plug-ins for EquationDrug thus far, but there could be some 90 additional ones as well. All of the plugins are compatible, too, according to Soumenkov.

The plug-ins include network traffic interception, reverse DNS resolution, computer management (including start/stop processes, load drivers and libraries), file and directory management, targeted computer system information-gathering (including OS version, user name, keyboard layout, process list, and other information), network resource browsing, WMI information-gathering, cached password collection, processes enumeration, monitoring live user activity in browsers, NTFS file system access, removable storage drive monitoring, passive network backdoor, HDD and SDD firmware manipulation, keylogging, collection of browser history, as well as cached passwords and auto-fill data.

[The nation-state Equation Group compromise of most popular hard drives won't be a widespread threat, but future disk security -- and forensic integrity -- remain unclear. Read What You Need To Know About Nation-State Hacked Hard Drives.]

"The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface. The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins," Kaspersky Lab researchers wrote in a post today. "Every plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved."

Kaspersky's study of EquationDrug illustrates how nation-states like the Equation Group constantly up the ante in their code, the researchers say in their new report.

Meanwhile, the researchers found references such as "Stealthfighter" and other English-speaking language in the code. "Some other names, such as kernel object and file names, abbreviations, resource code page, and several generic messages, point to English-speaking developers. Due to the limited number of such text strings, it's hard to tell reliably if the developers were native English speakers," according to the report.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 11:14:12 AM
Fascinating stuff..
Great reporting & analysis Kelly. Keep up the good work on this fascinating and important topic. Can't wait for more.... 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
3/12/2015 | 11:22:59 AM
Re: Fascinating stuff..
Kaspersky Lab has done some fascinating research on this, @Marilyn. I know there's more to come from them, so we'll continue to learn more about this operation in the coming months. Thanks. 
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.
CVE-2019-19011
PUBLISHED: 2019-11-17
MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueColor in ngiflib.c via a file that lacks a palette.
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.