Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

2/16/2015
07:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet

The so-called Equation Group epitomizes the goal of persistence in cyber spying--reprogramming hard drives and hacking other targets such as air-gapped computers--and points to possible US connection.

KASPERSKY SECURITY ANALYST SUMMIT -- Cancun, Mexico -- Move over Stuxnet, Flame, and Regin: a newly uncovered cyber espionage operation that predates and rivals Stuxnet has been underway since at least 2001, armed with advanced tools and techniques that include hacking air-gapped computers and a first -- silently reprogramming victims' hard drives, such that malware can't be detected or erased.

Researchers from Kaspersky Lab here, today, gave details of the so-called Equation Group, a hacking operation that they describe as the most sophisticated attack group they have seen thus far of the approximately 60 such groups they currently track. The Equation Group also has ties to Stuxnet and Flame, but outranks those attacks, having deployed in 2008 two of the zero-day exploits that were later used by Stuxnet. That suggests the Equation Group provided those exploits to the Stuxnet gang and is the "masters" over them, according to Kaspersky Lab.

The Equation Group has hit tens of thousands of highly targeted victims in more than 30 countries, with Iran, Russia, and Pakistan the most infected. Other nations with victims include Syria, Afghanistan, Kazakhstan, Belgium, Somalia, Hong Kong, Libya, United Arab Emirates, Iraq, Nigeria, Ecuador, Mexico, Malaysia, Sudan, the US, Lebanon, Palestine, France, Germany, Singapore, Qatar, Pakistan, Yemen, Mali, Switzerland, Bangladesh, South Africa, Philippines, United Kingdom, India, and Brazil. The targets are in government and diplomacy, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, mass media, transportation, financial institutions, cryptographic development, as well as Islamic activists and scholars based in the US and UK.

Kaspersky estimates that the attack group was infecting some 2,000 individuals per month. But what's most unnerving is that Equation Group has basically gone dark since 2014, indicating that they've taken an even stealthier tack. All of their command-and-control servers were moved to the US in 2014, according to Raiu, who says his team has found about 300 of their servers worldwide. "For sure they have registered some new servers in 2014, so they are still active. But we haven't seen any new [malware] samples compiled … they are either now untraceable or randomly changing all of the timestamps," says Costin Raiu, head of Kaspersky's global research and analysis team. The malware targets Windows systems.

"But in operations, there was nothing new in 2014. It's super-scary," he says.

Despite the elephant-in-the-room question of whether the Equation Group is the US National Security Agency, Kaspersky researchers say they can't identify who's behind the campaign. Even so, a couple of months after Edward Snowden leaked the trove of NSA documents, the Equation Group replaced one of its malware variants with a more sophisticated one, called Grayfish. "They shut down some old stuff and the new Grayfish" came, Raiu says.  "I don't know if that's related or not."

The level of funding and sophistication required to craft the bevy of tools used by the Equation Group, plus English-language usage in the code, and other clues, such as the targeted (and non-targeted) regions, appear to point to a possible US connection. "We have not found any exact match of these code names .. with [the information leaked by] Snowden, so we cannot tell you it matches an NSA profile," says Vitaly Kamluk, director of the EEMA Research center at Kaspersky Lab.

An NSA spokesperson declined to comment on the findings, according to multiple published media reports.

"This malware is extremely sophisticated. It's way more complex than anything we've seen. It's most likely a nation-state because there doesn't seem to be any connection with cybercrime," he says.

Hard Drive Hacks

Among the hacking group's more unique and complex capabilities that Kaspersky has identified are two modules that can reprogram more than a dozen different hard drive brands, including big names like Maxtor, Seagate, Hitachi, and Toshiba, basically rewriting the hard drive's operating system. This trick puts the "p" in APT (advanced persistent threat), by allowing the malware to go undetected by antivirus and to remain alive even if the drive is reformatted or the operating system gets reinstalled. The technique -- powered by the Grayfish malware module -- also could resist deletion of a specific disk sector, or provide the attackers with the ability to swap a sector with a malware-ridden one.

The attackers also could use the infected drive to store stolen information until they siphon it to their own systems.

"This is what makes this group gods among APT actors. We have never seen anything close to this," Kamluk says. Knowing how to reprogram a hard drive would entail gathering intelligence from each vendor, which is no simple feat, he says. "Then it would take a very skilled programmer many months or years to master this."

"[This] shows us a level of sophistication that we haven't seen before, or maybe a few times in the past with Flame and Stuxnet," for example, says Jaime Blasco, head of AlienVault's security research team. "Whoever is behind this has access to a huge amount of financial and research resources, including access to sigint/humint capabilities that they clearly use in combination with the" tools, he days.

Blasco says the module that infects the hard drive firmware is "state of the art."

Then there's the module the Equation Group named "Fanny" that allows them into air-gapped computers, or systems that are not connected to a network. Kaspersky researchers first noticed this module after uncovering a case where a scientist attending a scientific and aerospace industry conference in Houston had been mailed a CD-ROM from the conference proceedings -- but it had obviously been intercepted and rigged with Fanny malware, ultimately infecting his hard drive.

Fanny also comes via USB sticks, where someone physically inserts them into the air-gapped machine to infect them. Kaspersky found a privilege escalation exploit that was used in Stuxnet being used by the Fanny worm.

The worm basically is aimed at gathering intelligence about the network topology of the air-gapped environment and to then send commands to those systems. The USB stick itself stores commands from the malware in a hidden area of the device.

Raiu says the Equation Group is likely the only such attack group at this high level. And Kaspersky Lab's findings about them likely only scratches the surface of what they can do. "We haven't seen Mac or iPhone malware [from them], but we know it exists," for example, he says. "We're sure there's some Linux malware, too … and probably a lot of other stuff we have not found yet."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
GonzSTL
100%
0%
GonzSTL,
User Rank: Ninja
2/17/2015 | 9:47:32 AM
Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
"This malware is extremely sophisticated. Its way more complex than anything we've seen. It's most likely a nation-state because there doesn't seem to be any connection with cybercrime,"

It appears that Big Brother has been watching for a very long time. I'm actually not surprised by the revelation of the existence of this group. For a long time, I had suspected that such an operation theoretically exists, and that the justification of their existence is simply national security. Nor am I surprised by the sophistication of their technology, right down to the hard drive OS itself. In fact, we will probably discover that the technology possibly includes infiltration of the computer BIOS. Call me paranoid, but as I look at it, nation-states have the resources and motivation to carry out these operations, and most certainly have been researching this for decades. I do like the name "Equation Group" though – very clever.
BurgessCT
50%
50%
BurgessCT,
User Rank: Apprentice
2/17/2015 | 10:26:13 AM
Going to the ROOT has been a Nation State goal for some time
Great read, and the Kaspersky revelations are interesting.  

The use of USB/CD-ROMs to jump the airgap have been around for some time and used with frequency by the penetration test industry (who hasn't heard of a tale or two of USB sticks dropped in corporate parking lots, or the embarassment IBM suffered when their USB stick which they were handing out at the Aus-CERT conference in 2010 carried with it pre-positioned malware). Indeed going after the hard drive has also been a goal of many. China used this technique in 2007 against Taiwan. I wrote in my April 2008 piece: "Nation States Espionage and Counterespionage" 

"In mid-November 2007, Taiwan's investigation bureau reported that hard-disk drives manufactured by Seagate in Thailand and sold in Taiwan had been contaminated with Trojan horse malware while the drives were in the hands of "Chinese sub-contractors" during the manufacturing process. The malware automatically uploaded information saved on the hard drive and, if the computer was connected to the Internet, forwarded the saved information to a Beijing Internet address without the user's knowledge"

It would appear the Equation Group has successfully improved on these methodologies.  Here's hoping the Equation Group are the good guys.

Thanks,

Christopher

CEO Prevendra

Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/17/2015 | 10:26:25 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
The nation-states seem to be commanding a lot of the hacker headllnes recently, haven't they? @GonzSTL, I hope you've been following our 'Why They Hack' series. The fifth and final article -- on the USA -- is very timely and a good companion to the news about Espionage Group. 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/17/2015 | 10:29:36 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
@Marilyn: Yes they have, and it really isn't a surprise! I have been following that series. They are quite interesting and thought provoking, and I've even commented a few times, for whatever that's worth.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/17/2015 | 10:32:25 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
Your comments are always worth reading, @Gonz. Glad you are enjoying the series. It does add a lot of contest to the headlines... 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/17/2015 | 11:05:49 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
@Marilyn: I'm sure you are aware of this, but for the benefit of the readers, (ISC)² has a link to that series, and other Dark Reading articles in their "Latest Industry News" section.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/17/2015 | 11:09:01 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
I don't think I picked up on that. So many thanks for sharing!
GonzSTL
100%
0%
GonzSTL,
User Rank: Ninja
2/17/2015 | 11:12:32 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
Sure thing. It's quite remarkable to be linked from (ISC)², an industry and world renowned institution for IT Security.
SgS125
100%
0%
SgS125,
User Rank: Ninja
2/17/2015 | 11:14:00 AM
Not that hard after all.
"This is what makes this group gods among APT actors. We have never seen anything close to this," Kamluk says. Knowing how to reprogram a hard drive would entail gathering intelligence from each vendor, which is no simple feat, he says. "Then it would take a very skilled programmer many months or years to master this."

 

Please..... Anyone who has programmed back in the 80's knows this is not true.

We used to have to write routines direct for hardware.

It's not that hard.
anon2023887558
100%
0%
anon2023887558,
User Rank: Apprentice
2/17/2015 | 11:53:15 AM
Re: Not that hard after all.
Yup, I remember debugging the old WD controller cards manually and it wouldn't take years to master anything about it, especially if you had the source code and didn't have to decompile anything.

Noobs,  Sheesh!
Page 1 / 2   >   >>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7779
PUBLISHED: 2020-11-26
All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, [email protected]-----------------------------------------------------------!.
CVE-2020-7778
PUBLISHED: 2020-11-26
This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.
CVE-2020-29128
PUBLISHED: 2020-11-26
petl before 1.68, in some configurations, allows resolution of entities in an XML document.
CVE-2020-27251
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
CVE-2020-27253
PUBLISHED: 2020-11-26
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.