Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

07:00 PM
Connect Directly

Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet

The so-called Equation Group epitomizes the goal of persistence in cyber spying--reprogramming hard drives and hacking other targets such as air-gapped computers--and points to possible US connection.

KASPERSKY SECURITY ANALYST SUMMIT -- Cancun, Mexico -- Move over Stuxnet, Flame, and Regin: a newly uncovered cyber espionage operation that predates and rivals Stuxnet has been underway since at least 2001, armed with advanced tools and techniques that include hacking air-gapped computers and a first -- silently reprogramming victims' hard drives, such that malware can't be detected or erased.

Researchers from Kaspersky Lab here, today, gave details of the so-called Equation Group, a hacking operation that they describe as the most sophisticated attack group they have seen thus far of the approximately 60 such groups they currently track. The Equation Group also has ties to Stuxnet and Flame, but outranks those attacks, having deployed in 2008 two of the zero-day exploits that were later used by Stuxnet. That suggests the Equation Group provided those exploits to the Stuxnet gang and is the "masters" over them, according to Kaspersky Lab.

The Equation Group has hit tens of thousands of highly targeted victims in more than 30 countries, with Iran, Russia, and Pakistan the most infected. Other nations with victims include Syria, Afghanistan, Kazakhstan, Belgium, Somalia, Hong Kong, Libya, United Arab Emirates, Iraq, Nigeria, Ecuador, Mexico, Malaysia, Sudan, the US, Lebanon, Palestine, France, Germany, Singapore, Qatar, Pakistan, Yemen, Mali, Switzerland, Bangladesh, South Africa, Philippines, United Kingdom, India, and Brazil. The targets are in government and diplomacy, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, mass media, transportation, financial institutions, cryptographic development, as well as Islamic activists and scholars based in the US and UK.

Kaspersky estimates that the attack group was infecting some 2,000 individuals per month. But what's most unnerving is that Equation Group has basically gone dark since 2014, indicating that they've taken an even stealthier tack. All of their command-and-control servers were moved to the US in 2014, according to Raiu, who says his team has found about 300 of their servers worldwide. "For sure they have registered some new servers in 2014, so they are still active. But we haven't seen any new [malware] samples compiled … they are either now untraceable or randomly changing all of the timestamps," says Costin Raiu, head of Kaspersky's global research and analysis team. The malware targets Windows systems.

"But in operations, there was nothing new in 2014. It's super-scary," he says.

Despite the elephant-in-the-room question of whether the Equation Group is the US National Security Agency, Kaspersky researchers say they can't identify who's behind the campaign. Even so, a couple of months after Edward Snowden leaked the trove of NSA documents, the Equation Group replaced one of its malware variants with a more sophisticated one, called Grayfish. "They shut down some old stuff and the new Grayfish" came, Raiu says.  "I don't know if that's related or not."

The level of funding and sophistication required to craft the bevy of tools used by the Equation Group, plus English-language usage in the code, and other clues, such as the targeted (and non-targeted) regions, appear to point to a possible US connection. "We have not found any exact match of these code names .. with [the information leaked by] Snowden, so we cannot tell you it matches an NSA profile," says Vitaly Kamluk, director of the EEMA Research center at Kaspersky Lab.

An NSA spokesperson declined to comment on the findings, according to multiple published media reports.

"This malware is extremely sophisticated. It's way more complex than anything we've seen. It's most likely a nation-state because there doesn't seem to be any connection with cybercrime," he says.

Hard Drive Hacks

Among the hacking group's more unique and complex capabilities that Kaspersky has identified are two modules that can reprogram more than a dozen different hard drive brands, including big names like Maxtor, Seagate, Hitachi, and Toshiba, basically rewriting the hard drive's operating system. This trick puts the "p" in APT (advanced persistent threat), by allowing the malware to go undetected by antivirus and to remain alive even if the drive is reformatted or the operating system gets reinstalled. The technique -- powered by the Grayfish malware module -- also could resist deletion of a specific disk sector, or provide the attackers with the ability to swap a sector with a malware-ridden one.

The attackers also could use the infected drive to store stolen information until they siphon it to their own systems.

"This is what makes this group gods among APT actors. We have never seen anything close to this," Kamluk says. Knowing how to reprogram a hard drive would entail gathering intelligence from each vendor, which is no simple feat, he says. "Then it would take a very skilled programmer many months or years to master this."

"[This] shows us a level of sophistication that we haven't seen before, or maybe a few times in the past with Flame and Stuxnet," for example, says Jaime Blasco, head of AlienVault's security research team. "Whoever is behind this has access to a huge amount of financial and research resources, including access to sigint/humint capabilities that they clearly use in combination with the" tools, he days.

Blasco says the module that infects the hard drive firmware is "state of the art."

Then there's the module the Equation Group named "Fanny" that allows them into air-gapped computers, or systems that are not connected to a network. Kaspersky researchers first noticed this module after uncovering a case where a scientist attending a scientific and aerospace industry conference in Houston had been mailed a CD-ROM from the conference proceedings -- but it had obviously been intercepted and rigged with Fanny malware, ultimately infecting his hard drive.

Fanny also comes via USB sticks, where someone physically inserts them into the air-gapped machine to infect them. Kaspersky found a privilege escalation exploit that was used in Stuxnet being used by the Fanny worm.

The worm basically is aimed at gathering intelligence about the network topology of the air-gapped environment and to then send commands to those systems. The USB stick itself stores commands from the malware in a hidden area of the device.

Raiu says the Equation Group is likely the only such attack group at this high level. And Kaspersky Lab's findings about them likely only scratches the surface of what they can do. "We haven't seen Mac or iPhone malware [from them], but we know it exists," for example, he says. "We're sure there's some Linux malware, too … and probably a lot of other stuff we have not found yet."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Strategist
2/17/2015 | 5:09:13 PM
Equation Group's Apparent Allegiance
Given that this Equation group is astonishingly effective, aren't you a bit relieved that they are most likely run by an agency in the U.S. goverment and not run by China or Russia?! To borrow from something LBJ once said about J. Edgar Hoover (and to clean it up a bit), it is better that they are in the tent shooting out, rather than outside shooting in.
kill -9
kill -9,
User Rank: Apprentice
2/18/2015 | 10:59:36 PM
Newly Discovered Master Cyber Espionage Group . . .
If one has been following the APT drama over the past several years and if one has read what Kaspersky has made available on the interwebs, it's all but impossible to ignore the trail of breadcrumbs that lead to 39°6′32″N 76°46′17″W. Even eWeek sussed it out . . .
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
2/19/2015 | 4:24:32 PM
Re: Newly Discovered Master Cyber Espionage Group . . .
It's definitely not tough to guess who's behind it, but Kaspersky's not gonna say it out loud publicly.
<<   <   Page 2 / 2
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-25
The MediaWiki &quot;Report&quot; extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a &quot;zip-slip&quot; vulnerability. The directory support feature allows the ...
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions &lt; 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting