Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

2/16/2015
07:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet

The so-called Equation Group epitomizes the goal of persistence in cyber spying--reprogramming hard drives and hacking other targets such as air-gapped computers--and points to possible US connection.

KASPERSKY SECURITY ANALYST SUMMIT -- Cancun, Mexico -- Move over Stuxnet, Flame, and Regin: a newly uncovered cyber espionage operation that predates and rivals Stuxnet has been underway since at least 2001, armed with advanced tools and techniques that include hacking air-gapped computers and a first -- silently reprogramming victims' hard drives, such that malware can't be detected or erased.

Researchers from Kaspersky Lab here, today, gave details of the so-called Equation Group, a hacking operation that they describe as the most sophisticated attack group they have seen thus far of the approximately 60 such groups they currently track. The Equation Group also has ties to Stuxnet and Flame, but outranks those attacks, having deployed in 2008 two of the zero-day exploits that were later used by Stuxnet. That suggests the Equation Group provided those exploits to the Stuxnet gang and is the "masters" over them, according to Kaspersky Lab.

The Equation Group has hit tens of thousands of highly targeted victims in more than 30 countries, with Iran, Russia, and Pakistan the most infected. Other nations with victims include Syria, Afghanistan, Kazakhstan, Belgium, Somalia, Hong Kong, Libya, United Arab Emirates, Iraq, Nigeria, Ecuador, Mexico, Malaysia, Sudan, the US, Lebanon, Palestine, France, Germany, Singapore, Qatar, Pakistan, Yemen, Mali, Switzerland, Bangladesh, South Africa, Philippines, United Kingdom, India, and Brazil. The targets are in government and diplomacy, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, mass media, transportation, financial institutions, cryptographic development, as well as Islamic activists and scholars based in the US and UK.

Kaspersky estimates that the attack group was infecting some 2,000 individuals per month. But what's most unnerving is that Equation Group has basically gone dark since 2014, indicating that they've taken an even stealthier tack. All of their command-and-control servers were moved to the US in 2014, according to Raiu, who says his team has found about 300 of their servers worldwide. "For sure they have registered some new servers in 2014, so they are still active. But we haven't seen any new [malware] samples compiled … they are either now untraceable or randomly changing all of the timestamps," says Costin Raiu, head of Kaspersky's global research and analysis team. The malware targets Windows systems.

"But in operations, there was nothing new in 2014. It's super-scary," he says.

Despite the elephant-in-the-room question of whether the Equation Group is the US National Security Agency, Kaspersky researchers say they can't identify who's behind the campaign. Even so, a couple of months after Edward Snowden leaked the trove of NSA documents, the Equation Group replaced one of its malware variants with a more sophisticated one, called Grayfish. "They shut down some old stuff and the new Grayfish" came, Raiu says.  "I don't know if that's related or not."

The level of funding and sophistication required to craft the bevy of tools used by the Equation Group, plus English-language usage in the code, and other clues, such as the targeted (and non-targeted) regions, appear to point to a possible US connection. "We have not found any exact match of these code names .. with [the information leaked by] Snowden, so we cannot tell you it matches an NSA profile," says Vitaly Kamluk, director of the EEMA Research center at Kaspersky Lab.

An NSA spokesperson declined to comment on the findings, according to multiple published media reports.

"This malware is extremely sophisticated. It's way more complex than anything we've seen. It's most likely a nation-state because there doesn't seem to be any connection with cybercrime," he says.

Hard Drive Hacks

Among the hacking group's more unique and complex capabilities that Kaspersky has identified are two modules that can reprogram more than a dozen different hard drive brands, including big names like Maxtor, Seagate, Hitachi, and Toshiba, basically rewriting the hard drive's operating system. This trick puts the "p" in APT (advanced persistent threat), by allowing the malware to go undetected by antivirus and to remain alive even if the drive is reformatted or the operating system gets reinstalled. The technique -- powered by the Grayfish malware module -- also could resist deletion of a specific disk sector, or provide the attackers with the ability to swap a sector with a malware-ridden one.

The attackers also could use the infected drive to store stolen information until they siphon it to their own systems.

"This is what makes this group gods among APT actors. We have never seen anything close to this," Kamluk says. Knowing how to reprogram a hard drive would entail gathering intelligence from each vendor, which is no simple feat, he says. "Then it would take a very skilled programmer many months or years to master this."

"[This] shows us a level of sophistication that we haven't seen before, or maybe a few times in the past with Flame and Stuxnet," for example, says Jaime Blasco, head of AlienVault's security research team. "Whoever is behind this has access to a huge amount of financial and research resources, including access to sigint/humint capabilities that they clearly use in combination with the" tools, he days.

Blasco says the module that infects the hard drive firmware is "state of the art."

Then there's the module the Equation Group named "Fanny" that allows them into air-gapped computers, or systems that are not connected to a network. Kaspersky researchers first noticed this module after uncovering a case where a scientist attending a scientific and aerospace industry conference in Houston had been mailed a CD-ROM from the conference proceedings -- but it had obviously been intercepted and rigged with Fanny malware, ultimately infecting his hard drive.

Fanny also comes via USB sticks, where someone physically inserts them into the air-gapped machine to infect them. Kaspersky found a privilege escalation exploit that was used in Stuxnet being used by the Fanny worm.

The worm basically is aimed at gathering intelligence about the network topology of the air-gapped environment and to then send commands to those systems. The USB stick itself stores commands from the malware in a hidden area of the device.

Raiu says the Equation Group is likely the only such attack group at this high level. And Kaspersky Lab's findings about them likely only scratches the surface of what they can do. "We haven't seen Mac or iPhone malware [from them], but we know it exists," for example, he says. "We're sure there's some Linux malware, too … and probably a lot of other stuff we have not found yet."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/17/2015 | 10:26:25 AM
Re: Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
The nation-states seem to be commanding a lot of the hacker headllnes recently, haven't they? @GonzSTL, I hope you've been following our 'Why They Hack' series. The fifth and final article -- on the USA -- is very timely and a good companion to the news about Espionage Group. 
BurgessCT
50%
50%
BurgessCT,
User Rank: Apprentice
2/17/2015 | 10:26:13 AM
Going to the ROOT has been a Nation State goal for some time
Great read, and the Kaspersky revelations are interesting.  

The use of USB/CD-ROMs to jump the airgap have been around for some time and used with frequency by the penetration test industry (who hasn't heard of a tale or two of USB sticks dropped in corporate parking lots, or the embarassment IBM suffered when their USB stick which they were handing out at the Aus-CERT conference in 2010 carried with it pre-positioned malware). Indeed going after the hard drive has also been a goal of many. China used this technique in 2007 against Taiwan. I wrote in my April 2008 piece: "Nation States Espionage and Counterespionage" 

"In mid-November 2007, Taiwan's investigation bureau reported that hard-disk drives manufactured by Seagate in Thailand and sold in Taiwan had been contaminated with Trojan horse malware while the drives were in the hands of "Chinese sub-contractors" during the manufacturing process. The malware automatically uploaded information saved on the hard drive and, if the computer was connected to the Internet, forwarded the saved information to a Beijing Internet address without the user's knowledge"

It would appear the Equation Group has successfully improved on these methodologies.  Here's hoping the Equation Group are the good guys.

Thanks,

Christopher

CEO Prevendra

GonzSTL
100%
0%
GonzSTL,
User Rank: Ninja
2/17/2015 | 9:47:32 AM
Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet
"This malware is extremely sophisticated. Its way more complex than anything we've seen. It's most likely a nation-state because there doesn't seem to be any connection with cybercrime,"

It appears that Big Brother has been watching for a very long time. I'm actually not surprised by the revelation of the existence of this group. For a long time, I had suspected that such an operation theoretically exists, and that the justification of their existence is simply national security. Nor am I surprised by the sophistication of their technology, right down to the hard drive OS itself. In fact, we will probably discover that the technology possibly includes infiltration of the computer BIOS. Call me paranoid, but as I look at it, nation-states have the resources and motivation to carry out these operations, and most certainly have been researching this for decades. I do like the name "Equation Group" though – very clever.
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29070
PUBLISHED: 2020-11-25
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
CVE-2020-26212
PUBLISHED: 2020-11-25
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of ever...
CVE-2020-26243
PUBLISHED: 2020-11-25
Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded...
CVE-2020-25650
PUBLISHED: 2020-11-25
A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service fo...
CVE-2020-29071
PUBLISHED: 2020-11-25
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...