Equation Group Resurfaces


Back in February 2015, the Moscow-headquartered global cybersecurity firm Kaspersky Lab issued a statement on its website naming an incredibly sophisticated threat actor its researchers had discovered, one which, according to Kaspersky Lab, had been active for the last two decades. Kaspersky’s researchers named it the “Equation Group” because of its advanced obfuscation techniques and penchant for encryption algorithms.

Kaspersky Lab documented 500 infections by Equation Group in 42 countries, a number they said was likely to be only a tiny percentage of the total because of a self-destruct mechanism built into the malware the group used. Thousands of organisations worldwide have purportedly been targeted, including government and diplomatic institutions, oil and gas, military, mass media, financial institutions and companies.

Technical feats the Equation Group was deemed capable of include the employment of over 300 domains and 100 servers worldwide to host a sprawling command-and-control infrastructure; USB-stick-based reconnaissance malware (known as “the Fanny worm”) used to map air-gapped networks, which are so sensitive they aren’t even connected to the Internet; and the use of virtual file systems, a feature also employed by the highly advanced Regin malware (Edward Snowden documents indicated the NSA used Regin to infect the partly state-owned Belgian firm Belgacom).

Kaspersky Lab researchers noted that the group is unique in almost every aspect of its endeavours, using highly expensive and complicated tools to infect victims, hide activity and retrieve data. The group is able to reprogram hard drive firmware on over a dozen HDD brands by rewriting the hard drive’s operating system. If malware gets into firmware, it can “resurrect” itself indefinitely and is incredibly hard to detect. It creates an invisible, persistent area hidden within a computer’s hard drive where exfiltrated information is saved for the attackers to retrieve. Costin Raiu, Director of Kaspersky Lab’s Global Research and Analysis Team, noted that this gives the attackers “the ability to capture the encryption password and save it into this hidden area.”

According to Kaspersky Lab, there are also links indicating the Equation Group’s interaction with other powerful threat actors, including the Stuxnet and Flame operators, with some of its techniques being shared with them after their original use by the Equation Group.

Kaspersky researchers concluded that Equation Group was the most sophisticated computer attack group in the world, comparing it to the Death Star of the APT universe, and presented a report at the Kaspersky Security Analyst Summit held in Cancun, Mexico, in February 2015, stopping just short of saying Equation Group was the handiwork of the NSA, yet presenting evidence that strongly implicated the US spy agency.

A Mounting Controversy

Early last month, The Wall Street Journal published a bombshell article accusing the Russian government of turning Kaspersky antivirus software into a tool for spying and thereby gaining access to classified NSA data. It was claimed that in 2015 Russian hackers targeted an NSA employee who had taken home classified materials while working for the NSA’s elite hacking-tools development unit and opened them on his or her home computer, which was running Kaspersky antivirus software. The report said that the NSA files were initially identified through the Kaspersky antivirus software and then hacked. The hacked data included information on how the US “penetrates foreign computer networks, the computer code it uses for such spying, and how it defends networks inside the US.” The stolen data could theoretically be used against US-based systems and help the Russian government defend against US cyber-attacks.

The question for Kaspersky Lab was what role, if any, it played in the hack.

The US government has not offered any concrete evidence that Kaspersky is in collusion with the Kremlin; however, in September, the Department of Homeland Security ordered all US federal agencies to stop using Kaspersky software within 90 days, claiming the software “can be exploited by malicious cyber actors to compromise those information systems”.

Kaspersky’s Account of Events

Kaspersky Lab CEO Eugene Kaspersky immediately said the company was very concerned about a possible breach of its products and the use of its software in the hack of the NSA employee. However, Kaspersky himself has since written that he puts the probability of an actual hack of his software by the Kremlin “at zero”.

He also recently released a statement detailing how Kaspersky Lab came to possess Equation Group malware in the first place, in response to recent news articles claiming that the vendor had NSA cyberweapons on its network in 2015.

It’s a complicated situation in which both the government and Kaspersky Lab have tip-toed around Equation Group since the controversy started earlier this year. The US government doesn’t want to officially acknowledge that the NSA creates and uses malware worldwide, and Kaspersky doesn’t want to further inflame the situation by implicating the NSA further. However, as a result of increasing political pressure and government-wide bans on its products, Kaspersky Lab had to do something, so it offered an explanation for why it had possession of Equation Group malware in the first place.

Kaspersky’s statement claims that in 2014 its antivirus software scanned a system and discovered a simple backdoor in a product-key generator for a pirated version of Microsoft Office (the system is assumed to belong to the NSA employee who took the confidential materials home). The antivirus program furthermore detected a 7-Zip archive of “previously unknown” malware, which it relayed to the company via the Kaspersky Security Network (KSN) for further analysis.

Nevertheless, in a recent article on the continued controversy, SearchSecurity’s editor Rob Wright details various lingering questions and concerns for Kaspersky and the US government, concluding by stating, “the company and the government continue to withhold vital information that could clear up this mess, both will look increasingly bad as this drags on.”
