A shadowy group of NSA-linked hackers dubbed the “Equation group” has infected computers around the world with sophisticated spyware in an international espionage campaign with origins dating back as early as 1996, according to an analysis by Kaspersky Lab and subsequent reports, which may also shed light on how the NSA hacked North Korea’s computer network prior to the cyber-attack on Sony.
Russia-based cybersecurity firm Kaspersky published a report on Monday linking the Equation group to multiple hacks, which it referred to as computer network exploitation (CNE) operations. The report describes the group as likely one of the most sophisticated hacking groups in the world and as “the most advanced threat actor” the company’s researchers have come across.
The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen.
In one of the group’s spying programs, it hid spyware deep within the firmware of hard drives from more than a dozen manufacturers, including Western Digital, Seagate, Toshiba, IBM, Maxtor and Samsung, according to Kaspersky.
The firm’s analysis called the ability to infect hard disk firmware a hacking breakthrough: the module responsible, known only as nls_933w.dll, persists through machine wipes and re-infects targeted systems. Once installed, the malware is impossible to remove, since neither disk formatting nor reinstalling the operating system touches the drive’s firmware. Kaspersky claims that writing it required access to firmware source code, a carefully guarded secret protected by intellectual property laws.
Reuters reported that a former National Security Agency employee had confirmed Kaspersky’s analysis was correct, indicating that those in the spy agency valued these espionage programs as highly as Stuxnet — the virus which reportedly targeted Iran’s uranium enrichment facility, ruining nearly one-fifth of the country’s nuclear centrifuges.
Another former intelligence officer confirmed to Reuters that the NSA had developed the prized technique of concealing spyware in hard drives.
The hard disk infection component of the group’s campaign potentially infected tens of thousands of computers in governments, telecom providers, militaries, mass media organizations and other targets in more than 30 countries.
In total, researchers at the cyber-security firm documented 500 infections by Equation across 42 countries, with the following countries topping the company’s list:
- Russian Federation
Medium-level infection rates were found in Lebanon, Yemen, United Arab Emirates, Algeria, Kenya, United Kingdom, Libya, Mexico, Qatar, and Egypt.
Kaspersky declined to publicly name the country behind the spying campaign, but indicated that it was closely linked to Stuxnet.
The NSA is aware of Kaspersky’s report but indicated that it wouldn’t publicly comment on it, according to NSA spokeswoman Vanee Vines.
The Equation moniker derives from what researchers described as the group’s “love for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations.” Specifically, the group uses RC5 encryption throughout its malware, and RC6, RC4, AES and other cryptographic functions and hashes have been found in some of the most recent modules.
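Because consistent use of RC5 is one of the group’s fingerprints, analysts commonly scan an unknown sample for the algorithm’s fixed key-schedule constants. The Python below is an added example, not code from Kaspersky’s report, that runs such a check over constructed byte strings; it assumes a 32-bit-word, little-endian build, and treats the Q constant alone as weak evidence because TEA/XTEA share it.

```python
import struct

# RC5 (and RC6) key-schedule "magic" constants for 32-bit words, from the RC5
# specification: P = Odd((e - 2) * 2^32), Q = Odd((phi - 1) * 2^32).
# Q on its own is the golden-ratio constant that TEA/XTEA also use, so a hit on
# Q alone is weak evidence; P together with Q, or the expanded S-table, is not.
RC5_P32 = 0xB7E15163
RC5_Q32 = 0x9E3779B9
MASK32 = 0xFFFFFFFF

def expanded_table_prefix(n: int = 4) -> bytes:
    """First n words of the RC5 S-table, S[0] = P, S[i] = S[i-1] + Q (mod 2^32),
    packed little-endian the way a compiler would emit a precomputed table."""
    words, s = [], RC5_P32
    for _ in range(n):
        words.append(s)
        s = (s + RC5_Q32) & MASK32
    return struct.pack("<%dI" % n, *words)

def find_all(blob: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in blob (overlaps allowed)."""
    offsets, i = [], blob.find(needle)
    while i != -1:
        offsets.append(i)
        i = blob.find(needle, i + 1)
    return offsets

def scan_for_rc5_constants(blob: bytes) -> dict:
    """Report offsets of P, Q and the expanded table, plus a verdict that
    requires either the table or both raw constants to be present."""
    hits = {
        "p": find_all(blob, struct.pack("<I", RC5_P32)),
        "q": find_all(blob, struct.pack("<I", RC5_Q32)),
        "table": find_all(blob, expanded_table_prefix()),
    }
    hits["likely_rc5"] = bool(hits["table"]) or bool(hits["p"] and hits["q"])
    return hits

# Constructed sample buffers (not real malware): one imitating a binary that
# loads P and Q as immediates, one imitating a TEA-style routine with only Q.
SAMPLE_RC5_LIKE = (b"\x90" * 16 + struct.pack("<I", RC5_P32)
                   + b"\x90" * 8 + struct.pack("<I", RC5_Q32) + b"\x90" * 16)
SAMPLE_TEA_LIKE = b"\x90" * 16 + struct.pack("<I", RC5_Q32) + b"\x90" * 16

if __name__ == "__main__":
    for name, buf in (("rc5-like", SAMPLE_RC5_LIKE), ("tea-like", SAMPLE_TEA_LIKE)):
        print(name, scan_for_rc5_constants(buf))
```

A real sample may store the constants big-endian or only as the precomputed table, which is why the scan checks the table prefix as well as the raw immediates.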
The report identified several malware platforms used exclusively by the Equation hackers which consisted of the following:
- DoubleFantasy – A Trojan used for target validation. Once a target has been confirmed as interesting, the implant is upgraded to a more sophisticated platform such as EquationDrug or GrayFish. Essentially, it acts both as a target validator and as a foothold the attackers can use to install more sophisticated malware.
- EquationDrug – Complex attack platform which supports a module plugin system which can be dynamically uploaded and unloaded by the attackers. Also known as Equestre.
- TripleFantasy – A full-featured backdoor which is sometimes used in tandem with GrayFish. Researchers note that it looks like an upgrade of DoubleFantasy and is possibly a more recent validator-style plugin.
- GrayFish – The most sophisticated attack platform created by the group. GrayFish relies on a bootkit to gain execution on OS startup and resides entirely in the registry.
- Fanny – Worm created in 2008 and used for information gathering against targets in the Middle East and Asia. It has an air-gap capability that lets it reach physically isolated systems and map air-gapped networks. Researchers note that some Fanny victims appear to have been upgraded first to DoubleFantasy and then to EquationDrug. It spread using two zero-day exploits which were later found in Stuxnet.
- EquationLaser – Early implant from the group, compatible with Windows 95 and 98; it was in use around 2001-2004 and was created sometime between DoubleFantasy and EquationDrug.
GrayFish appears to have been designed to be invisible to antivirus products as there are no malicious executable modules on the filesystem of an infected system.
Fanny spread using the Stuxnet LNK exploit and USB sticks. For privilege escalation, it used a since-patched vulnerability (Microsoft MS09-025) which was also used in one of the early versions of Stuxnet. Kaspersky points out that both exploits were in use in Fanny before their integration into Stuxnet, which indicates that the group had access to the zero-days before the Stuxnet group. The similar use of both exploits together in different worms at around the same time indicates that the Equation group and the developers of Stuxnet are “either the same or working closely together.”
Fanny appears to have been designed primarily to map air-gapped networks. An air gap (or air wall) is a network security measure that physically isolates secure networks from insecure ones. To cross this gap, Fanny infects USB sticks and creates hidden storage areas on them to carry data and commands between infected systems and the command and control (C&C) infrastructure.
In October 1997, the Federal Bureau of Investigation (FBI) deployed a software program known at the time as Carnivore and later renamed DCS1000, a customizable packet sniffer designed to monitor email and other electronic communications. By 2005, DCS1000 had been replaced with improved commercial software.
The United Kingdom’s spy agency, the GCHQ, was found to have acted illegally in a landmark legal ruling which now requires them to inform those requesting the information whether the agency has spied on them in the past.
The ruling stems from the GCHQ having received data from the NSA’s surveillance dragnets. It applies only to retroactive snooping by the British, which is what the Investigatory Powers Tribunal found the GCHQ to have improperly engaged in; it cannot be used to ask whether the U.K.’s intelligence agencies are currently spying on you. It is also limited to the NSA’s Prism surveillance program, which collects data directly from U.S. Internet companies and by tapping directly into Internet cables, and only to data from these programs which was passed on to British intelligence, thereby excluding spying initiated by the GCHQ itself.
You don’t have to be British or reside in the United Kingdom to file a request as it’s open to anyone.
Kaspersky analysts discovered more than 300 domain names connected with Equation, the oldest of which was registered in 1996; all but three of the domains were no longer in use by the group.
In other hacking-related news here on Immortal News, bank hackers stole millions, maybe billions, of dollars in what might be an ongoing heist.
Do you think the world-class Equation hackers and the NSA are one and the same?