Kaspersky finds Hacker Team that Infects Hard Drive Firmware

Posted by at 12:11 pm on February 17, 2015

A secretive hacking collective that has been active for almost two decades has allegedly been uncovered by Kaspersky Lab. Dubbed the “Equation Group” because of its heavy use of encryption algorithms and obfuscation methods, the group is apparently unique in that it built highly professional tools and combined them with “classic spying techniques” to retrieve data from, and tamper with, systems used by high-value targets such as governments, major national organizations, and other political targets.

The Equation Group is said to have created a number of different malware tools. While some provided backdoors into systems, others had very specific jobs. One identified as “DoubleFantasy” was used as a validator, checking that a computer was being used by an intended target before loading further malware onto it. Another was created as a worm in 2008 and used two zero-day exploits to infect systems in the Middle East and Africa; the same exploits were later used by Stuxnet.

The group also used novel methods to infect its targets. Researchers discovered that one malware module reprogrammed the firmware of a connected hard drive, giving the group a hidden area on the drive in which to stash retrieved data or malware for later use. Because the implant lives in the drive’s firmware rather than on its platters, detecting it is almost impossible with ordinary tools, and it persists even after the drive has been formatted and the operating system reinstalled. The list of drives the module was able to infect includes those made by Western Digital, Seagate, Toshiba, and other mainstream hard drive producers.

Screenshot of forensics software showing hard drive manufacturers infectable with malware

One malware tool also allowed the team to reach into “air-gapped” networks kept separate from the Internet. The malware created a hidden storage area on a connected USB stick; whenever the stick was plugged into an offline computer, details about that machine were collected and saved into the hidden area. When the stick was next plugged into a computer with Internet access, the hidden data was sent to the group’s servers, and new instructions for the offline machines were picked up at the same time.
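As an added illustration (constructed for this page, not code from Kaspersky’s report or from the Equation Group tools it describes), the Python below models the store-and-forward exchange just described: an offline-host phase that appends collected host details to a hidden container on the stick, and an online-host phase that drains the container to the operator and writes new tasking back for the next air-gapped visit. The hidden area is modelled as an in-memory byte buffer, the operator as a local object, and the sealing of records uses a toy SHA-256 keystream that stands in for whatever real encryption such a tool would use; all of that is assumption. The entropy helper at the end shows the one defender-side observation the model supports: a sealed dead drop looks like a high-entropy blob, unlike ordinary files on the stick.

```python
"""Constructed model of a removable-media dead drop bridging an air gap.

Nothing here is the real Fanny/Equation Group format; the container layout,
the toy keystream cipher and the Operator object are assumptions made so the
two phases can be run and checked locally.
"""
import hashlib
import json
import math
import os
from collections import Counter
from typing import Dict, List, Tuple


class HiddenStore:
    """Stand-in for a hidden area on a USB stick (assumed: a byte buffer the
    normal filesystem does not expose). 'outbound' carries records collected
    on offline hosts; 'inbound' carries tasking from the operator."""

    def __init__(self, key: bytes):
        self.key = key
        self.outbound = b""
        self.inbound = b""

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # Toy keystream: SHA-256(key || nonce || counter) blocks. Illustrative only.
        out, counter = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self.key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:n]

    def seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        ks = self._keystream(nonce, len(plaintext))
        return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

    def unseal(self, blob: bytes) -> bytes:
        nonce, body = blob[:16], blob[16:]
        ks = self._keystream(nonce, len(body))
        return bytes(a ^ b for a, b in zip(body, ks))


def _pack(blob: bytes) -> bytes:
    """Length-prefixed record framing (assumed layout)."""
    return len(blob).to_bytes(4, "big") + blob


def _unpack(buf: bytes) -> List[bytes]:
    out, i = [], 0
    while i < len(buf):
        n = int.from_bytes(buf[i:i + 4], "big")
        i += 4
        out.append(buf[i:i + n])
        i += n
    return out


def collect_on_offline_host(store: HiddenStore, host_info: Dict) -> None:
    """Phase A: on the air-gapped machine, stash collected details on the stick."""
    record = json.dumps(host_info, sort_keys=True).encode()
    store.outbound += _pack(store.seal(record))


class Operator:
    """Stand-in for the group's servers: receives records, hands out tasking."""

    def __init__(self, tasks: List[Dict]):
        self.received: List[Dict] = []
        self.tasks = list(tasks)

    def receive(self, records: List[Dict]) -> None:
        self.received.extend(records)

    def pending_tasks(self) -> List[Dict]:
        tasks, self.tasks = self.tasks, []
        return tasks


def sync_on_online_host(store: HiddenStore, operator: Operator) -> Tuple[List[Dict], List[Dict]]:
    """Phase B: on an Internet-connected machine, drain the stick to the
    operator and write new tasking back into the hidden area."""
    records = [json.loads(store.unseal(b)) for b in _unpack(store.outbound)]
    operator.receive(records)
    store.outbound = b""
    tasks = operator.pending_tasks()
    store.inbound = b"".join(
        _pack(store.seal(json.dumps(t, sort_keys=True).encode())) for t in tasks
    )
    return records, tasks


def read_tasking_on_offline_host(store: HiddenStore) -> List[Dict]:
    """Next air-gapped visit: pick up the instructions left by the operator."""
    tasks = [json.loads(store.unseal(b)) for b in _unpack(store.inbound)]
    store.inbound = b""
    return tasks


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; sealed containers sit near 8.0, text well below it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    store = HiddenStore(key=b"constructed-demo-key")
    collect_on_offline_host(store, {"host": "airgap-01", "os": "Windows XP"})
    uploaded, tasks = sync_on_online_host(store, Operator([{"cmd": "list_dir", "path": "C:\\"}]))
    print("uploaded:", uploaded)
    print("tasking on next visit:", read_tasking_on_offline_host(store))
    print("entropy of sealed store:", round(shannon_entropy(store.seal(b"A" * 4096)), 2))
```

The two phases never run on the same machine; the stick is the only channel, which is why the container must survive unnoticed on it between visits. The entropy check is the cheap counter-observation: a removable-media scan that flags large near-8.0-bits-per-byte regions that do not belong to a known compressed or encrypted file type will catch a container built this way, although not one hidden in drive firmware as the previous paragraph describes.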

The group also used offline delivery methods, with Kaspersky claiming that participants at a scientific conference in Houston were sent copies of the conference materials on CDs that also contained the malware. It is still unknown how the CDs were interfered with, and the conference organizers are believed to have been innocent parties.

While the majority of Kaspersky’s findings relate to Windows operating systems, there are a few signs that other platforms may also have been targeted. Some callbacks mention OS X 10.8.3, and one malicious forum injection actually served different HTML to iPhones than to other clients.

The group targeted thousands of victims in more than 30 countries, with notable locations including Iraq, Iran, Russia, Syria, Afghanistan, Kazakhstan, Somalia, the UAE, Libya, and Pakistan, as well as Europe, the United Kingdom, and the United States. Outside of governments and diplomatic institutions, the victims were found to have involvement in telecommunications, aerospace, energy, nuclear research, oil and gas, nanotechnology, mass media, transportation, financial markets, and cryptographic technology. Attacks were also made against members of the military, as well as Islamist activists and scholars.

Kaspersky stopped short of identifying any government that could be behind the Equation Group. A Reuters source said to be a former National Security Agency (NSA) employee claims the agency operates the group and valued the program as much as Stuxnet. A second source claims the NSA had developed the hard drive concealment technique, but did not know whether it had actually been used by the agency.

The NSA declined to comment on the report.

Copyright © 2008 - 2020 · StreetCorner Media , LLC· All Rights Reserved ·