The Equation Group, also known in China as APT-C-40, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated advanced persistent threats in the world and "the most advanced (...) we have seen", operating alongside the creators of Stuxnet and Flame.
Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali.
The name originated from the group's extensive use of encryption. By 2015, Kaspersky documented 500 malware infections by the group in at least 42 countries, while acknowledging that the actual number could be in the tens of thousands due to its self-terminating protocol.
In 2017, WikiLeaks published a discussion held within the CIA on how it had been possible to identify the group. One commenter wrote that "the Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools" used for hacking.
Discovery
At the Kaspersky Security Analysts Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. According to Kaspersky Lab's report, the group has been active since at least 2001, with more than 60 actors. The malware used in their operations, dubbed EquationDrug and GrayFish, was found to be capable of reprogramming hard disk drive firmware. Because of the advanced techniques involved and high degree of covertness, the group is suspected of ties to the NSA, but Kaspersky Lab has not identified the actors behind the group.
Probable links to Stuxnet and the NSA
In 2015, Kaspersky's research findings on the Equation Group noted that its loader, "GrayFish", had similarities to a previously discovered loader, "Gauss", from another attack series, and separately noted that the Equation Group used two zero-day attacks later used in Stuxnet; the researchers concluded that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together".
Firmware
They also identified that the platform had at times been spread by interdiction (interception of legitimate CDs sent by a scientific conference organizer by mail). The platform also had the "unprecedented" ability to infect and be transmitted through the hard drive firmware of several major hard drive manufacturers, and to create and use hidden disk areas and virtual disk systems for its purposes, a feat which would require access to the manufacturers' source code to achieve. The tool was designed for surgical precision, going so far as to exclude specific countries by IP and to allow targeting of specific usernames on discussion forums.
Codewords and timestamps
The NSA codewords "STRAITACID" and "STRAITSHOOTER" have been found inside the malware. In addition, timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday–Friday in what would correspond to an 08:00–17:00 (8:00 AM – 5:00 PM) workday in an Eastern United States time zone.
The LNK exploit
Kaspersky's Global Research and Analysis Team (GReAT) claimed to have found a piece of malware, Fanny, that contained Stuxnet's "privLib" in 2008. Specifically, it contained the LNK exploit found in Stuxnet in 2010. Fanny is classified as a worm that affects certain Windows operating systems and attempts to spread laterally via network connection or USB storage. Kaspersky stated that it suspects the Equation Group has been around longer than Stuxnet, based on the recorded compile time of Fanny.
Link to IRATEMONK
F-Secure claims that the Equation Group's malicious hard drive firmware is the TAO program "IRATEMONK", one of the items from the NSA ANT catalog exposed in a 2013 Der Spiegel article. IRATEMONK provides the attacker with the ability to have their software application persistently installed on desktop and laptop computers, despite the disk being formatted, its data erased or the operating system re-installed. It infects the hard drive firmware, which in turn adds instructions to the disk's master boot record that cause the software to install each time the computer is booted up. It is capable of infecting certain hard drives from Seagate, Maxtor, Western Digital, Samsung, IBM, Micron Technology and Toshiba.
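The persistence mechanism described above (firmware that rewrites the master boot record so the payload is reinstalled on every boot) is detectable from the host side by comparing the MBR's 446-byte boot-code area against a recorded baseline. The following is an added example written for this article; it is not IRATEMONK, not any vendor's tool, and not code from the sources cited here. It parses a constructed 512-byte MBR image (NOP padding as boot code, one partition entry, the 0x55AA signature), hashes the boot code, walks the partition table and reports deviations from a baseline hash. On a real host the first 512 bytes of the raw block device would be read instead of the constructed image.

```python
"""Parse a 512-byte master boot record and check it against a known-good baseline.

Added example for this article. It is not IRATEMONK code and not any
vendor's tool: it shows the defender's side, i.e. what a periodic integrity
check of the MBR boot code looks like. The MBR image used here is
constructed (446 bytes of NOP padding, one partition entry, boot signature).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446            # boot code: bytes 0..445
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow the boot code
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"
# status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4), little-endian
PARTITION_ENTRY_FMT = "<B3xB3xII"


def parse_partition_entry(entry):
    """Decode one 16-byte partition table entry (CHS fields are ignored)."""
    status, ptype, lba_start, sectors = struct.unpack(PARTITION_ENTRY_FMT, entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Return the boot-code hash, the non-empty partition entries and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = bytes(sector[off:off + PARTITION_ENTRY_SIZE])
        if entry == bytes(PARTITION_ENTRY_SIZE):
            continue  # unused slot: all zero
        info = parse_partition_entry(entry)
        info["index"] = i
        partitions.append(info)
    return {
        "bootstrap_sha256": hashlib.sha256(bytes(sector[:BOOTSTRAP_SIZE])).hexdigest(),
        "partitions": partitions,
        "signature_ok": bytes(sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2]) == BOOT_SIGNATURE,
    }


def check_mbr(sector, baseline_sha256):
    """List findings that warrant investigation; an empty list means 'matches baseline'."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            findings.append(f"partition {p['index']}: zero-length partition")
    return findings


def build_sample_mbr():
    """Constructed clean MBR: NOP-filled boot area, one active type-0x83 partition at LBA 2048."""
    bootstrap = b"\x90" * BOOTSTRAP_SIZE
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, 0x83, 2048, 204800)
    table = entry + bytes(PARTITION_ENTRY_SIZE * 3)
    return bootstrap + table + BOOT_SIGNATURE


def tamper_boot_code(sector):
    """Constructed tampering for the demo: overwrite the first four boot-code bytes (a placeholder, not an implant)."""
    modified = bytearray(sector)
    modified[0:4] = b"TMPR"
    return bytes(modified)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["bootstrap_sha256"]
    print("baseline boot-code sha256:", baseline)
    print("clean image findings:", check_mbr(clean, baseline))
    print("tampered image findings:", check_mbr(tamper_boot_code(clean), baseline))
```

The baseline hash should be recorded at provisioning time and stored off the host. One caveat that follows directly from the article: a platform that lives in the drive firmware and maintains hidden disk areas controls what the host reads from the disk, so a clean result from this check is only as trustworthy as the drive returning the sector; it complements, rather than replaces, firmware verification.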
2016 breach of the Equation Group
In August 2016, a hacking group calling itself "The Shadow Brokers" announced that it had stolen malware code from the Equation Group. Kaspersky Lab noticed similarities between the stolen code and earlier known code from the Equation Group malware samples in its possession, including quirks unique to the Equation Group's way of implementing the RC6 encryption algorithm, and therefore concluded that the announcement was legitimate. The most recent dates of the stolen files are from June 2013, prompting Edward Snowden to speculate that a likely lockdown resulting from his leak of the NSA's global and domestic surveillance efforts stopped The Shadow Brokers' breach of the Equation Group. Exploits against Cisco Adaptive Security Appliances and Fortinet's firewalls were featured in some malware samples released by The Shadow Brokers. EXTRABACON, a Simple Network Management Protocol (SNMP) exploit against Cisco's ASA software, was a zero-day exploit as of the time of the announcement. Juniper also confirmed that its NetScreen firewalls were affected. The EternalBlue exploit was used to conduct the damaging worldwide WannaCry ransomware attack.
2022 alleged Northwestern Polytechnical University hack
In 2022, an investigation conducted by China's National Computer Virus Emergency Response Center (CVERC) and computer security firm Qihoo 360 attributed an extensive cyber attack on China's Northwestern Polytechnical University (NPU) to the NSA's Office of Tailored Access Operations (TAO), compromising tens of thousands of network devices in China over the years and exfiltrating over 140GB of high-value data.
The CVERC alleged that the attack involved a "longer period of preparatory work", setting up an anonymized attack infrastructure by leveraging SunOS zero-days to compromise institutions with large network traffic in 17 countries, 70% of which neighbored China. Those compromised machines were used as "springboards" to gain access into the NPU by leveraging man-in-the-middle and spear-phishing attacks against students and teachers. The report also claims the NSA had used two cover companies, "Jackson Smith Consultants" and "Mueller Diversified Systems", to purchase US-based IP addresses that would later be used in the FOXACID platform to launch attacks on the university.
CVERC and 360 identified 41 different tools and malware samples during forensic analysis, many of which were similar or consistent with TAO weapons exposed in the Shadow Brokers leak. Investigators also attributed the attack to the Equation Group due to a mixture of attack times, human errors and American English keyboard inputs. Forensic analysis of one of the tools, called "NOPEN", which required human input, indicated that 98% of all attacks occurred during U.S. working hours, with no cyber-attacks being logged during weekends or during American holidays such as Memorial Day and Independence Day.
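Both the "Codewords and timestamps" section (compile timestamps clustering in a Monday–Friday, 08:00–17:00 Eastern workday) and the NOPEN analysis above (98% of activity in U.S. working hours, nothing on weekends or U.S. holidays) rest on the same analyst technique: convert each timestamp to a candidate operator time zone and tally it by local weekday and hour. The block below is an added example of that technique written for this article; it is not Kaspersky's or CVERC's analysis code. It takes Unix epoch timestamps (as found in a PE header's TimeDateStamp or an intrusion log), converts them to a candidate zone, builds a weekday/hour histogram and reports the share inside the working window, with an optional holiday exclusion. The ten timestamps and the holiday date are constructed for the example and are not values from any real sample; the America/New_York zone is an assumption the analyst is testing, not a conclusion the code draws.

```python
"""Working-hours analysis of malware timestamps.

Added example for this article (not Kaspersky's or CVERC's tooling). The
sample timestamps below are constructed; they are not values from any real
malware sample.
"""
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Candidate operator time zone. The DST-aware zone is used when a tz database
# is available; otherwise a fixed-offset fallback is used (assumption: the
# analyst accepts a one-hour error during daylight-saving months).
try:
    from zoneinfo import ZoneInfo
    EASTERN = ZoneInfo("America/New_York")
except Exception:
    EASTERN = timezone(timedelta(hours=-5), "EST")

# Fixed offset valid for June 2013 (EDT = UTC-4); used for deterministic checks.
FIXED_EDT = timezone(timedelta(hours=-4), "EDT")

WEEKDAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def _utc(year, month, day, hour, minute):
    """Epoch seconds for a UTC wall-clock time (helper for the sample data)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample: ten timestamps spread over June 2013, in UTC.
SAMPLE_TIMESTAMPS = [
    _utc(2013, 6, 10, 13, 15),  # Mon 09:15 EDT
    _utc(2013, 6, 11, 18, 40),  # Tue 14:40 EDT
    _utc(2013, 6, 12, 12, 5),   # Wed 08:05 EDT
    _utc(2013, 6, 13, 20, 59),  # Thu 16:59 EDT
    _utc(2013, 6, 14, 21, 10),  # Fri 17:10 EDT (after hours)
    _utc(2013, 6, 15, 15, 0),   # Sat 11:00 EDT (weekend)
    _utc(2013, 6, 17, 11, 30),  # Mon 07:30 EDT (before hours)
    _utc(2013, 6, 18, 16, 0),   # Tue 12:00 EDT
    _utc(2013, 6, 19, 19, 45),  # Wed 15:45 EDT
    _utc(2013, 6, 20, 14, 20),  # Thu 10:20 EDT
]
# Constructed "holiday" used to show the exclusion; not a real U.S. holiday.
SAMPLE_HOLIDAYS = frozenset({date(2013, 6, 19)})


def to_local(epoch_seconds, tz):
    """Convert a UTC epoch timestamp to an aware datetime in tz."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).astimezone(tz)


def is_working_time(local_dt, start_hour=8, end_hour=17, holidays=frozenset()):
    """True if local_dt is on a Mon-Fri, non-holiday day inside [start_hour, end_hour)."""
    if local_dt.weekday() >= 5 or local_dt.date() in holidays:
        return False
    return start_hour <= local_dt.hour < end_hour


def weekday_hour_histogram(timestamps, tz):
    """Count timestamps per (weekday, hour) in tz; weekday 0 = Monday."""
    hist = Counter()
    for ts in timestamps:
        local = to_local(ts, tz)
        hist[(local.weekday(), local.hour)] += 1
    return hist


def business_hours_share(timestamps, tz, start_hour=8, end_hour=17, holidays=frozenset()):
    """Fraction of timestamps inside the working window (0.0 for empty input)."""
    if not timestamps:
        return 0.0
    hits = sum(1 for ts in timestamps
               if is_working_time(to_local(ts, tz), start_hour, end_hour, holidays))
    return hits / len(timestamps)


def report(timestamps, tz, holidays=frozenset()):
    """Print a per-weekday/hour table and the working-hours share."""
    for (wd, hour), n in sorted(weekday_hour_histogram(timestamps, tz).items()):
        print(f"{WEEKDAY_NAMES[wd]} {hour:02d}:00  {'#' * n}")
    share = business_hours_share(timestamps, tz, holidays=holidays)
    print(f"within Mon-Fri 08:00-17:00 local: {share:.0%}")


if __name__ == "__main__":
    report(SAMPLE_TIMESTAMPS, EASTERN, SAMPLE_HOLIDAYS)
```

The useful output is the comparison across candidate zones: the zone under which the histogram collapses into a single five-day, nine-hour block is the one worth reporting, and a large sample (the article's NOPEN figure rests on years of logged sessions) is needed before a share like 98% carries weight, since compile timestamps can be forged and a handful of values will cluster by chance.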
See also
* Global surveillance disclosures (2013–present)
* United States intelligence operations abroad
* Firmware hacking
External links
* Equation Group: Questions and Answers, by Kaspersky Lab, Version 1.5, February 2015
* A Fanny Equation: "I am your father, Stuxnet", by Kaspersky Lab, February 2015
* fanny.bmp source, at GitHub, November 30, 2020
* Technical Write-up, at GitHub, February 10, 2021