Equation Group

The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced ... we have seen", operating alongside the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali. The name originated from the group's extensive use of encryption. By 2015, Kaspersky documented 500 malware infections by the group in at least 42 countries, while acknowledging that the actual number could be in the tens of thousands due to its self-terminating protocol. In 2017, WikiLeaks published a discussion held within the CIA on how it had been possible to identify the group. One commenter wrote that "the Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools" used for hacking.


Discovery

At the Kaspersky Security Analysts Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. According to Kaspersky Lab's report, the group has been active since at least 2001, with more than 60 actors. The malware used in their operations, dubbed EquationDrug and GrayFish, was found to be capable of reprogramming hard disk drive firmware. Because of the advanced techniques involved and the high degree of covertness, the group is suspected of ties to the NSA, but Kaspersky Lab has not identified the actors behind the group.


Probable links to Stuxnet and the NSA

In 2015 Kaspersky's research findings on the Equation Group noted that its loader, "Grayfish", had similarities to a previously discovered loader, "Gauss", from another attack series, and separately noted that the Equation Group used two zero-day attacks later used in Stuxnet; the researchers concluded that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together".


Firmware

Kaspersky's researchers also identified that the platform had at times been spread by interdiction (interception of legitimate CDs sent by a scientific conference organizer by mail). They found that the platform had the "unprecedented" ability to infect, and be transmitted through, the hard drive firmware of several major hard drive manufacturers, and to create and use hidden disk areas and virtual disk systems for its purposes, a feat which would require access to the manufacturer's source code to achieve. They further found that the tool was designed for surgical precision, going so far as to exclude specific countries by IP and to allow targeting of specific usernames on discussion forums.


Codewords and timestamps

The NSA codewords "STRAITACID" and "STRAITSHOOTER" have been found inside the malware. In addition, timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday–Friday in what would correspond to a 08:00–17:00 (8:00 AM - 5:00 PM) workday in an Eastern United States time zone.
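The working-hours inference above is a standard attribution technique: convert each sample's compile timestamp into a candidate time zone and see whether the builds cluster into a local Monday–Friday business day. The script below is an added example written for this page, not Kaspersky's tooling. It assumes the PE header TimeDateStamp values have already been extracted (for example with pefile) and are supplied as Unix epoch integers; the ten values in SAMPLE_TIMESTAMPS are constructed for the demonstration and are not real sample data. Beyond the page's single case, best_fitting_offset() runs the argument in reverse and asks which fixed UTC offset makes the cluster look most like a nine-to-five shop.

```python
"""Compile-timestamp working-hours analysis (added example, not from the page).

Assumption: each sample's PE TimeDateStamp has already been extracted and is
given as a Unix epoch value. SAMPLE_TIMESTAMPS is constructed, not real data.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    EASTERN = ZoneInfo("America/New_York")   # DST-aware when tzdata is installed
except Exception:                             # fallback: fixed UTC-5, no DST
    EASTERN = timezone(timedelta(hours=-5), "EST")

WORK_HOURS = range(8, 17)   # 08:00 through 16:59 local time
WORK_DAYS = range(0, 5)     # Monday (0) through Friday (4)


def _local(year, month, day, hour, minute):
    """Build a constructed epoch timestamp from an Eastern wall-clock time."""
    return int(datetime(year, month, day, hour, minute, tzinfo=EASTERN).timestamp())


# Constructed sample: six builds inside the window, two weekday builds outside
# it (17:00 and a late evening), and two weekend builds.
SAMPLE_TIMESTAMPS = [
    _local(2012, 3, 12, 9, 15),   # Mon, in window
    _local(2012, 3, 13, 14, 40),  # Tue, in window
    _local(2012, 3, 14, 16, 59),  # Wed, in window (last minute of window)
    _local(2012, 3, 15, 8, 0),    # Thu, in window (first minute of window)
    _local(2012, 3, 16, 11, 5),   # Fri, in window
    _local(2012, 3, 16, 17, 0),   # Fri, just after window
    _local(2012, 3, 17, 10, 0),   # Sat, weekend
    _local(2012, 3, 18, 2, 30),   # Sun, weekend night
    _local(2012, 3, 19, 13, 20),  # Mon, in window
    _local(2012, 3, 20, 22, 10),  # Tue, late evening
]


def bucket_by_weekday_hour(timestamps, tz=EASTERN):
    """Count samples per (weekday, hour) after converting into the candidate zone."""
    counts = Counter()
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        counts[(local.weekday(), local.hour)] += 1
    return counts


def workday_fraction(timestamps, tz=EASTERN):
    """Return (samples inside Mon-Fri 08:00-16:59 in tz, total samples)."""
    inside = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() in WORK_DAYS and local.hour in WORK_HOURS:
            inside += 1
    return inside, len(timestamps)


def weekday_fraction(timestamps, tz=EASTERN):
    """Return (samples falling on Mon-Fri in tz, total samples), ignoring the hour."""
    inside = sum(1 for ts in timestamps
                 if datetime.fromtimestamp(ts, tz).weekday() in WORK_DAYS)
    return inside, len(timestamps)


def best_fitting_offset(timestamps, candidate_hours=range(-12, 15)):
    """Score fixed UTC offsets by how many samples land in the working window.

    Returns (offset_hours, samples_in_window) for the best-scoring offset; the
    first offset wins on ties, so a tie between adjacent offsets is normal.
    """
    best = None
    for h in candidate_hours:
        inside, _ = workday_fraction(timestamps, timezone(timedelta(hours=h)))
        if best is None or inside > best[1]:
            best = (h, inside)
    return best


if __name__ == "__main__":
    inside, total = workday_fraction(SAMPLE_TIMESTAMPS)
    print(f"{inside}/{total} samples compiled Mon-Fri 08:00-16:59 Eastern")
    for (wd, hr), n in sorted(bucket_by_weekday_hour(SAMPLE_TIMESTAMPS).items()):
        print(f"weekday={wd} hour={hr:02d}: {n}")
    print("best fixed UTC offset:", best_fitting_offset(SAMPLE_TIMESTAMPS))
```

Two caveats a practitioner would keep in mind: the PE timestamp is written by the compiler on the attacker's own machine and can be zeroed or forged, so it is corroborating rather than conclusive evidence, and a nine-to-five cluster under one offset is often equally consistent with a neighbouring offset, which is why the fallback to a fixed UTC-5 zone (no DST) changes little for the sample here.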


The LNK exploit

Kaspersky's global research and analysis team, otherwise known as GReAT, claimed to have found a piece of malware, Fanny, that contained Stuxnet's "privLib" in 2008. Specifically, it contained the LNK exploit found in Stuxnet in 2010. Fanny is classified as a worm that affects certain Windows operating systems and attempts to spread laterally via network connection or USB storage. Kaspersky stated that they suspect that the Equation Group has been around longer than Stuxnet, based on the recorded compile time of Fanny.


Link to IRATEMONK

F-Secure claims that the Equation Group's malicious hard drive firmware is the TAO program "IRATEMONK", one of the items from the NSA ANT catalog exposed in a 2013 ''Der Spiegel'' article. IRATEMONK provides the attacker with an ability to have their software application persistently installed on desktop and laptop computers, despite the disk being formatted, its data erased or the operating system re-installed. It infects the hard drive firmware, which in turn adds instructions to the disk's master boot record that cause the software to install each time the computer is booted up. It is capable of infecting certain hard drives from Seagate, Maxtor, Western Digital, Samsung, IBM, Micron Technology and Toshiba.


2016 breach of the Equation Group

In August 2016, a hacking group calling itself "The Shadow Brokers" announced that it had stolen malware code from the Equation Group. Kaspersky Lab noticed similarities between the stolen code and earlier known code from the Equation Group malware samples it had in its possession, including quirks unique to the Equation Group's way of implementing the RC6 encryption algorithm, and therefore concluded that the announcement was legitimate. The most recent dates of the stolen files are from June 2013, prompting Edward Snowden to speculate that a likely lockdown resulting from his leak of the NSA's global and domestic surveillance efforts stopped The Shadow Brokers' breach of the Equation Group. Exploits against Cisco Adaptive Security Appliances and Fortinet's firewalls were featured in some malware samples released by The Shadow Brokers. EXTRABACON, a Simple Network Management Protocol exploit against Cisco's ASA software, was a zero-day exploit as of the time of the announcement. Juniper also confirmed that its NetScreen firewalls were affected. The EternalBlue exploit was used to conduct the damaging worldwide WannaCry ransomware attack.


See also

* Global surveillance disclosures (2013–present)
* United States intelligence operations abroad
* Firmware hacking



External links

* Equation Group: Questions and Answers, by Kaspersky Lab, Version: 1.5, February 2015
* A Fanny Equation: "I am your father, Stuxnet", by Kaspersky Lab, February 2015
* fanny.bmp source - at GitHub, November 30, 2020
* Technical Write-up - at GitHub, February 10, 2021