Does it Equate?

The Moscow-based security company, Kaspersky Lab, describes the Equation Group as a “threat actor that surpasses anything known in terms of complexity and sophistication of techniques” and “the most advanced threat actor we have seen.” [1]

What Is In A Name?

Kaspersky’s Lab named the group “Equation” due to its preferred use of sophisticated encryption algorithms and obfuscation strategies.  The Equation Group uses specific implementation of the RC5 encryption algorithm as well as RC6, RC4, and AES.  According to Kaspersky, their tools are complex and expensive to develop, and they operate in an extremely professional manner.   Based on these factors, many experts including Kaspersky’s Lab theorize that the Equation Group has a nation-state backer due to its technical ability and resources [1].    The group has a large command and control network infrastructure located in the United States, the United Kingdom, Panama, Costa Rica, Colombia, Germany, and the Netherlands, more than 100 servers and 300 domains. [2]

Equation Group Targets

There have been over five hundred known victims of the Equation Group, however, the number might be higher as their infections are known to include a self-destruct mechanism that wipes any record of the infection on the victim’s system.  Their attacks are all very specific and chosen with “surgical precision” as it uses a validator malware to confirm the identity of the personal computer before deploying their intended malware.  The preferred targets of the Equation Group are located mostly in Iran, Russia, Pakistan, Afghanistan, India, and China.   They target the military, telecommunications, government and diplomatic institutions, Islamic activists and scholars, businesses working on encryption technology, and research institutions (including those that conduct nanotechnology and nuclear research). [1]

Tools of the Trade

The Equation Group uses a vast arsenal of “implants” aka Trojans, including EQUATIONLASER, EQUATION DRUG, DOUBLEFANTASY, TRIPLEFANTASY, FANNY and GRAYFISH.  Codenames for their tools and implants include SKYHOOKCHOW, UR, KS, SF, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, DESERTWINTER and GROK.

Cybersecurity experts distinguish the Equation Group for their use of a module known as “nls_933w.dll”.  This module allows them to reprogram a hard drive’s firmware.  Drives made by Seagate Technology, Western Digital Technologies, Hitachi, Samsung Electronics, Toshiba, Maxtor, and IBM are all known to be susceptible [1] [3] .   The Equation Group was also known to use interdiction techniques in which they would intercept physical items (like CD-ROMs) and replace them with Trojanized versions [1].  Most of the malware is designed to work on Microsoft’s Windows operating system, however, there have been speculations that there are DOUBLEFANTASY Mac OS X versions [4].  

Command & Control Servers:  A computer that issues directives to digital devices that are infected with rootkits or various other types of malware.  Often called a botnet with network nodes (often referred to as zombies), they are used to create networks of infected devices that are used to carry out DDoS attacks, steal data, delete data or encrypt data [4].  

FANNY:  A computer worm that was created in 2008 and it was distributed throughout the Middle East and Asia.  It used two zero-day exploits and was spread through the Stuxnet LNK exploit and USB sticks plugged into air-gap systems.  The infected USB stick contained a hidden storage area that contained the malware and where information was collected.  When the USB detected an internet connection and was plugged into a computer infected with fanny, it would send the stolen data to the command and control servers (C&C).  The malware also enabled the attackers to run commands on air-gapped networks by recognizing commands and executing them.   It was theorized to have been complied in the summer of 2008 and it was first discovered later that year.  It took advantage of a vulnerability patched by the Microsoft bulletin MS09-025.  The purpose of the worm was to map air gapped networks then pass data back and forth [1].  

DOUBLEFANTASY:  An implant that confirms their victims and it serves two purposes; confirms if the victim is worth pursuing or whether to keep a backdoor for future use.  Once the target is confirmed and deemed worthy, another platform is deployed such as GRAYFISH or EQUATIONDRUG.   TRIPLEFANTASY appears to be an upgrade to DOUBLEFANTSY and is used in tandem with GRAYFISH [5].

“DoubleFantasy keeps an internal version number in its configuration block, together with other data such as legitimate hosts used to validate the internet connection (e.g.: microsoft.com, yahoo.com) and C&Cs" [5]

EQUATIONDRUG (or EQUESTRE), which dates back to 2003 is a Trojan that conducts cyber espionage activities by deploying modules on machines of selected victims.  It is deployed through plugins (or modules) that are pre-built with a set of plugins that support cyber espionage functions; like file collection and taking screenshots.  The stolen data is stored inside a custom-encrypted virtual file system before it is sent to the C&C servers.   Subsequently, the module plugin system can also be dynamically uploaded and unloaded as required.  The platform includes executables, configurations and protected (and hidden) storage locations, and resembles a mini-operating system with kernel-mode and user-mode components.   It also includes drivers, a platform core (orchestrator) and plugins (that have a unique ID and version number that defines a set of functions).  

GrayFish is considered the group’s most sophisticated attack platforms.  The virus sits in the registry waiting for the computer to boot.  When the computer boots, it hijacks the operating system by injecting its code into the boot record.  This allows the attacker to assume complete control of the computer, unbeknown to the user, while they siphon data and monitor activities.   It was developed between 2008 and 2013, and is compatible with Microsoft’s operation systems from Windows NT 4.0 to Windows 7 and 8 (both 32-bit and 64 bit versions) [5].

The Masked Unmasked?

Theories suggest the Equation Group is linked to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA) due to the use of similar techniques.  For example, its use of Fanny, a worm that shares similarities with Stuxnet.  Another piece of evidence is that in the leaked top-secret NSA documents by Edward Snowden, it mentions a key logger by the name of Grok, who is also mentioned in the Equation team’s source code [1].  

In 2016, the hacking group “The Shadow Brokers” claimed to have hacked the Equation Group and stolen malware code.   Analysis of the code suggested similarities between the stolen code and the Equation Group malware samples therefore it was deemed legitimate.  The blog post was removed from Tumblr but cached versions were still available at the time.  The data obtained by the group contained batch scripts, and poorly coded python scripts of hacking tools that dated back to 2010.  While impossible to say for certain that the hacked data came from the Equation Group, many experts including a research named Bencsath Boldizar (from the Hungary-based CrySYs) claimed that by judging the volume and peeps into the sample that he would guess that it most likely was part of the NSA toolset.  

The Risk Based Security firm noted that an exploit labeled “ESPL: ESCALATEPLOWMAN” contained an IP address owned by the US Department of Defense.  Many researchers doubt Shadow Brokers actually breached the Equation Groups networks through a direct hack but rather through a breach of a command-and-control channel server.  Some researchers have even cautioned that it may have been a so-called false-flag operation in which evidence is manufactured in order to falsely implicate another, a regular occurrence in hacking campaigns.  In any case, it is speculated that the purpose of the breach was to discredit and embarrass the US government and the intelligence apparatus. [6]

References:      

[1]          Kaspersky Lab,    "Equation Group: The Crown Creator of Cyber-Espionage," 16 02    2015. [Online]. Available:    https://www.kaspersky.com/about/press-releases/2015_equation-group-the-crown-creator-of-cyber-espionage.    [Accessed 30 09 2018].            

[2]          T. Magee, "The    most notorious hacker groups," 20 06 2018. [Online]. Available:    https://www.computerworlduk.com/security/most-notorious-hacker-groups-3679258/.    [Accessed 30 09 2018].            

[3]          "Destroying    your hard drive is the only way to stop this super-advanced malware,"    17 02 2015. [Online]. Available:    https://www.pcworld.com/article/2884952/equation-cyberspies-use-unrivaled-nsastyle-techniques-to-hit-iran-russia.html.    [Accessed 30 09 2018].            

[4]          M. Rouse,    "Definition: Command-and-control server (C&C server)," n.d..    [Online]. Available:    https://whatis.techtarget.com/definition/command-and-control-server-CC-server.    [Accessed 30 09 2018].            

[5]          GReAT,    "EQUATION GROUP: QUESTIONS & ANSWERS," KASPERSKY Lab, Moscow,    2015.            

[6]          D. Goodin,    "Group claims to hack NSA-tied hackers, posts exploits as proof,"    15 08 2016. [Online]. Available:    https://arstechnica.com/information-technology/2016/08/group-claims-to-hack-nsa-tied-hackers-posts-exploits-as-proof/.    [Accessed 30 09 2018].            

[7]          D. Gilbert,    "Equation Group: Meet the NSA 'gods of cyber espionage'," 17 02    2015. [Online]. Available:    http://www.ibtimes.co.uk/equation-group-meet-nsa-gods-cyber-espionage-1488327.    [Accessed 06 09 2016].            

[8]          GReAT,    "Equation: The Death Star of Malware Galaxy," 16 02 2015.    [Online]. Available:    https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/.    [Accessed 30 09 2018].