‘Equation Group’ hackers attacked 30+ nations with NSA-style tech

Russian security experts say that an advanced persistent threat team has infected thousands of computers in more than 30 countries using tools and tactics not unlike what’s already been attributed to the National Security Agency.

Kaspersky Lab of Moscow declined to specifically implicate the United States and its spy office in a report published by the security firm on Monday this week. The researchers, however, say that they have been monitoring a group of computer hackers that has waged attacks since 2001 and that shares similarities with operations of the NSA.

The team of malicious actors is dubbed the “Equation Group” in this week’s Kaspersky report, and the Russian researchers say its participants have waged cyber-attacks against government entities, military institutions, telecommunication firms and the energy sector, among others, pertaining to nations including Russia, Afghanistan, Pakistan, Syria and dozens more.

According to Kaspersky, the Equation Group has used a state-of-the-art suite of spy tools and hacks in order to infiltrate computer networks around the globe and infect those machines with viruses that give attackers complete access to them. The viruses also allow them to embed malicious code and entry points deep into encrypted partitions that may be impossible to otherwise identify.

“As we uncover more of these cyber espionage operations we realize how little we understand about the true capabilities of these threat actors,” Costin Raiu, head of Kaspersky’s Global Research and Analysis Team, told Wired.

Yet while Kaspersky has not equated the Equation Group with any sort of division of the NSA, a former employee of the American spy agency told Reuters that the Russian researchers were correct in linking the contents of its latest report with the infamous surveillance office that has come under heavy attack since many of its secret operations were exposed by ex-contractor Edward Snowden starting in June 2013.

For its part, the NSA declined to comment on the report.

According to the research, the toolkit of exploits that is used by the Equation Group contains striking similarities with Stuxnet and Flame – powerful pieces of malware that for years have been attributed to campaigns waged by the US.

During the course of its research, Kaspersky discovered a worm that it believes could have served as a precursor to Stuxnet – malware widely believed to have been developed by the US and Israel to help sabotage Iran’s controversial nuclear program. Dubbed “Fanny,” the newly found worm had features and exploits that were not included in the first version of Stuxnet. They were only added later, possibly after the exploits were found to be effective.

After these new exploits were added, Stuxnet was able to quickly and more effectively pass through computers in Iran, even those that were not connected to the internet.

Researchers even found a new kind of platform – called “GrayFish” – that allows hackers to re-flash or alter the programming of a hard drive’s firmware with its own code, which Wired said turns the machine “into a slave of the attackers.” With this malware in place, hackers can retain access to a computer even if the owner reformats the hard drive or completely wipes the operating system and reinstalls it.

According to Reuters, hacking a hard drive's firmware in this way would require those involved to have access to the drive's source code, which, when obtained, could point programmers towards exploitable weaknesses. It's currently unclear if technology companies such as Seagate, Western Digital, Toshiba, and about a dozen or so others shared their source code with the NSA at any point, but Raiu said there is “zero chance” that someone could reprogram firmware using public information.

Western Digital said it "has not provided its source code to government agencies," but other companies did not comment on the matter.

Meanwhile, former NSA analyst Vincent Liu said the government has ways to access source code if it deems that necessary.

"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" Liu told Reuters. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."

In some cases, such as with GrayFish, the Equation Group’s tools surpassed those of the “Regin” platform, also used to attack networks in numerous countries.

“It seems to me Equation Group are the ones with the coolest toys,” Raiu said to Ars Technica. “Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.”

As advanced as these capabilities are, just as significant is that Kaspersky believes the recently discovered worms are not a true indication of the Equation Group’s current sophistication. None of the research dug up is dated to 2014, meaning that whatever tools the group is working with nowadays could be even stronger and more innovative than platforms like GrayFish.