The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA).
Kaspersky Lab describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced ... we have seen", operating alongside the creators of Stuxnet and Flame.
Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.
The name originated from the group's extensive use of encryption. By 2015, Kaspersky documented 500 malware infections by the group in at least 42 countries, while acknowledging that the actual number could be in the tens of thousands due to its self-terminating protocol.
In 2017, WikiLeaks published a discussion held within the CIA on how it had been possible to identify the group. One commenter wrote that "the Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools" used for hacking.
Discovery
At the Kaspersky Security Analysts Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. According to Kaspersky Lab's report, the group has been active since at least 2001, with more than 60 actors. The malware used in their operations, dubbed EquationDrug and GrayFish, is found to be capable of reprogramming hard disk drive firmware. Because of the advanced techniques involved and high degree of covertness, the group is suspected of ties to the NSA, but Kaspersky Lab has not identified the actors behind the group.
Probable links to Stuxnet and the NSA
In 2015, Kaspersky's research findings on the Equation Group noted that its loader, "Grayfish", had similarities to a previously discovered loader, "Gauss", from another attack series, and separately noted that the Equation Group used two zero-day attacks later used in Stuxnet; the researchers concluded that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together".
Firmware
They also identified that the platform had at times been spread by interdiction (interception of legitimate CDs sent by a scientific conference organizer by mail), and that the platform had the "unprecedented" ability to infect and be transmitted through the hard drive firmware of several major hard drive manufacturers, and to create and use hidden disk areas and virtual disk systems for its purposes, a feat which would require access to the manufacturer's source code to achieve, and that the tool was designed for surgical precision, going so far as to exclude specific countries by IP and allow targeting of specific usernames on discussion forums.
Codewords and timestamps
The NSA codewords "STRAITACID" and "STRAITSHOOTER" have been found inside the malware. In addition, timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday–Friday in what would correspond to a 08:00–17:00 (8:00 AM - 5:00 PM) workday in an Eastern United States time zone.
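As an added illustration (not part of the original article), the following Python sketch shows the kind of compile-timestamp profiling that underlies a workday inference like the one above: timestamps are converted to US Eastern time and bucketed by weekday and hour. The timestamps are constructed sample values, not values recovered from any Equation Group sample, and the 80% threshold is an assumed cut-off.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo          # Python 3.9+, needs a system tz database
    EASTERN = ZoneInfo("America/New_York")
except Exception:
    # No tz database available: fall back to fixed Eastern Standard Time (no DST).
    EASTERN = timezone(timedelta(hours=-5), "EST")

WORK_START, WORK_END = 8, 17   # the 08:00-17:00 window cited in the text

def local_epoch(year, month, day, hour, minute, tz=EASTERN):
    """Build a Unix timestamp from a wall-clock time in the given zone."""
    return int(datetime(year, month, day, hour, minute, tzinfo=tz).timestamp())

# Constructed sample "compile timestamps" (not values from real malware):
# seven weekday daytime builds plus one late-night Saturday build.
SAMPLE_TIMESTAMPS = [
    local_epoch(2012, 1, 9, 9, 15),    # Mon
    local_epoch(2012, 1, 10, 11, 40),  # Tue
    local_epoch(2012, 1, 11, 14, 5),   # Wed
    local_epoch(2012, 1, 12, 16, 30),  # Thu
    local_epoch(2012, 1, 13, 10, 0),   # Fri
    local_epoch(2012, 1, 14, 2, 0),    # Sat 02:00, outside the window
    local_epoch(2012, 1, 16, 8, 45),   # Mon
    local_epoch(2012, 1, 17, 13, 20),  # Tue
]

def workday_profile(epoch_seconds, tz=EASTERN):
    """Bucket timestamps by local weekday and hour, and return the share that
    fall inside a Monday-Friday, WORK_START-WORK_END working day in `tz`."""
    weekdays, hours, inside = Counter(), Counter(), 0
    for ts in epoch_seconds:
        local = datetime.fromtimestamp(ts, tz)
        weekdays[local.strftime("%a")] += 1
        hours[local.hour] += 1
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            inside += 1
    share = inside / len(epoch_seconds) if epoch_seconds else 0.0
    return weekdays, hours, share

def consistent_with_workday(epoch_seconds, tz=EASTERN, threshold=0.8):
    """True when at least `threshold` of the timestamps fall in working hours.
    Compile timestamps can be forged or zeroed, so treat this as a weak signal
    unless other evidence corroborates it."""
    return workday_profile(epoch_seconds, tz)[2] >= threshold
```

On the sample, seven of eight timestamps fall in the window (87.5%), so the set passes the assumed threshold; a real analysis would run this over every sample's compile timestamp and compare several candidate time zones.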
The LNK exploit
Kaspersky's global research and analysis team, otherwise known as GReAT, claimed to have found a piece of malware that contained Stuxnet's "privLib" in 2008. Specifically, it contained the LNK exploit found in Stuxnet in 2010. This malware, Fanny, is classified as a worm that affects certain Windows operating systems and attempts to spread laterally via network connection or USB storage. Kaspersky stated that they suspect that the Equation Group has been around longer than Stuxnet, based on the recorded compile time of Fanny.
Link to IRATEMONK
F-Secure claims that the Equation Group's malicious hard drive firmware is TAO program "IRATEMONK", one of the items from the NSA ANT catalog exposed in a 2013 ''Der Spiegel'' article. IRATEMONK provides the attacker with an ability to have their software application persistently installed on desktop and laptop computers, despite the disk being formatted, its data erased or the operating system re-installed. It infects the hard drive firmware, which in turn adds instructions to the disk's master boot record that cause the software to install each time the computer is booted up. It is capable of infecting certain hard drives from Seagate, Maxtor, Western Digital, Samsung, IBM, Micron Technology and Toshiba.
2016 breach of the Equation Group
In August 2016, a hacking group calling itself "The Shadow Brokers" announced that it had stolen malware code from the Equation Group. Kaspersky Lab noticed similarities between the stolen code and earlier known code from the Equation Group malware samples it had in its possession, including quirks unique to the Equation Group's way of implementing the RC6 encryption algorithm, and therefore concluded that this announcement is legitimate. The most recent dates of the stolen files are from June 2013, thus prompting Edward Snowden to speculate that a likely lockdown resulting from his leak of the NSA's global and domestic surveillance efforts stopped The Shadow Brokers' breach of the Equation Group. Exploits against Cisco Adaptive Security Appliances and Fortinet's firewalls were featured in some malware samples released by The Shadow Brokers. EXTRABACON, a Simple Network Management Protocol exploit against Cisco's ASA software, was a zero-day exploit as of the time of the announcement. Juniper also confirmed that its NetScreen firewalls were affected. The EternalBlue exploit was used to conduct the damaging worldwide WannaCry ransomware attack.
See also
* Global surveillance disclosures (2013–present)
* United States intelligence operations abroad
* Firmware hacking
External links
* Equation Group: Questions and Answers, by Kaspersky Lab, Version 1.5, February 2015
* A Fanny Equation: "I am your father, Stuxnet", by Kaspersky Lab, February 2015
* fanny.bmp source, at GitHub, November 30, 2020
* Technical Write-up, at GitHub, February 10, 2021