Say no to cyber attacks

MANILA, Philippines - For several years, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been closely monitoring more than 60 advanced threat actors responsible for cyber-attacks worldwide.

The team has seen nearly everything, with attacks becoming increasingly complex as more nation-states got involved and tried to arm themselves with the most advanced tools.

However, it is only now that Kaspersky Lab’s experts can confirm they have discovered a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades – The Equation Group.

According to Kaspersky Lab researchers the group is unique almost in every aspect of their activities: they use tools that are very complicated and expensive to develop, in order to infect victims, retrieve data and hide activity in an outstandingly professional way, and utilize classic spying techniques to deliver malicious payloads to the victims.

The victims of Equation group were observed in more than 30 countries, including countries from Southeast Asia like the Philippines, Malaysia and Singapore.

Other countries were Iran, Russia, Syria, Afghanistan, Kazakhstan, Belgium, Somalia, Hong Kong, Libya, United Arab Emirates, Iraq, Nigeria, Ecuador, Mexico, United States, Sudan, Lebanon, Palestine, France, Germany, Qatar, Pakistan, Yemen, Mali, Switzerland, Bangladesh, South Africa, United Kingdom, India and Brazil.

To infect their victims, the group uses a powerful arsenal of “implants” (Trojans) including the following that have been named by Kaspersky Lab: EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. Without a doubt there will be other “implants” in existence.

What makes the equation group unique?

 GReAT has been able to recover two modules that allow reprogramming of the hard drive firmware of more than a dozen of the popular HDD brands. This is perhaps the most powerful tool in the Equation group’s arsenal and the first known malware capable of infecting the hard drives.

By reprogramming the hard drive firmware (i.e. rewriting the hard drive’s operating system), the group achieves an extreme level of persistence that helps to survive disk formatting and OS reinstallation; and the ability to create an invisible, persistent area hidden inside the hard drive.

The Fanny worm stands out from all the attacks performed by the Equation group. Its main purpose was to map air-gapped networks, in other words – to understand the topology of a network that cannot be reached, and to execute commands to those isolated systems. For this, it used a unique USB-based command and control mechanism, which allowed the attackers to pass data back and forth from air-gapped networks.

In particular, an infected USB stick with a hidden storage area was used to collect basic system information from a computer not connected to the Internet and to send it to the C&C when the USB stick was plugged into a computer infected by Fanny and having an Internet connection. If the attackers wanted to run commands on the air-gapped networks, they could save these commands in the hidden area of the USB stick. When the stick was plugged into the air-gapped computer, Fanny recognized the commands and executed them.

The attackers used universal methods to infect targets: not only through the web, but also in the physical world. For that they used an interdiction technique – intercepting physical goods and replacing them with Trojanized versions. One such example involved targeting participants at a scientific conference in Houston: Upon returning home, some of the participants received a copy of the conference materials on a CD-ROM which was then used to install the group’s DoubleFantasy implant into the target’s machine. The exact method by which these CDs were interdicted is unknown.

Infamous friends: Stuxnet and flame

There are solid links indicating that the Equation group has interacted with other powerful groups, such as the Stuxnet and Flame operators – generally from a position of superiority. The Equation group had access to zero-days before they were used by Stuxnet and Flame, and at some point they shared exploits with others.

For example, in 2008 Fanny used two zero-days which were introduced into Stuxnet in June 2009 and March 2010. One of those zero-days in Stuxnet was actually a Flame module that exploits the same vulnerability and which was taken straight from the Flame platform and built into Stuxnet.

The Equation group uses a vast C&C infrastructure that includes more than 300 domains and more than 100 servers. The servers are hosted in multiple countries, including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and Czech Republic. Kaspersky Lab is currently sinkholing a couple dozen of the 300 C&C servers.

Since 2001, the Equation group has been busy infecting thousands, or perhaps even tens of thousands of victims in more than 30 countries worldwide, covering the following sectors: government and diplomatic institutions, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, mass media, transportation, financial institutions and companies developing encryption technologies.

Kaspersky Lab observed seven exploits used by the Equation group in their malware, and its products detected a number of attempts to attack its users. Many of these attacks were not successful due to Automatic Exploit Prevention technology, which generically detects and blocks exploitation of unknown vulnerabilities. The Fanny worm, presumably compiled in July 2008, was first detected and blacklisted by its automatic systems in December 2008.