Equation Group: Difference between revisions

From Wikipedia, the free encyclopedia
Flyer22 Frozen (talk | contribs)
m Reverted 1 edit by 50.25.170.7 identified as test/vandalism using STiki
rejig
Wikitext of the other revision in this comparison (the revision rendered below is the one shown as "Revision as of 09:52, 12 July 2016"):

The '''Equation Group''' is a secretive highly advanced computer espionage group identified by its discoverers at [[Kaspersky Labs]] as one of the most advanced—if not the most advanced—in the world.<ref name="Kaspersky1"/>{{rp|31}} They are suspected by security expert Claudio Guarnieri<ref>{{cite journal |title=Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal' |journal=[[Forbes]] |first=Thomas |last=Fox-Brewster |url=http://www.forbes.com/sites/thomasbrewster/2015/02/16/nsa-equation-cyber-tool-treasure-chest/ |date=February 16, 2015 |accessdate=November 24, 2015}}</ref> and unnamed former intelligence operatives<ref>{{cite news |title=Russian researchers expose breakthrough U.S. spying program |work=[[Reuters]] |url=http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216 |date=February 17, 2015 |first=Joseph |last=Menn |accessdate=November 24, 2015 }}</ref> of being tied to the [[United States]] [[National Security Agency]] (NSA). Because of the group's predilection for strong encryption methods in their operations, the name ''Equation Group'' was chosen by Kaspersky Lab, who also documented 500 [[malware]] infections by the group's tools in at least 42 countries over many years.<ref>{{cite news |title=How "omnipotent" hackers tied to NSA hid for 14 years—and were found at last |work=[[Ars Technica]] |url=http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/ |first=Dan |last=Goodin |date=February 16, 2015 |accessdate=November 24, 2015}}</ref><ref>{{cite web|url=http://www.pcworld.com/article/2884952/equation-cyberspies-use-unrivaled-nsastyle-techniques-to-hit-iran-russia.html |title=Destroying your hard drive is the only way to stop this super-advanced malware |first=Jeremy |last=Kirk |date=17 February 2015 |work=[[PCWorld]] |accessdate=November 24, 2015}}</ref>

In 2015 Kaspersky's research findings on the Equation Group noted that its loader, "Grayfish", had similarities to a previously discovered loader "Gauss" from another attack series, and separately noted that the Equation Group used two zero-day attacks later used in [[Stuxnet]]; the researchers concluded that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together".<ref name="Kaspersky1">{{cite web |url=https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf |title=Equation Group: Questions and Answers (Version: 1.5) |date=February 2015 |work=[[Kaspersky Lab]] |accessdate=November 24, 2015}}</ref>{{rp|13}} They also identified that the platform had at times been spread by [[interdiction]] (interception of legitimate CDs sent by a scientific conference organizer by [[mail]]),<ref name="Kaspersky1" />{{rp|15}} and that the platform had the "unprecedented" ability to infect and be transmitted through the [[hard drive]] [[firmware]] of several of the major hard drive manufacturers, and create and use hidden disk areas and virtual disk systems for its purposes, a feat demanding access to the manufacturer's [[source code]] of each to achieve,<ref name="Kaspersky1" />{{rp|16–18}} and that the tool was designed for surgical precision, going so far as to exclude specific countries by IP and allow targeting of specific usernames on [[discussion forum]]s.<ref name="Kaspersky1"/>{{rp|23–26}} The techniques and knowledge used by the Equation Group were considered in summary to be "out of the reach of most advanced threat groups in the world except [this group]."<ref name="Kaspersky1"/>{{rp|31}}

==Summary==

==Discovery==
At the Kaspersky Security Analysts Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. According to Kaspersky Lab's report, the group has been active since at least 2001, with more than 60 actors.<ref name="kaspersky">{{Cite web |title=Equation Group: The Crown Creator of Cyber-Espionage |work=Kaspersky Lab |url=http://www.kaspersky.com/about/news/virus/2015/Equation-Group-The-Crown-Creator-of-Cyber-Espionage |date=February 16, 2015 |accessdate=November 24, 2015}}</ref> The malware used in their operations, dubbed EquationDrug and GrayFish, is found to be capable of reprogramming [[hard disk drive]] [[firmware]].<ref name="malware-galaxy">{{cite web |title=Equation: The Death Star of Malware Galaxy |work=Kaspersky Lab |url=https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/ |date=February 16, 2015 |accessdate=November 24, 2015}}</ref> Because of the advanced techniques involved and high degree of covertness, the group is suspected of ties to the NSA, but Kaspersky Lab has not identified the actors behind the group.

==Links to NSA and Stuxnet==
The NSA codewords "BACKSNARF", "Grok", "STRAITACID," and "STRAITSHOOTER" have all been found inside the malware. In addition, timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday–Friday in what would correspond to a 08:00–17:00 workday in an Eastern United States timezone.<ref>{{cite web |url=http://arstechnica.com/security/2015/03/new-smoking-gun-further-ties-nsa-to-omnipotent-equation-group-hackers/ |title=New smoking gun further ties NSA to omnipotent "Equation Group" hackers |first=Dan |last=Goodin |date=March 11, 2015 |work=Ars Technica |accessdate=November 24, 2015}}</ref>

==IRATEMONK and Equation Group==
[[File:NSA IRATEMONK.jpg|thumb|The NSA's listing of its [[Tailored Access Operations]] program named IRATEMONK from the [[NSA ANT catalog]].]]
[[F-Secure]] claims that the Equation Group's malicious hard drive [[firmware]] is the [[Tailored Access Operations]] program "IRATEMONK" that is listed in the [[NSA ANT catalog]].<ref name="FSecure">{{cite web|url=https://www.f-secure.com/weblog/archives/00002791.html |title=The Equation Group Equals NSA / IRATEMONK |work=[[F-Secure]] Weblog : News from the Lab |date=February 17, 2015 |accessdate=November 24, 2015}}</ref> IRATEMONK provides the attacker with an ability to have their [[Application software|software application]] persistently installed on desktop and laptop computers, despite the disk being [[Disk formatting|formatted]], its [[Data erasure|data erased]] or the operating system re-installed. It infects the hard drive firmware, which in turn adds instructions to the disk's [[master boot record]] that causes the software to install each time the computer is [[Booting|booted up]].<ref name="IRATEMONK"/> It is capable of infecting certain hard drives from [[Seagate Technology|Seagate]], [[Maxtor]], [[Western Digital]], [[Samsung]],<ref name="IRATEMONK">{{cite web |url=https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html |first=Bruce |last=Schneier |title=IRATEMONK: NSA Exploit of the Day |work=Schneier on Security |date=January 31, 2014 |accessdate=November 24, 2015}}</ref> [[IBM]], [[Micron]] and [[Toshiba]].<ref name="malware-galaxy" />

The text of IRATEMONK's listing in the NSA ANT catalog:<ref name="IRATEMONK"/>
<blockquote>(TS//SI//REL) IRATEMONK provides software application persistence on desktop and laptop computers by implanting in the hard drive firmware to gain execution through Master Boot Record (MBR) substitution.

(TS//SI//REL) This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor, and Samsung hard drives. The supported file systems are: FAT, NTFS, EXT3 and UFS.

(TS//SI//REL) Through remote access or interdiction, UNITEDRAKE, or STRAITBAZZARE are used with SLICKERVICAR to upload the hard drive firmware onto the target machine to implant IRATEMONK and its payload (the implant installer). Once implanted, IRATEMONK's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on.

Status: Released / Deployed. Ready for Immediate Delivery

Unit Cost: $0</blockquote>

== Fanny.bmp ==
Kaspersky's global research and analysis team, otherwise known as GReAT, claimed to have found a piece of malware that contained Stuxnet's "privLib" in 2008.<ref>{{cite web |url=https://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/|title=A Fanny Equation: "I am your father, Stuxnet" |work=Kaspersky Lab |date=February 17, 2015 |accessdate=November 24, 2015}}</ref> Specifically it contained the LNK exploit found in Stuxnet in 2010. Fanny is classified as a worm that affects certain [[Microsoft Windows|Windows operating systems]] and attempts to spread laterally via network connection or [[Universal Serial Bus|USB storage]]. Kaspersky stated that they suspect that because of the recorded compile time of Fanny that the Equation Group has been around longer than Stuxnet.<ref name="malware-galaxy"/>

== See also ==

Revision as of 09:52, 12 July 2016

The Equation Group is a secretive, highly advanced computer espionage group identified by its discoverers at Kaspersky Labs as one of the most advanced, if not the most advanced, in the world.[1]: 31 The name Equation Group was chosen because of the group's predilection for strong encryption methods in its operations.

Kaspersky documented 500 malware infections by the group's tools in at least 42 countries over many years.[2][3]

They are suspected of being tied to the United States National Security Agency (NSA).[4][5]

Discovery

At the Kaspersky Security Analysts Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. According to Kaspersky Lab's report, the group has been active since at least 2001, with more than 60 actors.[6] The malware used in their operations, dubbed EquationDrug and GrayFish, is found to be capable of reprogramming hard disk drive firmware.[7] Because of the advanced techniques involved and high degree of covertness, the group is suspected of ties to the NSA, but Kaspersky Lab has not identified the actors behind the group.

In 2015 Kaspersky's research findings on the Equation Group noted that its loader, "GrayFish", had similarities to a previously discovered loader, "Gauss", from another attack series, and separately noted that the Equation Group used two zero-day attacks later used in Stuxnet; the researchers concluded that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together".[1]: 13

Firmware

Kaspersky's researchers also identified that the platform had at times been spread by interdiction (interception of legitimate CDs sent by mail by a scientific conference organizer),[1]: 15 and that the platform had the "unprecedented" ability to infect, and be transmitted through, the hard drive firmware of several major hard drive manufacturers, creating and using hidden disk areas and virtual disk systems for its purposes, a feat that demands access to each manufacturer's source code,[1]: 16–18 and that the tool was designed for surgical precision, going so far as to exclude specific countries by IP and to allow targeting of specific usernames on discussion forums.[1]: 23–26

Codewords and timestamps

The NSA codewords "BACKSNARF", "Grok", "STRAITACID", and "STRAITSHOOTER" have all been found inside the malware. In addition, timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday–Friday in what would correspond to a 08:00–17:00 workday in an Eastern United States timezone.[8]
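The timestamp argument above reduces to a simple check: convert each sample's compile timestamp into a candidate local time zone and count how many land inside a normal Monday-to-Friday working day. The Python script below is an added illustration of that technique, not code from the article, from Kaspersky or from Ars Technica; the twelve timestamps are constructed for the example and are not values from any Equation Group sample, and the candidate zones are fixed UTC offsets (daylight-saving shifts are ignored, a simplification of this example).

```python
"""Working-hours profile of malware compile timestamps, as an attribution aid.

Added example; the timestamps below are constructed for illustration and are
not values taken from any real sample.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def _utc(year, month, day, hour, minute):
    """Build a PE-style compile timestamp (seconds since the Unix epoch, UTC)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample set. 3 March 2014 is a Monday; ten of these twelve stamps fall
# between 13:00 and 22:00 UTC on a weekday, which is 08:00-17:00 at UTC-5.
SAMPLE_TIMESTAMPS = [
    _utc(2014, 3, 3, 14, 12),   # Mon
    _utc(2014, 3, 3, 18, 45),   # Mon
    _utc(2014, 3, 4, 13, 5),    # Tue
    _utc(2014, 3, 4, 21, 30),   # Tue
    _utc(2014, 3, 5, 15, 0),    # Wed
    _utc(2014, 3, 5, 20, 10),   # Wed
    _utc(2014, 3, 6, 16, 40),   # Thu
    _utc(2014, 3, 6, 19, 55),   # Thu
    _utc(2014, 3, 7, 13, 30),   # Fri
    _utc(2014, 3, 7, 17, 20),   # Fri
    _utc(2014, 3, 8, 15, 0),    # Sat: outside any Mon-Fri window
    _utc(2014, 3, 5, 3, 0),     # Wed 03:00 UTC = Tue 22:00 at UTC-5: a night-time outlier
]

# Candidate zones as fixed UTC offsets (assumption of this example: no daylight-saving
# handling; a production analysis would use zoneinfo with named zones).
CANDIDATE_OFFSETS = {
    "US Eastern (UTC-5)": -5,
    "US Pacific (UTC-8)": -8,
    "UTC": 0,
    "Moscow (UTC+3)": 3,
    "China (UTC+8)": 8,
}

WEEKDAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def to_local(ts, utc_offset_hours):
    """Interpret an epoch timestamp at a fixed UTC offset."""
    return datetime.fromtimestamp(ts, tz=timezone(timedelta(hours=utc_offset_hours)))


def business_hours_fraction(timestamps, utc_offset_hours, start_hour=8, end_hour=17):
    """Share of timestamps that fall Mon-Fri within [start_hour, end_hour) local time."""
    hits = 0
    for ts in timestamps:
        local = to_local(ts, utc_offset_hours)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(timestamps)


def weekday_histogram(timestamps, utc_offset_hours):
    """Count timestamps per local weekday; a Mon-Fri-heavy profile suggests office hours."""
    return Counter(WEEKDAY_NAMES[to_local(ts, utc_offset_hours).weekday()] for ts in timestamps)


def rank_offsets(timestamps, candidates):
    """Order candidate zones by how well the timestamps fit a 08:00-17:00 workday there."""
    scored = [(name, business_hours_fraction(timestamps, off)) for name, off in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Compile timestamps are attacker-controlled and can be zeroed or forged, so this
    # profile is one corroborating signal, not proof, of where the developers worked.
    for name, fraction in rank_offsets(SAMPLE_TIMESTAMPS, CANDIDATE_OFFSETS):
        print(f"{name:20s} {fraction:5.0%} of samples inside a Mon-Fri 08:00-17:00 workday")
    print(dict(weekday_histogram(SAMPLE_TIMESTAMPS, -5)))
```

On the constructed set, UTC-5 places ten of twelve samples inside the workday window and every other candidate offset does markedly worse; the weekday histogram shows the same skew (one Saturday sample only). The caveat in the final comment matters in practice: because the field is attacker-controlled, this profile is only corroborating evidence alongside other indicators, such as the codewords mentioned above.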

The LNK exploit

Kaspersky's global research and analysis team, otherwise known as GReAT, claimed to have found a piece of malware, Fanny, that contained Stuxnet's "privLib" in 2008.[9] Specifically, it contained the LNK exploit found in Stuxnet in 2010. Fanny is classified as a worm that affects certain Windows operating systems and attempts to spread laterally via network connections or USB storage. Because of Fanny's recorded compile time, Kaspersky stated that it suspects the Equation Group has been around longer than Stuxnet.[7]

Image caption: The NSA's listing of its Tailored Access Operations program named IRATEMONK from the NSA ANT catalog.

F-Secure claims that the Equation Group's malicious hard drive firmware is the TAO program "IRATEMONK",[10] one of the items from the NSA ANT catalog exposed in a 2013 Der Spiegel article.

IRATEMONK provides the attacker with the ability to keep their software application persistently installed on desktop and laptop computers, even after the disk is formatted, its data erased or the operating system re-installed. It infects the hard drive firmware, which in turn adds instructions to the disk's master boot record that cause the software to install each time the computer is booted up.[11] It is capable of infecting certain hard drives from Seagate, Maxtor, Western Digital, Samsung,[11] IBM, Micron and Toshiba.[7]

See also

References

  1. "Equation Group: Questions and Answers (Version: 1.5)" (PDF). Kaspersky Lab. February 2015. Retrieved November 24, 2015.
  2. Goodin, Dan (February 16, 2015). "How "omnipotent" hackers tied to NSA hid for 14 years—and were found at last". Ars Technica. Retrieved November 24, 2015.
  3. Kirk, Jeremy (February 17, 2015). "Destroying your hard drive is the only way to stop this super-advanced malware". PCWorld. Retrieved November 24, 2015.
  4. Fox-Brewster, Thomas (February 16, 2015). "Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'". Forbes. Retrieved November 24, 2015.
  5. Menn, Joseph (February 17, 2015). "Russian researchers expose breakthrough U.S. spying program". Reuters. Retrieved November 24, 2015.
  6. "Equation Group: The Crown Creator of Cyber-Espionage". Kaspersky Lab. February 16, 2015. Retrieved November 24, 2015.
  7. "Equation: The Death Star of Malware Galaxy". Kaspersky Lab. February 16, 2015. Retrieved November 24, 2015.
  8. Goodin, Dan (March 11, 2015). "New smoking gun further ties NSA to omnipotent "Equation Group" hackers". Ars Technica. Retrieved November 24, 2015.
  9. "A Fanny Equation: "I am your father, Stuxnet"". Kaspersky Lab. February 17, 2015. Retrieved November 24, 2015.
  10. "The Equation Group Equals NSA / IRATEMONK". F-Secure Weblog: News from the Lab. February 17, 2015. Retrieved November 24, 2015.
  11. Schneier, Bruce (January 31, 2014). "IRATEMONK: NSA Exploit of the Day". Schneier on Security. Retrieved November 24, 2015.