Kaspersky Lab Unveils ‘Equation’: the Grand Daddy of APT Groups

Phil Muncaster UK / EMEA News Reporter , Infosecurity Magazine

Kaspersky Lab has uncovered what appears to be one of the most sophisticated cyber-attack groups in history – in operation for at least 14 years and which even had access to some of the exploits used in the Stuxnet and Flame campaigns.

The Equation Group had related C&C servers registered as far back as 1996 and has been infecting potentially tens of thousands of victims globally since 2001 in areas ranging from government to telecoms, nuclear energy, nanotechnology, Islamic activists, and encryption companies.

Iran, Russia, Pakistan, Afghanistan, India , China and Syria top the list of victim countries.

The group is so-called “because of their love for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations,” Kaspersky Lab said in a lengthy Q&A document.

It is said to have a vast C&C infrastructure of over 300 domains and more than 100 servers spread across multiple countries. Kaspersky Lab said it is sink-holing two dozen of these servers.

This highly sophisticated and well resourced group is said to have used a wide variety of bespoke trojans, or ‘implants’ as it calls them.

These include ‘Fanny’ – a computer worm created in 2008 to gather info on targets in the Middle East and Asia.

The vendor explained further in a blog post:

“Fanny used two zero-day exploits, which were later uncovered during the discovery of Stuxnet. To spread, it used the Stuxnet LNK exploit and USB sticks. For escalation of privilege, Fanny used a vulnerability patched by the Microsoft bulletin MS09-025, which was also used in one of the early versions of Stuxnet from 2009.

It’s important to point out that these two exploits were used in Fanny before they were integrated into Stuxnet, indicating that the Equation group had access to these zero-days before the Stuxnet group. The main purpose of Fanny was the mapping of air-gapped networks. For this, it used a unique USB-based command and control mechanism which allowed the attackers to pass data back and forth from air-gapped networks.”

Although Kaspersky Lab falls short of attribution, this tie-in to Stuxnet and Flame, as well as the group’s use of virtual file systems similar to those found in Regin, and many other links, make the United States National Security Agency a prime suspect.

The group’s most powerful tool is said to be a module known as ‘nls_933w.dll’ which enables it to reprogram the firmware in hard drives made by over 12 different big name brands including IBM, Maxtor, Western Digital, Toshiba and Seagate.

“This is an astonishing technical accomplishment and is testament to the group’s abilities,” said Kaspersky Lab.

For the record, the Russian security vendor claimed it first discovered evidence of the Equation Group when investigating Regin. A victim machine in the Middle East was apparently also infected with one of the group’s malware platforms, EQUATIONDRUG.

Brian Honan, special advisor to Europol’s Cybercrime Centre, argued that aside from “conversation fodder,” the news of Equation Group’s discovery will not have a major impact on day-to-day operations for most organizations.

“From a CISO perspective the key take-away is that defense should not focus just on prevention but also on detection and response,” he told Infosecurity.

“Organizations need to develop their capabilities in detecting unusual or suspicious behaviour on their systems and networks and have the ability to respond appropriately.”