Symtrex Inc.

Kaspersky Lab Unveils ‘Equation’: the Grand Daddy of APT Groups

2015/02/18 by admin

Phil Muncaster, UK / EMEA News Reporter, Infosecurity Magazine

Kaspersky Lab has uncovered what appears to be one of the most sophisticated cyber-attack groups in history, one that has been in operation for at least 14 years and even had access to some of the exploits used in the Stuxnet and Flame campaigns.

The Equation Group had related C&C servers registered as far back as 1996 and has been infecting potentially tens of thousands of victims globally since 2001 in areas ranging from government to telecoms, nuclear energy, nanotechnology, Islamic activists, and encryption companies.

Iran, Russia, Pakistan, Afghanistan, India, China and Syria top the list of victim countries.

The group is so named “because of their love for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations,” Kaspersky Lab said in a lengthy Q&A document.


It is said to have a vast C&C infrastructure of over 300 domains and more than 100 servers spread across multiple countries. Kaspersky Lab said it is sinkholing two dozen of these servers.

This highly sophisticated and well-resourced group is said to have used a wide variety of bespoke trojans, or ‘implants’ as Kaspersky Lab calls them.

These include ‘Fanny’, a computer worm created in 2008 to gather information on targets in the Middle East and Asia.

The vendor explained further in a blog post:

“Fanny used two zero-day exploits, which were later uncovered during the discovery of Stuxnet. To spread, it used the Stuxnet LNK exploit and USB sticks. For escalation of privilege, Fanny used a vulnerability patched by the Microsoft bulletin MS09-025, which was also used in one of the early versions of Stuxnet from 2009.

It’s important to point out that these two exploits were used in Fanny before they were integrated into Stuxnet, indicating that the Equation group had access to these zero-days before the Stuxnet group. The main purpose of Fanny was the mapping of air-gapped networks. For this, it used a unique USB-based command and control mechanism which allowed the attackers to pass data back and forth from air-gapped networks.”

Although Kaspersky Lab stops short of attribution, this tie-in to Stuxnet and Flame, as well as the group’s use of virtual file systems similar to those found in Regin, and many other links, make the United States National Security Agency a prime suspect.

The group’s most powerful tool is said to be a module known as ‘nls_933w.dll’, which enables it to reprogram the firmware in hard drives made by over 12 different big-name brands including IBM, Maxtor, Western Digital, Toshiba and Seagate.

“This is an astonishing technical accomplishment and is testament to the group’s abilities,” said Kaspersky Lab.

For the record, the Russian security vendor claimed it first discovered evidence of the Equation Group when investigating Regin. A victim machine in the Middle East was apparently also infected with one of the group’s malware platforms, EQUATIONDRUG.

Brian Honan, special advisor to Europol’s Cybercrime Centre, argued that aside from “conversation fodder,” the news of Equation Group’s discovery will not have a major impact on day-to-day operations for most organizations.

“From a CISO perspective the key take-away is that defense should not focus just on prevention but also on detection and response,” he told Infosecurity.

“Organizations need to develop their capabilities in detecting unusual or suspicious behaviour on their systems and networks and have the ability to respond appropriately.”


Filed Under: Advanced Persistent Threat, antivirus, compliance, endpoint, industry, Kaspersky, Products, Security News

© Copyright 2016 Symtrex Inc. All Rights Reserved