Threat Management

Researchers identify advanced espionage team, the ‘Equation’ group

Governments, militaries and financial institutions in more than 30 countries around the globe are among the targets of the “Equation” group – a gang that has been engaged in data retrieving operations since possibly 1996 and is referred to by Kaspersky Lab as the most advanced threat actor the research team has ever seen.

Kaspersky Lab has identified more than 500 victims worldwide, but assumes that tens of thousands have been affected due to the self-destructing nature of the infections, a report indicates, adding that the telecommunications, nuclear research, mass media, and oil and gas industries have also been targeted.

The highest infection rates are in Iran, Russia, Pakistan, Afghanistan, India, China, Syria and Mali, according to the report. The United Kingdom is considered to have a medium-level infection rate, and the United States is listed as having a low infection rate.

“A lot of infections have been observed on servers, often domain controllers, data warehouses, website hosting and other types of servers,” the report states.

Kaspersky Lab identified a variety of malware and attack tools being used exclusively by the Equation group, and often in tandem. These include an espionage platform that supports a module plugin system (EQUATIONDRUG) and a worm used to gather information on targets in the Middle East and Asia (Fanny).

The most impressive technique used by the Equation group is infecting hard drive firmware, meaning an infection will survive disk formatting and reinstalling the OS, Kaspersky Lab researchers noted.

“GRAYFISH is the most modern and sophisticated malware implant from the Equation group,” the report states. “It is designed to provide an effective (almost “invisible”) persistence mechanism, hidden storage and malicious command execution inside the Windows operating system.”

The Equation group was observed using a number of exploits with their malware – they targeted bugs in Java and Internet Explorer, among others – and at least four were used as zero-days, according to the report, which adds that Fanny used two zero-day exploits that were later associated with Stuxnet.

“Actually, the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the [Equation] group and the Stuxnet developers are either the same or working closely together,” the report states.

Various news agencies are reporting – often citing security experts – that the Equation group and the NSA are closely linked, if not one and the same. In a statement emailed to on Tuesday, Kaspersky Lab researchers said they could not confirm conclusions reported in the media.

“Kaspersky Lab experts worked on the technical analysis of the group's malware, and we don't have hard proof to attribute the Equation Group or speak of its origin,” the Kaspersky Lab researchers said. “With threat actor groups as skilled as the Equation team, mistakes are rare, and making attribution is extremely difficult. However we do see a close connection between the Equation, Stuxnet and Flame groups.”

Kaspersky Lab noted in the report that the Equation group used a technique known as interdiction – replacing intercepted goods with trojanized versions – to infect their targets. The researchers cited a specific instance at a conference in Houston where participants were presented with conference materials on a CD-ROM. The CD-ROM was used to deliver the group's malware.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.