Equation group ‘one of the most sophisticated cyberattack groups in the world’

17 Feb 2015

The similarities between a mysterious cyber espionage group’s tools and techniques and those of the NSA are giving rise to questions as to whether US intelligence placed spyware on hardware outside the US.

In a report Russian security software maker Kaspersky Labs outlined the tools and techniques used by the Equation Group, but stopped short of linking them to the NSA or the US government’s Cyber Command.

The Equation Group appear to have a penchant for encryptiuon and the exploits and malware are strikingly similar to NSA techniques described in documents leaked by Edward Snowden.

Kaspersky said the Equation Group has been active since 1996 and uses a specific implementation of the RC5 encryption algorithm through their malware.

It says it has identified several malware platforms used by the group, including a worm that uses the same zero-day vulnerabilities found in Stuxnet. Stuxnet disabled 1,000 centrifuges in Iran’s nuclear programme and was part of a programme code-named Olympic Games run jointly by the US and Israel.

Countries hit by Equation include Iran, Russia, Pakistan, Afghanistan, India and China and targets included telecoms companies, embassies, research institutions and Islamic scholars.

As well as web-based exploits the Equation Group infected victims using physical media like CD-ROMs, USB sticks and hard drives.

One novel way of attacking victims included giving CD-ROMs to delegates at a scientific conference in Houston, Texas.

Another way of attacking institutions or suspects was by intercepting computers that were about to leave the US and replace them with a “trojanised” version.

The implants would bury themselves deep inside computer systems and are understood to be beyond the reach of most anti-virus software.

This enabled intelligence agencies to grab encryption keys off machines without being noticed.

Links between US intelligence and Stuxnet payload

According to Kaspersky victims of the Equation group were observed in more than 30 countries around the world.

It is understood that the infections come with a self-destruct mechanism and that there were tends of thousands of infections by the malware.

“It is quite possible that the Equation group malware was used to deliver the Stuxnet payload,” Kaspersky said.

While the principle target of these attacks was Windows machines, Kaspersky believes that Mac OS X versions of some of the malware were in the wild.

“The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen,” Kaspersky said.

Hacker image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years