If you’ve been following the news lately, you’ve probably caught a glimpse into the shadowy world of Kaspersky’s newest investigation, which followed the movements and actions of the clandestine hacking collective known only as “The Equation Group.”
The group earned its name through its use of complex cryptographic algorithms to compromise targets. Operating in the shadows for over the decade, The Group’s existence only recently came to light in Kaspersky’s in-depth profile.
What the Group achieved during its lengthy tenure (and indeed, the organization may still exist) has exceeded anyone’s expectation of what was possible. By reverse engineering the firmware of drives from Seagate, Western Digital, and Toshiba, the Group discovered how to hide malware in drives with an extremely low risk of detection, and maintain an infection even if a drive was re-formatted.
There’s more to this story than the Group’s now infamous hacking ability, though. The organization’s likely connection to the NSA has dramatic implications for global cyber-security, and discredits the arguments used by those in favor of surveillance on a massive scale.
The most impressive malware, ever
The world woke up one morning in June of 2010 to discover the United States and Israel had been cooperating on a new form of malware, labeled Stuxnet. Targeted at Iranian uranium enrichment facilities, it upset the country’s centrifuges so discreetly that the country’s engineers didn’t realize there was a problem until it was too late.
While nation-state attacks weren’t unheard of, this was the first time a nation was caught actively harassing outside countries with a state-sponsored virus that could cause real, physical damage. It was widely speculated that the methods used were invented by the attacker that deployed Stuxnet, but it turns out the Group was behind it all along.
During its year-long dive into the activities of the Equation Group, Kaspersky discovered that the same zero-days utilized by the Group were later translated into the development of Stuxnet and Flame. Further, those exploits were only the tip of the iceberg.
“One of the modules utilized by the Equation Group (Fanny) used two zero-day exploits, which were later uncovered during the discovery of Stuxnet,” Soumenkov explained. ”In order to spread, it used the Stuxnet LNK exploit and USB sticks. For escalation of privilege, Fanny used a vulnerability patched by the Microsoft bulletin MS09-025, which from 2009 was also used in one of the early versions of Stuxnet.”
This means that at some level, members of the Group and the NSA, which deployed Stuxnet, were in contact. And it seems the NSA was outranked, at least in technical ability.
“A similar type of use of both exploits together in different computer worms, at around the same time, indicates that the Equation Group and the Stuxnet developers are either the same or working closely together.”
The Equation Group does not engage in indiscriminate attacks, but is instead a master of precise hacking.
While the Group’s malware is incredibly powerful, it wasn’t wielded indiscriminately, which further suggests a national power was in control. All software invented by the Group is incredibly selective of its targets, infecting only a few thousand machines globally and carefully monitoring each and every connection. The Group does not engage in spam attacks, but is instead a master of precise hacking.
But, despite our insistence that Kaspersky fill in a definitive link between the actions of Equation Group and the programs leaked by Edward Snowden from the NSA, Soumenkov was staunch in denying a direct link. While it appears the Equation Group and the NSA work together (likely, the former is a part of the latter), Kaspersky has no way to be certain of their affiliation.
“We do not make any attribution to the origins of the malware. We are not able to confirm the conclusions that journalists came up with,” Igor told us. “We worked on the technical analysis of the group’s malware, and we don’t have hard proof to attribute the Equation Group or speak of its origin.”
Snowden says what?
Though Igor was unwilling to name the rouge government agency as a culprit, outside research has divulged details that could potentially link the two agents in a more definitive fashion.
Namely, the several programs found in the Snowden documents (STRAITACID and STRAITSHOOTER) happen to bear a striking resemblance to a codename unearthed in the Group investigation, called STRAITBIZARRE .
STRAITBIZARRE, as those who follow the Snowden revelations might remember, was a key element in many of the programs and infection distribution webs that the NSA used to maintain their command and control networks. The software, developed by Digital Network Technologies, was a highly modular form of code that could be adapted for everything from delivering payloads onto iPhones to constructing encrypted channels for passing data between various branches of the surveillance division.
All three programs maintain similar goals in their implementation (intrusion and communication between infected machines), and even share many of the same core tenants of infrastructure that makes them work in the first place. That said, Igor was reticent to be the one who named names.
In the case of the Equation Group, it’s believed that STRAITBIZARRE was utilized to get the hard drive monitoring executable onto the hard drives of prospective targets, and once a successful drop was made, STRAITACID and STRAITSHOOTER handled all the communication between the corrupted drive and the Group’s home base.
Precision was possible after all
So why are journalists and analysts so eager to make the link between the Group and the NSA? Because, if true, it shows the NSA has opted to use mass surveillance to spy on every call and Internet search in the country simply because they could, not necessarily because they needed to. The actions of the Equation Group proves these blanket collection efforts didn’t need to be so broad, as there was already at least one specialized team dedicated to distributing digital smart-bombs with laser-like precision. The existence of the Equation Group shows that the NSA had other alternatives all along, and they actively chose to spy on everyone instead.
The NSA has insisited it had to use a sledgehammer to catch the bad guys, when in reality a scalpel could’ve done the job just as well.
See, if you’re like me, much, if not all of what we’ve learned about the NSA over the course of the past two years has been enough to make your blood boil. First, they came for our phone records, then our emails. Next it was our texts, but somehow, even that wasn’t enough. They needed our search history, our Snapchats, anything we ever decided to do on the Internet was theirs for the taking, no matter how much money it cost to get there or how many technology companies they needed to compromise in the process.
The NSA has spent years in the wake of the leaks championing why it had to use a sledgehammer to catch the bad guys, when in reality a scalpel could have done the job just as well.
Should you be worried?
If there’s one thing we learned during our time with Somenkov which brings a slight sense of relief, it’s that Kaspersky is confident that because the malware is so complex, it’s unlikely the code will be used by others with ease. In all the research that Kaspersky collected over the past 12 months, its scientists concluded the threat of this malware spiraling out of control is close to zero.
And, in case you’re concerned that the Equation Group might have your machine in the crosshairs, you can use antivirus solutions provided by Kaspersky to detect the infection. “Kaspersky Lab products detect all known modules used by the Equation Group,” Igor said in closing.
Overall, while the Group’s achievements are impressive, we can’t act as though we’re surprised. Yes, the United States spies on people. We knew that already. And yes, maybe they haven’t gone about it in the most ethical manner. But it’s good to know that teams like the Equation Group are out there. They build the highly targeted malware we need, and prove a catch-all approach isn’t necessary.
The Group isn’t the problem. On the contrary, it’s the solution. The problem is the NSA’s refusal to rely on its precision and instead insist that blanket surveillance is necessary. Nations will always spy on each other, but spying on citizens is a greater sin, and one now known to be avoidable.