Skip to main content

The Equation Group’s scalpel proves the sledgehammer is unneeded

decrypt this the equation groups scalpel proves sledgehammer is unneeded shutterstock 134428790
Image Credit: Zentilia/Shutterstock
If you’ve been following the news lately, you’ve probably caught a glimpse into the shadowy world of Kaspersky’s newest investigation, which followed the movements and actions of the clandestine hacking collective known only as “The Equation Group.”

The group earned its name through its use of complex cryptographic algorithms to compromise targets. Operating in the shadows for over the decade, The Group’s existence only recently came to light in Kaspersky’s in-depth profile.

What the Group achieved during its lengthy tenure (and indeed, the organization may still exist) has exceeded anyone’s expectation of what was possible. By reverse engineering the firmware of drives from Seagate, Western Digital, and Toshiba, the Group discovered how to hide malware in drives with an extremely low risk of detection, and maintain an infection even if a drive was re-formatted.

There’s more to this story than the Group’s now infamous hacking ability, though. The organization’s likely connection to the NSA has dramatic implications for global cyber-security, and discredits the arguments used by those in favor of surveillance on a massive scale.

The most impressive malware, ever

The world woke up one morning in June of 2010 to discover the United States and Israel had been cooperating on a new form of malware, labeled Stuxnet. Targeted at Iranian uranium enrichment facilities, it upset the country’s centrifuges so discreetly that the country’s engineers didn’t realize there was a problem until it was too late.

Related: How Stuxnet crippled Iran’s nuclear dreams

While nation-state attacks weren’t unheard of, this was the first time a nation was caught actively harassing outside countries with a state-sponsored virus that could cause real, physical damage. It was widely speculated that the methods used were invented by the attacker that deployed Stuxnet, but it turns out the Group was behind it all along.

During its year-long dive into the activities of the Equation Group, Kaspersky discovered that the same zero-days utilized by the Group were later translated into the development of Stuxnet and Flame. Further, those exploits were only the tip of the iceberg.

“One of the modules utilized by the Equation Group (Fanny) used two zero-day exploits, which were later uncovered during the discovery of Stuxnet,” Soumenkov explained. ”In order to spread, it used the Stuxnet LNK exploit and USB sticks. For escalation of privilege, Fanny used a vulnerability patched by the Microsoft bulletin MS09-025, which from 2009 was also used in one of the early versions of Stuxnet.”

This means that at some level, members of the Group and the NSA, which deployed Stuxnet, were in contact. And it seems the NSA was outranked, at least in technical ability.

“A similar type of use of both exploits together in different computer worms, at around the same time, indicates that the Equation Group and the Stuxnet developers are either the same or working closely together.”

The Equation Group does not engage in indiscriminate attacks, but is instead a master of precise hacking.

While the Group’s malware is incredibly powerful, it wasn’t wielded indiscriminately, which further suggests a national power was in control. All software invented by the Group is incredibly selective of its targets, infecting only a few thousand machines globally and carefully monitoring each and every connection. The Group does not engage in spam attacks, but is instead a master of precise hacking.

Related: How the NSA can hide malware on your hard drive

But, despite our insistence that Kaspersky fill in a definitive link between the actions of Equation Group and the programs leaked by Edward Snowden from the NSA, Soumenkov was staunch in denying a direct link. While it appears the Equation Group and the NSA work together (likely, the former is a part of the latter), Kaspersky has no way to be certain of their affiliation.

“We do not make any attribution to the origins of the malware. We are not able to confirm the conclusions that journalists came up with,” Igor told us. “We worked on the technical analysis of the group’s malware, and we don’t have hard proof to attribute the Equation Group or speak of its origin.”

Snowden says what?

Though Igor was unwilling to name the rouge government agency as a culprit, outside research has divulged details that could potentially link the two agents in a more definitive fashion.

Namely, the several programs found in the Snowden documents (STRAITACID and STRAITSHOOTER) happen to bear a striking resemblance to a codename unearthed in the Group investigation, called STRAITBIZARRE .

STRAITBIZARRE, as those who follow the Snowden revelations might remember, was a key element in many of the programs and infection distribution webs that the NSA used to maintain their command and control networks. The software, developed by Digital Network Technologies, was a highly modular form of code that could be adapted for everything from delivering payloads onto iPhones to constructing encrypted channels for passing data between various branches of the surveillance division.

All three programs maintain similar goals in their implementation (intrusion and communication between infected machines), and even share many of the same core tenants of infrastructure that makes them work in the first place. That said, Igor was reticent to be the one who named names.

In the case of the Equation Group, it’s believed that STRAITBIZARRE was utilized to get the hard drive monitoring executable onto the hard drives of prospective targets, and once a successful drop was made, STRAITACID and STRAITSHOOTER handled all the communication between the corrupted drive and the Group’s home base.

Precision was possible after all

So why are journalists and analysts so eager to make the link between the Group and the NSA? Because, if true, it shows the NSA has opted to use mass surveillance to spy on every call and Internet search in the country simply because they could, not necessarily because they needed to. The actions of the Equation Group proves these blanket collection efforts didn’t need to be so broad, as there was already at least one specialized team dedicated to distributing digital smart-bombs with laser-like precision. The existence of the Equation Group shows that the NSA had other alternatives all along, and they actively chose to spy on everyone instead.

Related: Snowden warns to avoid Facebook, Google if you value privacy

The NSA has insisited it had to use a sledgehammer to catch the bad guys, when in reality a scalpel could’ve done the job just as well.

See, if you’re like me, much, if not all of what we’ve learned about the NSA over the course of the past two years has been enough to make your blood boil. First, they came for our phone records, then our emails. Next it was our texts, but somehow, even that wasn’t enough. They needed our search history, our Snapchats, anything we ever decided to do on the Internet was theirs for the taking, no matter how much money it cost to get there or how many technology companies they needed to compromise in the process.

The NSA has spent years in the wake of the leaks championing why it had to use a sledgehammer to catch the bad guys, when in reality a scalpel could have done the job just as well.

Should you be worried?

If there’s one thing we learned during our time with Somenkov which brings a slight sense of relief, it’s that Kaspersky is confident that because the malware is so complex, it’s unlikely the code will be used by others with ease. In all the research that Kaspersky collected over the past 12 months, its scientists concluded the threat of this malware spiraling out of control is close to zero.

And, in case you’re concerned that the Equation Group might have your machine in the crosshairs, you can use antivirus solutions provided by Kaspersky to detect the infection. “Kaspersky Lab products detect all known modules used by the Equation Group,” Igor said in closing.

Overall, while the Group’s achievements are impressive, we can’t act as though we’re surprised. Yes, the United States spies on people. We knew that already. And yes, maybe they haven’t gone about it in the most ethical manner. But it’s good to know that teams like the Equation Group are out there. They build the highly targeted malware we need, and prove a catch-all approach isn’t necessary.

The Group isn’t the problem. On the contrary, it’s the solution. The problem is the NSA’s refusal to rely on its precision and instead insist that blanket surveillance is necessary. Nations will always spy on each other, but spying on citizens is a greater sin, and one now known to be avoidable.

Chris Stobing
Former Digital Trends Contributor
Self-proclaimed geek and nerd extraordinaire, Chris Stobing is a writer and blogger from the heart of Silicon Valley. Raised…
Microsoft’s Copilot Vision arrives to surf the web with select users
The Copilot logo

Microsoft's new Copilot Vision feature that can “see what you see, and hear what you hear” while you navigate the internet is finally being made available, though only to a limited number of Copilot Pro subscribers in the U.S.

"Starting today, we are introducing an experience where – with your permission – Copilot can now understand the full context of what you’re doing online," according to a Microsoft blog post. "When you choose to enable Copilot Vision, it sees the page you're on, it reads along with you, and you can talk through the problem you're facing together."

Read more
This HP Envy 2-in-1 is $300 off and has a gorgeous 16-inch 2K screen
The HP Envy x360 2-in-1 laptop on a white background.

Best Buy continues to offer some fantastic laptop deals with a huge $300 off the HP Envy 2-in-1 16-inch 2K Touchscreen laptop. It normally costs $900 but right now, you can buy it for just $600 which is a fantastic price for a laptop with such a good screen. It’d make the perfect gift for someone but also it’s simply a good laptop for all your working needs. Here’s a quick overview of what it has to offer.

Why you should buy the HP Envy 2-in-1 laptop
HP is one of the best laptop brands around and it has a particular penchant for making some of the best 2-in-1 laptops. With this HP Envy 2-in-1 laptop, you get some great hardware. It has an Intel Core Ultra 5 CPU, 16GB of RAM, and 512GB of SSD storage. For this price, you can’t really go wrong with these specs.

Read more
Black Friday’s best PC hardware deal is still live, and you’re sleeping on it
The Ryzen 5 7600X sitting among thermal paste and RAM.

I'm not mad, just disappointed. A couple of weeks ago, I covered the insane deal that essentially allowed you to score a Ryzen 5 7600X -- still one of the best processors you can buy -- for just $105. At the time, I thought, surely, this will sell out in a matter of hours. Who would pass up on a deal this good? And yet, two weeks later to the day, the craziest deal I've seen during all of Black Friday and Cyber Monday is still live on Newegg.

Let me break down the deal again. You can get the Ryzen 5 7600X for $225, which is not a good price. However, you can get an additional $30 off by using promo code DLCDZ342, bringing the price down to $195. The kicker is that you also get a free Team Group MP44L 1TB PCIe 4.0 SSD. That's a $90 hard drive that Newegg is just throwing in with a CPU that's already available for a decent price. The fact that the deal is still live suggests either Newegg has a ton of inventory, or not enough people know about this sale.

Read more