Skip to main content

The Equation Group’s scalpel proves the sledgehammer is unneeded

decrypt this the equation groups scalpel proves sledgehammer is unneeded shutterstock 134428790
Image Credit: Zentilia/Shutterstock
If you’ve been following the news lately, you’ve probably caught a glimpse into the shadowy world of Kaspersky’s newest investigation, which followed the movements and actions of the clandestine hacking collective known only as “The Equation Group.”

The group earned its name through its use of complex cryptographic algorithms to compromise targets. Operating in the shadows for over the decade, The Group’s existence only recently came to light in Kaspersky’s in-depth profile.

What the Group achieved during its lengthy tenure (and indeed, the organization may still exist) has exceeded anyone’s expectation of what was possible. By reverse engineering the firmware of drives from Seagate, Western Digital, and Toshiba, the Group discovered how to hide malware in drives with an extremely low risk of detection, and maintain an infection even if a drive was re-formatted.

There’s more to this story than the Group’s now infamous hacking ability, though. The organization’s likely connection to the NSA has dramatic implications for global cyber-security, and discredits the arguments used by those in favor of surveillance on a massive scale.

The most impressive malware, ever

The world woke up one morning in June of 2010 to discover the United States and Israel had been cooperating on a new form of malware, labeled Stuxnet. Targeted at Iranian uranium enrichment facilities, it upset the country’s centrifuges so discreetly that the country’s engineers didn’t realize there was a problem until it was too late.

Related: How Stuxnet crippled Iran’s nuclear dreams

While nation-state attacks weren’t unheard of, this was the first time a nation was caught actively harassing outside countries with a state-sponsored virus that could cause real, physical damage. It was widely speculated that the methods used were invented by the attacker that deployed Stuxnet, but it turns out the Group was behind it all along.

During its year-long dive into the activities of the Equation Group, Kaspersky discovered that the same zero-days utilized by the Group were later translated into the development of Stuxnet and Flame. Further, those exploits were only the tip of the iceberg.

“One of the modules utilized by the Equation Group (Fanny) used two zero-day exploits, which were later uncovered during the discovery of Stuxnet,” Soumenkov explained. ”In order to spread, it used the Stuxnet LNK exploit and USB sticks. For escalation of privilege, Fanny used a vulnerability patched by the Microsoft bulletin MS09-025, which from 2009 was also used in one of the early versions of Stuxnet.”

This means that at some level, members of the Group and the NSA, which deployed Stuxnet, were in contact. And it seems the NSA was outranked, at least in technical ability.

“A similar type of use of both exploits together in different computer worms, at around the same time, indicates that the Equation Group and the Stuxnet developers are either the same or working closely together.”

The Equation Group does not engage in indiscriminate attacks, but is instead a master of precise hacking.

While the Group’s malware is incredibly powerful, it wasn’t wielded indiscriminately, which further suggests a national power was in control. All software invented by the Group is incredibly selective of its targets, infecting only a few thousand machines globally and carefully monitoring each and every connection. The Group does not engage in spam attacks, but is instead a master of precise hacking.

Related: How the NSA can hide malware on your hard drive

But, despite our insistence that Kaspersky fill in a definitive link between the actions of Equation Group and the programs leaked by Edward Snowden from the NSA, Soumenkov was staunch in denying a direct link. While it appears the Equation Group and the NSA work together (likely, the former is a part of the latter), Kaspersky has no way to be certain of their affiliation.

“We do not make any attribution to the origins of the malware. We are not able to confirm the conclusions that journalists came up with,” Igor told us. “We worked on the technical analysis of the group’s malware, and we don’t have hard proof to attribute the Equation Group or speak of its origin.”

Snowden says what?

Though Igor was unwilling to name the rouge government agency as a culprit, outside research has divulged details that could potentially link the two agents in a more definitive fashion.

Namely, the several programs found in the Snowden documents (STRAITACID and STRAITSHOOTER) happen to bear a striking resemblance to a codename unearthed in the Group investigation, called STRAITBIZARRE .

STRAITBIZARRE, as those who follow the Snowden revelations might remember, was a key element in many of the programs and infection distribution webs that the NSA used to maintain their command and control networks. The software, developed by Digital Network Technologies, was a highly modular form of code that could be adapted for everything from delivering payloads onto iPhones to constructing encrypted channels for passing data between various branches of the surveillance division.

All three programs maintain similar goals in their implementation (intrusion and communication between infected machines), and even share many of the same core tenants of infrastructure that makes them work in the first place. That said, Igor was reticent to be the one who named names.

In the case of the Equation Group, it’s believed that STRAITBIZARRE was utilized to get the hard drive monitoring executable onto the hard drives of prospective targets, and once a successful drop was made, STRAITACID and STRAITSHOOTER handled all the communication between the corrupted drive and the Group’s home base.

Precision was possible after all

So why are journalists and analysts so eager to make the link between the Group and the NSA? Because, if true, it shows the NSA has opted to use mass surveillance to spy on every call and Internet search in the country simply because they could, not necessarily because they needed to. The actions of the Equation Group proves these blanket collection efforts didn’t need to be so broad, as there was already at least one specialized team dedicated to distributing digital smart-bombs with laser-like precision. The existence of the Equation Group shows that the NSA had other alternatives all along, and they actively chose to spy on everyone instead.

Related: Snowden warns to avoid Facebook, Google if you value privacy

The NSA has insisited it had to use a sledgehammer to catch the bad guys, when in reality a scalpel could’ve done the job just as well.

See, if you’re like me, much, if not all of what we’ve learned about the NSA over the course of the past two years has been enough to make your blood boil. First, they came for our phone records, then our emails. Next it was our texts, but somehow, even that wasn’t enough. They needed our search history, our Snapchats, anything we ever decided to do on the Internet was theirs for the taking, no matter how much money it cost to get there or how many technology companies they needed to compromise in the process.

The NSA has spent years in the wake of the leaks championing why it had to use a sledgehammer to catch the bad guys, when in reality a scalpel could have done the job just as well.

Should you be worried?

If there’s one thing we learned during our time with Somenkov which brings a slight sense of relief, it’s that Kaspersky is confident that because the malware is so complex, it’s unlikely the code will be used by others with ease. In all the research that Kaspersky collected over the past 12 months, its scientists concluded the threat of this malware spiraling out of control is close to zero.

And, in case you’re concerned that the Equation Group might have your machine in the crosshairs, you can use antivirus solutions provided by Kaspersky to detect the infection. “Kaspersky Lab products detect all known modules used by the Equation Group,” Igor said in closing.

Overall, while the Group’s achievements are impressive, we can’t act as though we’re surprised. Yes, the United States spies on people. We knew that already. And yes, maybe they haven’t gone about it in the most ethical manner. But it’s good to know that teams like the Equation Group are out there. They build the highly targeted malware we need, and prove a catch-all approach isn’t necessary.

The Group isn’t the problem. On the contrary, it’s the solution. The problem is the NSA’s refusal to rely on its precision and instead insist that blanket surveillance is necessary. Nations will always spy on each other, but spying on citizens is a greater sin, and one now known to be avoidable.

Chris Stobing
Former Digital Trends Contributor
Self-proclaimed geek and nerd extraordinaire, Chris Stobing is a writer and blogger from the heart of Silicon Valley. Raised…
Best Mac Mini deals: Save over $100 on an Apple desktop
Apple Mac Mini 2018

The Apple Mac Mini is a unique desktop computing option, as it comes in a small form factor that won’t take up much space on a desk. It’s also part of Apple’s new Apple Silicon lineup, which means newer models will pack quite a punch when it comes to performance. Apple’s popularity usually keeps its products from seeing substantial discounts, but we’ve found some out there. A couple could be considered some of the best Apple deals you’ll come across today. If you’re simply looking for a deal on a Mac, consider some iMac deals or MacBook deals, but if you’re sold on some savings for a pint-sized PC that fits within the Apple software ecosystem, read onward for the best Mac Mini deals worth shopping today.
Apple education pricing for new Macs and iPad -- multiple price points

Whether you're a newly accepted college student, returning student, faculty, staff, or homeschooling teacher, of any grade level, Apple offers its education pricing program for discounted hardware rates. That means you can grab an Apple Mac Mini for great prices that won't empty your wallet or bank account before the school year. A bevy of devices are included, not just the Mac Mini, such as MacBook Air, MacBook Pro, displays, and beyond.

Read more
Microsoft just discovered the next big evolution in displays
Resident Evil 4 running on the LG UltraGear 45 gaming monitor.

Microsoft is working on a new patent that aims to bring unprecedented levels of control to displays. The new tech, dubbed Pixel Luminesce for Digital Display, allows you to micromanage every single pixel of your display, adjusting the brightness as needed. If and when this makes it out of the development stage, it could end up being huge for all sorts of use cases, and could bring major improvements to some of the best gaming monitors.

The patent application describing the tech, first shared by Windows Report, describes the new technology as something that would enable selective dimming. With Microsoft's new tech, you could decide that one part of the display stays brighter while the rest of it remains unaffected, and this would happen dynamically.

Read more
These are the 10 best gaming PCs I’d recommend to anyone
Graphics card in the CLX Hathor PC.

We review dozens of gaming PCs each year. In 2024, there are a ton of great options, but we've narrowed down a list of the 10 best gaming desktops that deserve your hard-earned money.

In 2024, we still recommend the Alienware Aurora R16 due to its fantastic design, solid performance, and decent value. However, there are several other options depending on your needs and budget. If you want a deeper look into how we evaluate gaming PCs, make sure to read our post on how we review desktops.

Read more