Newly Discovered Master Cyber Espionage Group Trumps Stuxnet

The so-called Equation Group epitomizes the goal of persistence in cyber spying--reprogramming hard drives and hacking other targets such as air-gapped computers--and points to possible US connection.

KASPERSKY SECURITY ANALYST SUMMIT -- Cancun, Mexico -- Move over Stuxnet, Flame, and Regin: a newly uncovered cyber espionage operation that predates and rivals Stuxnet has been underway since at least 2001, armed with advanced tools and techniques that include hacking air-gapped computers and a first -- silently reprogramming victims hard drives, such that malware cant be detected or erased.
Researchers from Kaspersky Lab here, today, gave details of the so-called Equation Group, a hacking operation that they describe as the most sophisticated attack group they have seen thus far of the approximately 60 such groups they currently track. The Equation Group also has ties to Stuxnet and Flame, but outranks those attacks, having deployed in 2008 two of the zero-day exploits that were later used by Stuxnet. That suggests the Equation Group provided those exploits to the Stuxnet gang and is the masters over them, according to Kaspersky Lab.
The Equation Group has hit tens of thousands of highly targeted victims in more than 30 countries, with Iran, Russia, and Pakistan the most infected. Other nations with victims include Syria, Afghanistan, Kazakhstan, Belgium, Somalia, Hong Kong, Libya, United Arab Emirates, Iraq, Nigeria, Ecuador, Mexico, Malaysia, Sudan, the US, Lebanon, Palestine, France, Germany, Singapore, Qatar, Pakistan, Yemen, Mali, Switzerland, Bangladesh, South Africa, Philippines, United Kingdom, India, and Brazil. The targets are in government and diplomacy, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, mass media, transportation, financial institutions, cryptographic development, as well as Islamic activists and scholars based in the US and UK.
Kaspersky estimates that the attack group was infecting some 2,000 individuals per month. But whats most unnerving is that Equation Group has basically gone dark since 2014, indicating that theyve taken an even stealthier tack. All of their command-and-control servers were moved to the US in 2014, according to Raiu, who says his team has found about 300 of their servers worldwide. For sure they have registered some new servers in 2014, so they are still active. But we havent seen any new [malware] samples compiled … they are either now untraceable or randomly changing all of the timestamps, says Costin Raiu, head of Kasperskys global research and analysis team. The malware targets Windows systems.
But in operations, there was nothing new in 2014. Its super-scary, he says.
Despite the elephant-in-the-room question of whether the Equation Group is the US National Security Agency, Kaspersky researchers say they cant identify whos behind the campaign. Even so, a couple of months after Edward Snowden leaked the trove of NSA documents, the Equation Group replaced one of its malware variants with a more sophisticated one, called Grayfish. They shut down some old stuff and the new Grayfish came, Raiu says. I dont know if thats related or not.
The level of funding and sophistication required to craft the bevy of tools used by the Equation Group, plus English-language usage in the code, and other clues, such as the targeted (and non-targeted) regions, appear to point to a possible US connection. We have not found any exact match of these code names .. with [the information leaked by] Snowden, so we cannot tell you it matches an NSA profile, says Vitaly Kamluk, director of the EEMA Research center at Kaspersky Lab.
An NSA spokesperson declined to comment on the findings, according to multiple published media reports.
This malware is extremely sophisticated. Its way more complex than anything weve seen. Its most likely a nation-state because there doesnt seem to be any connection with cybercrime, he says.
Hard Drive Hacks
Among the hacking groups more unique and complex capabilities that Kaspersky has identified are two modules that can reprogram more than a dozen different hard drive brands, including big names like Maxtor, Seagate, Hitachi, and Toshiba, basically rewriting the hard drives operating system. This trick puts the p in APT (advanced persistent threat), by allowing the malware to go undetected by antivirus and to remain alive even if the drive is reformatted or the operating system gets reinstalled. The technique -- powered by the Grayfish malware module -- also could resist deletion of a specific disk sector, or provide the attackers with the ability to swap a sector with a malware-ridden one.
The attackers also could use the infected drive to store stolen information until they siphon it to their own systems.
This is what makes this group gods among APT actors. We have never seen anything close to this, Kamluk says. Knowing how to reprogram a hard drive would entail gathering intelligence from each vendor, which is no simple feat, he says. Then it would take a very skilled programmer many months or years to master this.
[This] shows us a level of sophistication that we havent seen before, or maybe a few times in the past with Flame and Stuxnet, for example, says Jaime Blasco, head of AlienVaults security research team. Whoever is behind this has access to a huge amount of financial and research resources, including access to sigint/humint capabilities that they clearly use in combination with the tools, he days.
Blasco says the module that infects the hard drive firmware is state of the art.
Then theres the module the Equation Group named Fanny that allows them into air-gapped computers, or systems that are not connected to a network. Kaspersky researchers first noticed this module after uncovering a case where a scientist attending a scientific and aerospace industry conference in Houston had been mailed a CD-ROM from the conference proceedings -- but it had obviously been intercepted and rigged with Fanny malware, ultimately infecting his hard drive.
Fanny also comes via USB sticks, where someone physically inserts them into the air-gapped machine to infect them. Kaspersky found a privilege escalation exploit that was used in Stuxnet being used by the Fanny worm.
The worm basically is aimed at gathering intelligence about the network topology of the air-gapped environment and to then send commands to those systems. The USB stick itself stores commands from the malware in a hidden area of the device.
Raiu says the Equation Group is likely the only such attack group at this high level. And Kaspersky Labs findings about them likely only scratches the surface of what they can do. We havent seen Mac or iPhone malware [from them], but we know it exists, for example, he says. Were sure theres some Linux malware, too … and probably a lot of other stuff we have not found yet.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Newly Discovered Master Cyber Espionage Group Trumps Stuxnet