Kaspersky Labs says it has been following a team of highly sophisticated hackers that the firm believes have deep ties with the operators of the Stuxnet and Flame attacks designed to wipe out Middle Eastern computers.
At the Kaspersky Labs Security Analyst Summit in Cancun, Mexico, the Moscow-based security firm revealed what it knows about the Equation Group, which is being monitored by Kaspersky's Global Research and Analysis Team (GReAT). Short of naming the National Security Agency (NSA) and the United States Cyber Command, Kaspersky's findings show the Equation Group is nothing more than the secret hacking arm of the U.S. government's intelligence gathering agencies.
Although Kaspersky says it has been following more than 60 "threat actors" for several years, it has only recently confirmed that the group of hackers surpasses the complexity and technical sophistication of all other groups it has followed. Named the Equation Group for its highly advanced encryption schemes, the group is said to have been in operation since 1996.
The Equation Group, says Kaspersky, is unique in several ways, including the group's access to very complicated tools that are expensive to develop and the hackers' ability to use "classic" spying techniques to deliver malware and retrieve data all while "outstandingly" evading detection. Some of the "implants" discovered by Kaspersky are EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and Grayfish, although Kaspersky says there are "without a doubt" more of these Trojans used by the group.
One of the group's standout tools is Fanny, a self-spreading worm that lurks in the hidden storage area of USB sticks and collects information about the computer into which an infected USB stick is plugged. Costin Raiu, director of GReAT at Kaspersky, says Fanny has been found "on thousands of USBs, and are still there." What is really striking about Fanny is its close resemblance to Stuxnet, a worm strongly believed to have been launched by a joint U.S. and Israel initiative to disable the uranium centrifuges of Iran's nuclear program.
Raiu says Stuxnet used two zero-day exploits, undisclosed security holes previously used in Fanny, indicating that the Equation Group had access to the exploits ahead of the group that deployed Stuxnet.
"Actually, the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the Equation Group and the Stuxnet developers are either the same or working closely together," claimed Raiu.
Perhaps the most powerful tool in the group's arsenal is a module called nls_933w.dll, which allows the hackers to rewrite the firmware of both traditional and SSD hard drives made by more than a dozen manufacturers, which make up essentially the entire hard drive market.
Part of recovering an infected computer involves reformatting the hard drive to wipe out the attack tool. However, the group embeds the malware into the hard drive's firmware, a coveted piece of computer real estate that allows the malware to survive even after the hard drive has been cleaned. Essentially, the only way to destroy the malware is to physically destroy the hard drive itself.
"If the malware gets into the firmware, it is able to resurrect itself forever," said Raiu. "It means that we are practically blind and cannot detect hard drives that have been infected with this malware."
Kaspersky says hard drives from the top-selling companies, including Seagate, Samsung, Toshiba, IBM, Western Digital, and Maxtor have been infected by the malware. Although this means the group can infiltrate virtually every computer in the world, Kaspersky says the group is limiting its attack on highly specific foreign targets, particularly high-ranking officials in government and military organizations, financial institutions, energy and nuclear companies, telecommunications groups, media outlets, and Islamic activists.
At least 30 countries have been found to be infected, with the biggest number of infiltrations found in Iran, Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.
Exactly how the group gains access to these companies' hard drives isn't clear. Reuters cites former intelligence operatives who say that the hackers, acting as the NSA, sometimes pose as developers to ask for the hard drives' source code. Additionally, if the companies are selling their products to a government agency, such as the Pentagon, the agency can check out the source code at the pretense of asking for a security audit.
"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said former NSA analyst Vincent Liu, now of the security firm Bishop Fox. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."
Another former NSA employee confirms Kaspersky's conclusion that the Equation Group, which Kaspersky says interacted with the Stuxnet group from a position of superiority, is the NSA itself. The source also says the agency continues to place high value upon its spy programs, including Stuxnet. Another source says the NSA has indeed developed a technique to infiltrate its targets' hard drives, although the person says he does not know in which programs the agency uses this technique.
Kaspersky's research adds more challenges to the surveillance efforts of the NSA, which is already under fire due to Edward Snowden's leaks. However, the agency neither confirmed nor denied the report.
"We are aware of the recently released report," said Vanee Vines, spokesperson of the NSA. "We are not going to comment publicly on any allegations that the report raises or discuss any details."
