Russian Intelligence affiliated Kaspersky Labs reports on the NSA’s Equation Group

Kaspersky Labs has a 44 page report on the hackers called the Equation Group. The Equation group are most likely hackers working for the NSA

Wired reported that the founder of Kaspersky had KGB-sponsored training and served as a Soviet intelligence officer. He was allied with Vladimir Putin’s regime and has deep and ongoing relationship with Russia’s Federal Security Service, or FSB.

Kaspersky Lab is an international software security group operating in almost 200 countries and territories worldwide. The company is headquartered in Moscow, Russia, with its holding company registered in the United Kingdom. Kaspersky Lab currently employs over 2,850 qualified specialists. It has 31 representative territory offices in 30 countries and its products and technologies provide service for over 300 million users and over 250,000 corporate clients worldwide. The company is specially focused on large enterprises, and small and medium-sized businesses.

Taken together, the accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.

“It seems to me Equation Group are the ones with the coolest toys,” Costin Raiu, director of Kaspersky Lab’s global research and analysis team, told Ars. “Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.”

The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” threat in complexity and sophistication. The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen.

Kasperky calls then the Equation group because of their love for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations. In general, the Equation group uses a specific implementation of the RC5 encryption algorithm throughout their malware. Some of the most recent modules use RC6, RC4 and AES too, in addition to other cryptographic functions and hashes.

One technique in particular caught our attention and reminded us of another complex malware, Gauss. The GrayFish loader uses SHA-256 one thousand times over the unique NTFS object ID of the victim’s Windows folder to decrypt the next stage from the registry. This uniquely ties the infection to the specific machine, and means the payload cannot be decrypted without knowing the NTFS object ID

What is the most sophisticated thing about the EQUATION group?

Although the implementation of their malware systems is incredibly complex, surpassing even Regin in sophistication, there is one aspect of the EQUATION group’s attack technologies that exceeds anything we have ever seen before. This is the ability to infect the hard drive firmware. We were able to recover two HDD firmware reprogramming modules from the EQUATIONDRUG and GRAYFISH platforms. The EQUATIONDRUG HDD firmware reprogramming module has version 3.0.1 while the GRAYFISH reprogramming module has version 4.2.0. These were compiled in 2010 and 2013, respectively, if we are to trust the PE timestamps

Combining statistics from KSN and our sinkhole, we counted more than 500 victims worldwide. A lot of infections have been observed on servers, often domain controllers, data warehouses, website hosting and other types of servers. At the same time, the infections have a self-destruct mechanism, so we can assume there were probably tens of thousands of infections around the world throughout the history of the Equation group’s operations. As an interesting note, some of the “patients zero” of Stuxnet seem to have been infected by the EQUATION group. It is quite possible that the EQUATION group malware was used to deliver the STUXNET payload.

The Equation group uses a vast C and C infrastructure that includes more than 300 domains and more than 100 servers. The servers are hosted in multiple countries, including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and Czech Republic.

The identified several malware platforms used exclusively by the Equation group. They are:
• EQUATIONDRUG – A very complex attack platform used by the group on its victims. It supports a module plugin system, which can be dynamically uploaded and unloaded by the attackers.

• DOUBLEFANTASY – A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they get upgraded to a more sophisticated platform such as EQUATIONDRUG or GRAYFISH.


• TRIPLEFANTASY – Full-featured backdoor sometimes used in tandem with GRAYFISH. Looks like an upgrade of DOUBLEFANTASY, and is possibly a more recent validator-style plugin.

• GRAYFISH – The most sophisticated attack platform from the EQUATION group. It resides completely in the registry, relying on a bootkit to gain execution at OS startup.

• FANNY – A computer worm created in 2008 and used to gather information about targets in the Middle East and Asia. Some victims appear to have been upgraded first to DoubleFantasy, and then to the EQUATIONDRUG system. Fanny used exploits for two zero-day vulnerabilities which were later discovered with Stuxnet.

• EQUATIONLASER – An early implant from the EQUATION group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DOUBLEFANTASY and EQUATIONDRUG

SOURCES – Kaspersky Labs, Wikipedia, Wired, Ars Technica