Equation Group

Type: Advanced persistent threat
Products: Stuxnet, Flame, EternalBlue

The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA).[1][2][3] Kaspersky Lab describes it as one of the most sophisticated cyber attack groups in the world and "the most advanced (...) we have seen", operating alongside the creators of Stuxnet and Flame.[4][5] Most of its targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali.[5]

The name originated from the group's extensive use of encryption. By 2015, Kaspersky had documented 500 infections by the group in at least 42 countries, while acknowledging that the actual number could be in the tens of thousands because the malware uses a self-terminating protocol and so leaves many infections uncounted.[5][6]

In 2017, WikiLeaks published a discussion held within the CIA on how it had been possible to identify the group.[7] One commenter wrote that "the Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools" used for hacking.[8]

Discovery

At the Kaspersky Security Analysts Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. According to Kaspersky Lab's report, which noted that its research team was tracking more than 60 advanced threat actors at the time, the group has been active since at least 2001.[9] The malware used in its operations, dubbed EquationDrug and GrayFish, was found to be capable of reprogramming hard disk drive firmware.[4] Because of the advanced techniques involved and the high degree of covertness, the group is suspected of ties to the NSA, but Kaspersky Lab has not identified the actors behind it.

In 2015 Kaspersky's research findings on the Equation Group noted that its loader, "GrayFish", had similarities to a previously discovered loader, "Gauss", from another attack series, and separately noted that the Equation Group had used two zero-day exploits later used in Stuxnet; the researchers concluded that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together".[10]: 13 

Firmware

The researchers also found that the platform had at times been spread by interdiction (interception of legitimate CDs sent by a scientific conference organizer by mail).[10]: 15  The platform had the "unprecedented" ability to infect, and be transmitted through, the hard drive firmware of several major hard drive manufacturers, and to create and use hidden disk areas and virtual disk systems for its purposes, a feat which would require access to the manufacturers' source code to achieve.[10]: 16–18  The tooling was designed for surgical precision, going so far as to exclude specific countries by IP address and to allow targeting of specific usernames on discussion forums.[10]: 23–26 

Codewords and timestamps

The NSA codewords "STRAITACID" and "STRAITSHOOTER" have been found inside the malware. In addition, compile timestamps in the malware indicate that the programmers worked overwhelmingly Monday to Friday, during what would correspond to a 08:00–17:00 workday in an Eastern United States time zone.[11]
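The timestamp argument above is a generic technique: take the compile timestamps from a set of samples, try every plausible UTC offset, and ask under which offset the builds cluster into a weekday working window. The following script is an added example, not code from the page or from Kaspersky; the timestamps it uses are constructed for illustration and are not real Equation Group data. The workday window and the offset range are assumptions. Compile timestamps in PE headers are attacker-controlled and can be zeroed or forged, so the result is a weak signal that only carries weight when it holds across many samples.

```python
"""Working-hours inference from malware compile timestamps (added example).

Given UTC compile timestamps, score each candidate UTC offset by the share of
samples that fall in a Monday-Friday, 08:00-16:59 window under that offset.
The best-scoring offset is the analyst's best guess at the developers' zone.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample (not real data): UTC compile timestamps as read from PE headers.
SAMPLE_TIMESTAMPS_UTC = [
    "2013-01-14T13:10:00Z",  # Mon 08:10 in UTC-5
    "2013-01-15T21:45:00Z",  # Tue 16:45 in UTC-5
    "2013-01-16T14:30:00Z",
    "2013-01-17T16:05:00Z",
    "2013-01-18T20:50:00Z",
    "2013-01-21T13:40:00Z",
    "2013-01-22T21:20:00Z",
    "2013-01-23T18:15:00Z",
    "2013-01-24T15:00:00Z",
    "2013-01-25T19:30:00Z",
    "2013-01-26T07:00:00Z",  # Sat 02:00 in UTC-5: an out-of-hours build
]

WORK_START, WORK_END = 8, 17   # assumed local workday, hours in [8, 17)


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_workday(local: datetime) -> bool:
    """True if the local time is Monday-Friday within [WORK_START, WORK_END)."""
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def score_offsets(stamps, offsets=range(-12, 15)):
    """Return {utc_offset_hours: fraction of samples built during local work hours}."""
    parsed = [parse_utc(s) for s in stamps]
    scores = {}
    for off in offsets:
        tz = timezone(timedelta(hours=off))
        hits = sum(in_workday(t.astimezone(tz)) for t in parsed)
        scores[off] = hits / len(parsed)
    return scores


def best_offset(stamps):
    """UTC offset (hours) whose workday window explains the most samples."""
    scores = score_offsets(stamps)
    return max(scores, key=scores.get)


def weekday_histogram(stamps, offset_hours):
    """Counter of weekday names for the samples viewed in the given offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(parse_utc(s).astimezone(tz).strftime("%a") for s in stamps)


if __name__ == "__main__":
    off = best_offset(SAMPLE_TIMESTAMPS_UTC)
    print(f"best-fit offset: UTC{off:+d}")
    print(weekday_histogram(SAMPLE_TIMESTAMPS_UTC, off))
```

On the constructed sample the best fit is UTC-5 (US Eastern standard time), with neighbouring offsets scoring lower because builds near the start and end of the day fall outside the window once shifted by an hour. On real data, daylight-saving transitions shift the apparent offset by one hour for part of the year, so samples should be grouped by season before scoring.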

The LNK exploit

Kaspersky's Global Research and Analysis Team (GReAT) reported finding a piece of malware, dating from 2008, that contained Stuxnet's "privLib".[12] Specifically, it contained the LNK exploit that was found in Stuxnet in 2010. This malware, Fanny, is classified as a worm that affects certain Windows operating systems and attempts to spread laterally via network connections or USB storage. Kaspersky stated that, based on the recorded compile time of Fanny, it suspects the Equation Group has been around longer than Stuxnet.[4]

The NSA's listing of its Tailored Access Operations program named IRATEMONK from the NSA ANT catalog.

F-Secure has argued that the Equation Group's malicious hard drive firmware is the TAO program "IRATEMONK",[13] one of the items from the NSA ANT catalog exposed in a 2013 Der Spiegel article. IRATEMONK gives the attacker persistence on desktop and laptop computers that survives the disk being formatted, its data being erased, or the operating system being reinstalled. It infects the hard drive firmware, which in turn adds instructions to the disk's master boot record so that the implant is loaded each time the computer boots.[14] It is capable of infecting certain hard drives from Seagate, Maxtor, Western Digital, Samsung,[14] IBM, Micron Technology and Toshiba.[4]
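Because the implant re-patches the master boot record on every boot, the MBR's bootstrap code is one artefact a defender can baseline and compare. The script below is an added example written for this page, not code from F-Secure, Kaspersky or the NSA: it parses a 512-byte MBR, checks the 0x55AA signature, hashes the 446-byte bootstrap area against a trusted baseline, and reports sectors not covered by any primary partition, since unexplained unallocated space is one place a hidden storage area could live. The disk images, partition layout and boot-stub bytes are constructed. One caveat a practitioner should keep in mind: the bytes are read back through the drive's own firmware, so a compromised drive can serve a clean MBR to the host. A mismatch is a finding; a match is not evidence of a clean drive.

```python
"""MBR baseline check and hidden-area estimate (added example, constructed data)."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446
PARTITION_TABLE_OFF = 446
SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode: bytes, partitions):
    """Assemble a 512-byte MBR from bootstrap bytes and (type, lba_start, sectors) tuples.
    Constructed helper so the example runs offline; CHS fields are left zero."""
    assert len(bootcode) <= BOOTCODE_LEN and len(partitions) <= 4
    table = b""
    for idx, (ptype, lba, count) in enumerate(partitions):
        status = 0x80 if idx == 0 else 0x00
        table += struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    return bootcode.ljust(BOOTCODE_LEN, b"\0") + table.ljust(64, b"\0") + SIGNATURE


def parse_partitions(mbr: bytes):
    """Return the non-empty primary partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def bootcode_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code area, the part a firmware implant rewrites."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def unallocated_sectors(partitions, total_sectors: int) -> int:
    """Sectors beyond the first partition's start that no primary partition covers.
    The loader gap before the first partition is ignored."""
    covered = sum(p["sectors"] for p in partitions)
    first = min((p["lba_start"] for p in partitions), default=total_sectors)
    return total_sectors - first - covered


def check_mbr(mbr: bytes, baseline_bootcode_sha256: str, total_sectors: int):
    """Run the signature, bootstrap-hash and unallocated-space checks; return a report dict."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = parse_partitions(mbr)
    digest = bootcode_hash(mbr)
    return {
        "signature_ok": mbr[510:512] == SIGNATURE,
        "bootcode_sha256": digest,
        "bootcode_changed": digest != baseline_bootcode_sha256,
        "partitions": parts,
        "unallocated_sectors": unallocated_sectors(parts, total_sectors),
    }


# Constructed disk: 1,000,000 sectors, one NTFS partition that leaves 5,000 sectors at the end.
TOTAL_SECTORS = 1_000_000
LAYOUT = [(0x07, 2048, TOTAL_SECTORS - 2048 - 5000)]
KNOWN_GOOD_BOOTCODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4") + b"\x90" * 400
CLEAN_MBR = build_mbr(KNOWN_GOOD_BOOTCODE, LAYOUT)
BASELINE_HASH = bootcode_hash(CLEAN_MBR)
# Same partition table, but the bootstrap now starts with a different jump (simulated implant patch).
IMPLANTED_MBR = build_mbr(b"\xEB\x3E" + KNOWN_GOOD_BOOTCODE[2:], LAYOUT)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("implanted", IMPLANTED_MBR)):
        print(name, check_mbr(img, BASELINE_HASH, TOTAL_SECTORS))
```

The check only walks the four primary entries; a GPT disk shows up as a single protective entry of type 0xEE and needs a GPT parser instead, and logical partitions inside an extended partition are counted as covered by their container. For a real investigation the baseline hash and the read of the MBR should both come from outside the suspect system, for example by imaging the drive on a known-good machine, so that the comparison does not depend on the firmware under suspicion.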

2016 breach of the Equation Group

In August 2016, a hacking group calling itself "The Shadow Brokers" announced that it had stolen malware code from the Equation Group.[15] Kaspersky Lab noticed similarities between the stolen code and earlier known code from the Equation Group malware samples in its possession, including quirks unique to the Equation Group's way of implementing the RC6 encryption algorithm, and therefore concluded that the announcement was legitimate.[16] The most recent dates of the stolen files are from June 2013, which prompted Edward Snowden to speculate that a lockdown following his leak of the NSA's global and domestic surveillance efforts had cut off The Shadow Brokers' access to the Equation Group.

Exploits against Cisco Adaptive Security Appliances and Fortinet firewalls were featured in some of the samples released by The Shadow Brokers.[17] EXTRABACON, a Simple Network Management Protocol exploit against Cisco's ASA software, was a zero-day exploit at the time of the announcement.[17] Juniper also confirmed that its NetScreen firewalls were affected.[18] The EternalBlue exploit from the same leak, which targets the SMBv1 service on Windows, was later used to conduct the damaging worldwide WannaCry ransomware attack.
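The RC6 "quirk" is worth seeing in code, because it illustrates how an implementation fingerprint can be invisible at the cryptographic level. The block below is an added example, not code from the page, from Kaspersky, or from the leaked tooling. One detail is taken from Kaspersky's August 2016 comparison of the Shadow Brokers dump with its Equation samples rather than from this page: the reference RC6 key schedule adds Q = 0x9E3779B9 to each round-key word, while the Equation code subtracts 0x61C88647 instead. Since 0x9E3779B9 + 0x61C88647 equals 2^32, both variants produce identical round keys and identical ciphertext, so the difference only shows up in the compiled instructions. The script implements RC6-32/20/16 both ways, checks them against the published RC6 test vector, and includes the kind of byte-pattern test a YARA rule would use to tell the variants apart. The two "compiled" byte strings are constructed stand-ins for an x86 `add` and `sub` with those immediates, not bytes from any real sample.

```python
"""RC6 key schedule: standard constant vs. the subtract-0x61C88647 variant (added example)."""
import struct

W, R, MASK = 32, 20, 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9
NEG_Q32 = 0x61C88647                      # (-Q32) mod 2**32
LOG_W = 5                                  # log2(W)


def rotl(x, n):
    """32-bit rotate left; the rotation amount is taken mod 32 as RC6 specifies."""
    n &= W - 1
    return ((x << n) | (x >> (W - n))) & MASK


def key_schedule(key: bytes, subtract_variant: bool = False):
    """Return the 2R+4 round keys. subtract_variant=True mimics 'S[i] = S[i-1] - 0x61C88647'."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    t = 2 * R + 4
    S = [P32]
    for _ in range(1, t):
        S.append((S[-1] - NEG_Q32) & MASK if subtract_variant else (S[-1] + Q32) & MASK)
    A = B = i = j = 0
    for _ in range(3 * max(c, t)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, (A + B) & MASK)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def encrypt_block(S, block: bytes) -> bytes:
    """One RC6 block encryption: 16-byte block as four little-endian 32-bit words."""
    A, B, C, D = struct.unpack("<4I", block)
    B = (B + S[0]) & MASK
    D = (D + S[1]) & MASK
    for i in range(1, R + 1):
        t = rotl((B * (2 * B + 1)) & MASK, LOG_W)
        u = rotl((D * (2 * D + 1)) & MASK, LOG_W)
        A = (rotl(A ^ t, u) + S[2 * i]) & MASK
        C = (rotl(C ^ u, t) + S[2 * i + 1]) & MASK
        A, B, C, D = B, C, D, A
    A = (A + S[2 * R + 2]) & MASK
    C = (C + S[2 * R + 3]) & MASK
    return struct.pack("<4I", A, B, C, D)


# Published RC6 test vector: all-zero 16-byte key and all-zero plaintext.
RC6_TV_CIPHERTEXT = bytes.fromhex("8fc3a53656b1f778c129df4e9848a41e")


def constant_fingerprint(blob: bytes) -> str:
    """Report which key-schedule constant a code blob carries, by its little-endian
    immediate bytes, the way a YARA string match would."""
    has_std = struct.pack("<I", Q32) in blob
    has_neg = struct.pack("<I", NEG_Q32) in blob
    if has_neg and not has_std:
        return "subtract-variant"
    if has_std and not has_neg:
        return "standard"
    return "both" if has_std and has_neg else "none"


# Constructed stand-ins for two compiled key-schedule loops:
# 'add eax, 0x9E3779B9' (05 imm32) versus 'sub eax, 0x61C88647' (2D imm32), then 'mov [edx], eax'.
STANDARD_CODE = b"\x05" + struct.pack("<I", Q32) + b"\x89\x02"
VARIANT_CODE = b"\x2D" + struct.pack("<I", NEG_Q32) + b"\x89\x02"

if __name__ == "__main__":
    key = bytes(16)
    print(encrypt_block(key_schedule(key), bytes(16)).hex())
    print(constant_fingerprint(STANDARD_CODE), constant_fingerprint(VARIANT_CODE))
```

The point of the two assertions in the test, equal round keys and equal ciphertext, is that no amount of traffic or file analysis distinguishes the variants; only static signatures on the code do. That also means the fingerprint is trivially removable by anyone who knows it is being looked for, which is why Kaspersky treated it as one corroborating quirk among several rather than as proof on its own.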

References

  1. ^ Fox-Brewster, Thomas (February 16, 2015). "Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'". Forbes. Retrieved November 24, 2015.
  2. ^ Menn, Joseph (February 17, 2015). "Russian researchers expose breakthrough U.S. spying program". Reuters. Retrieved November 24, 2015.
  3. ^ "The NSA Leak Is Real, Snowden Documents Confirm". The Intercept. August 19, 2016. Retrieved August 19, 2016.
  4. ^ a b c d GReAT (February 16, 2015). "Equation: The Death Star of Malware Galaxy". Securelist.com. Kaspersky Lab. Retrieved August 16, 2016. SecureList, Costin Raiu (director of Kaspersky Lab's global research and analysis team): "It seems to me Equation Group are the ones with the coolest toys. Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame."
  5. ^ a b c Goodin, Dan (February 16, 2015). "How "omnipotent" hackers tied to NSA hid for 14 years—and were found at last". Ars Technica. Retrieved November 24, 2015.
  6. ^ Kirk, Jeremy (February 17, 2015). "Destroying your hard drive is the only way to stop this super-advanced malware". PCWorld. Retrieved November 24, 2015.
  7. ^ Goodin, Dan (March 7, 2017). "After NSA hacking exposé, CIA staffers asked where Equation Group went wrong". Ars Technica. Retrieved March 21, 2017.
  8. ^ "What did Equation do wrong, and how can we avoid doing the same?". Vault 7. WikiLeaks. Retrieved March 21, 2017.
  9. ^ "Equation Group: The Crown Creator of Cyber-Espionage". Kaspersky Lab. February 16, 2015. Retrieved November 24, 2015.
  10. ^ a b c d "Equation Group: Questions and Answers (Version: 1.5)" (PDF). Kaspersky Lab. February 2015. Archived from the original (PDF) on February 17, 2015. Retrieved November 24, 2015.
  11. ^ Goodin, Dan (March 11, 2015). "New smoking gun further ties NSA to omnipotent "Equation Group" hackers". Ars Technica. Retrieved November 24, 2015.
  12. ^ "A Fanny Equation: "I am your father, Stuxnet"". Kaspersky Lab. February 17, 2015. Retrieved November 24, 2015.
  13. ^ "The Equation Group Equals NSA / IRATEMONK". F-Secure Weblog : News from the Lab. February 17, 2015. Retrieved November 24, 2015.
  14. ^ a b Schneier, Bruce (January 31, 2014). "IRATEMONK: NSA Exploit of the Day". Schneier on Security. Retrieved November 24, 2015.
  15. ^ Goodin, Dan (August 15, 2016). "Group claims to hack NSA-tied hackers, posts exploits as proof". Ars Technica. Retrieved August 19, 2016.
  16. ^ Goodin, Dan (August 16, 2016). "Confirmed: hacking tool leak came from "omnipotent" NSA-tied group". Ars Technica. Retrieved August 19, 2016.
  17. ^ a b Thomson, Iain (August 17, 2016). "Cisco confirms two of the Shadow Brokers' 'NSA' vulns are real". The Register. Retrieved August 19, 2016.
  18. ^ Pauli, Darren (August 24, 2016). "Equation Group exploit hits newer Cisco ASA, Juniper Netscreen". The Register. Retrieved August 30, 2016.
