2/16/2015

Beyond Stuxnet and Flame: Equation 'most advanced' cybercriminal gang recorded | ZDNet

Beyond Stuxnet and Flame: Equation 'most advanced'

cybercriminal gang recorded
Summary: Security experts say The Equation Group surpasses every other threat actor known in
complexity and sophistication.
By C harlie Osborne for Zero Day | February 16, 2015 -- 20:16 GMT (12:16 PST)

Follow @ZDNetCharlie
Comments

Kaspersky Labs
CANCUN, MEXICO: Kaspersky Labs has discovered the "ancestor" of Stuxnet and Flame, a threat actor
which surpasses everything else in complexity and technique sophistication.
On Monday at the Kaspersky Labs Security Analyst Summit, the firm unveiled research concerning the
existence of a cyberattack team dubbed The Equation Group. The group, which Kaspersky Lab Global
Research and Analysis Team (GReAT) members dub the "ancestor" of Stuxnet and Flame operators, has
been in operation dating back to 2001 and possibly as early as 1996.
The Equation Group uses multiple malware platforms, some of which go far beyond threats such as Regin
in complexity and sophistication.
"The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they
are the most advanced threat actor we have seen," the company says.
data:text/html;charset=utf-8,%3Cheader%20class%3D%22storyHeader%22%20style%3D%22display%3A%20block%3B%20margin%3A%200px%200px%2018

1/4

2/16/2015

Beyond Stuxnet and Flame: Equation 'most advanced' cybercriminal gang recorded | ZDNet

After tracking over 60 threat actors responsible for cyberattacks across the globe, GReAT says that The
Equation Group, active over two decades, goes beyond anything else the security team has tracked and
witnessed.
According to Kaspersky Lab researchers, the group is unique in a number of ways: they use tools which
are extremely complicated and expensive to develop; are very professional in the ways they infect victims,
steal data and hide their activities, and they also use "classic" spying techniques to deliver malicious
payloads to victims.
In order to infect victims, the group uses a variety of trojans and tools. Within The Equation Group's toolkit,
you will also find at least two Stuxnet variants, Zero days and exploits which strike both Windows and Mac
machines and browsers.
Kaspersky detected seven exploits in total used by The Equation group in their malware, and at least four
were Zero days. In addition, there are a number of unknown exploits which are used in a chain to ensure
success in infecting a machine.
Speaking at the conference, Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky
Lab said he assumes the group also has iPhone exploits, "but we have no confirmation so far."
The company have named specialist tools used by the group EquationLaser, EquationDrug, DoubleFantasy,
TripleFantasy, Fanny and GrayFish, but the list is far from complete. However, each tool is sophisticated
and professionally used.

"These guys don't make mistakes. If they do, they do very, very rarely." Raiu said.
Two particular tools stand out from the crowd. Fanny -- named due to fanny.bmp file found on
compromised systems -- is a computer worm created in 2008 which targets victims in the Middle East and
Asia.
The worm, which infects USB hard drives, has been found "on thousands of USBs, and are still there,"
according to Raiu. The purpose of Fanny appears to be the mapping of air-gapped networks. In order to do
so, the malware uses a "unique" USB-based command and control mechanism -- carving out a hidden
data:text/html;charset=utf-8,%3Cheader%20class%3D%22storyHeader%22%20style%3D%22display%3A%20block%3B%20margin%3A%200px%200px%2018

2/4

2/16/2015

Beyond Stuxnet and Flame: Equation 'most advanced' cybercriminal gang recorded | ZDNet

storage space on the USB to store stolen data and carry out commands.
If Fanny infects a computer which is not connected to the Web, it will collect system information and save it
in the hidden area. When the computer eventually connects to the Internet, the malware leaps into action
and sends this data to a command and control (C&C) center.

If the cyberattacker wants to run commands on the air-gapped networks, these commands can be saved
in the secret storage space and execute them.
The second prominent tool used by The Equation Group is a plugin, nls_933w.dll, which Kaspersky Lab
security expert Vitaly Kamluk described as the "ultimate cyberattack tool, unique and super advanced."
This plugin has the power to interact with a hard drive -- both traditional and SSD -- on a lower level.
Not only interact with -- but rewrite.
The infection, which Kamluk described as a "great headache even to detect," is able to reprogram a hard
drive's firmware. By performing a rewrite, the group not only achieves an extreme level of persistence and
the ability to survive disk reformatting, but the malware can also create a hidden storage area which is
nigh-on impossible to detect.
The team has spotted 12 vendors so far which are vulnerable,
including Seagate, Western Digital and Samsung.

Read this

Sadly, if you suspect you are infected, the team suggests you should
"destroy the hard drive," according to Kamluk. Why? Not only can the
malware survive a full operating system reinstall, but your stolen
data -- potentially hidden within a secret storage space -- will always
be at risk and may end up being sent to the group's C&C center.
The security team believes The Equation group is the "ancestor" of
other threat actors such as Stuxnet and Flame, as the group has
access to Zero days before they were used by Stuxnet and Flame. At
some point, The Equation group shared these exploits with others.
For example, in 2008 Fanny used two Zero days which were
introduced into Stuxnet in June 2009 and March 2010.
Raiu said:

Bluster, bravado and breaches:

Today's 'terrorist' players in
cybersecurity
Read More

"It's important to point out that these two exploits were used
in Fanny before they were integrated into Stuxnet, indicating
data:text/html;charset=utf-8,%3Cheader%20class%3D%22storyHeader%22%20style%3D%22display%3A%20block%3B%20margin%3A%200px%200px%2018

3/4

2/16/2015

Beyond Stuxnet and Flame: Equation 'most advanced' cybercriminal gang recorded | ZDNet

the Equation group had access to these zero-days before the

Stuxnet group. Actually, the similar type of usage of both
exploits together in different computer worms, at around the
same time, indicates that the Equation group and the Stuxnet
developers are either the same or working closely together."
Using a C&C center, The Equation group comprises of over 300 domains and more than 100 servers
hosted in countries including the US, UK, Panama and Colombia.
Since 2001, the Equation group has infected thousands -- or perhaps tens of thousands -- with their
arsenal of bootkits and malware, according to Kaspersky. No-one is safe either: the team say that targets
from a vast range of sectors including government, military, telecommunications, energy, nanotechnology
and media have become victims.
Raiu estimates that up to 2,000 victims a month are being targeted. While this number in itself does not
seem like a big deal, when you consider who is being targeted and the variety of tools at their disposal,
the security expert says "it's getting pretty scary."
Disclaimer: Kaspersky Labs sponsored the trip to the Security Analyst Summit 2015.

data:text/html;charset=utf-8,%3Cheader%20class%3D%22storyHeader%22%20style%3D%22display%3A%20block%3B%20margin%3A%200px%200px%2018

4/4