
2/16/2015 Beyond Stuxnet and Flame: Equation 'most advanced' cybercriminal gang recorded | ZDNet

Summary: Security experts say The Equation Group surpasses every other threat actor known in complexity and sophistication.

By Charlie Osborne for Zero Day | February 16, 2015 -- 20:16 GMT (12:16 PST)

CANCUN, MEXICO: Kaspersky Labs has discovered the "ancestor" of Stuxnet and Flame, a threat actor which surpasses everything else in complexity and technique sophistication.

On Monday at the Kaspersky Labs Security Analyst Summit, the firm unveiled research concerning the existence of a cyberattack team dubbed The Equation Group. The group, which Kaspersky Lab Global Research and Analysis Team (GReAT) members dub the "ancestor" of Stuxnet and Flame operators, has been in operation dating back to 2001 and possibly as early as 1996.

The Equation Group uses multiple malware platforms, some of which go far beyond threats such as Regin in complexity and sophistication.

"The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen," the company says.

After tracking over 60 threat actors responsible for cyberattacks across the globe, GReAT says that The Equation Group, active over two decades, goes beyond anything else the security team has tracked and witnessed.

According to Kaspersky Lab researchers, the group is unique in a number of ways: they use tools which are extremely complicated and expensive to develop; they are very professional in the ways they infect victims, steal data and hide their activities; and they also use "classic" spying techniques to deliver malicious payloads to victims.

In order to infect victims, the group uses a variety of trojans and tools. Within The Equation Group's toolkit, you will also find at least two Stuxnet variants, zero-days and exploits which strike both Windows and Mac machines and browsers.

Kaspersky detected seven exploits in total used by The Equation Group in their malware, and at least four were zero-days. In addition, there are a number of unknown exploits which are used in a chain to ensure success in infecting a machine.

Speaking at the conference, Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, said he assumes the group also has iPhone exploits, "but we have no confirmation so far."

The company has named specialist tools used by the group EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish, but the list is far from complete. However, each tool is sophisticated and professionally used.

"These guys don't make mistakes. If they do, they do very, very rarely," Raiu said.

Two particular tools stand out from the crowd. Fanny -- named after the fanny.bmp file found on compromised systems -- is a computer worm created in 2008 which targets victims in the Middle East and Asia.

The worm, which infects USB drives, has been found "on thousands of USBs, and are still there," according to Raiu. The purpose of Fanny appears to be the mapping of air-gapped networks. In order to do so, the malware uses a "unique" USB-based command and control mechanism -- carving out a hidden storage space on the USB to store stolen data and carry out commands.

If Fanny infects a computer which is not connected to the Web, it will collect system information and save it in the hidden area. When the computer eventually connects to the Internet, the malware leaps into action and sends this data to a command and control (C&C) center.

If the cyberattacker wants to run commands on the air-gapped networks, these commands can be saved in the secret storage space and executed from there.
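The hidden storage area described above suggests one defensive check: look for regions of a removable drive that no partition owns yet contain data. The following is an added example, not code from the article or from Kaspersky; it assumes an MBR-partitioned drive image read as raw bytes and builds a constructed sample image with data planted in the unallocated tail.

```python
import struct

SECTOR = 512  # logical sector size assumed for the image


def build_mbr(partitions):
    """Build a minimal MBR with up to four (lba_start, sector_count) entries.
    Constructed helper for the sample image; partition type 0x0B (FAT32)."""
    mbr = bytearray(SECTOR)
    for i, (start, count) in enumerate(partitions):
        # 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count
        entry = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x0B, b"\0\0\0", start, count)
        mbr[446 + 16 * i:446 + 16 * (i + 1)] = entry
    mbr[510:512] = b"\x55\xAA"  # boot signature
    return bytes(mbr)


def build_sample_image():
    """Constructed 64-sector image: one partition covering sectors 8..39 and
    non-zero bytes planted at sectors 48..55, outside any partition."""
    image = bytearray(64 * SECTOR)
    image[:SECTOR] = build_mbr([(8, 32)])
    image[48 * SECTOR:56 * SECTOR] = b"\xA5" * (8 * SECTOR)
    return bytes(image)


def find_unallocated(image):
    """Parse the MBR partition table of a raw image and return a list of
    (start_sector, sector_count, contains_data) for every region that no
    partition owns. A gap with contains_data=True warrants forensic inspection."""
    if image[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = image[off + 4]
        lba, count = struct.unpack_from("<II", image, off + 8)
        if ptype != 0 and count:
            parts.append((lba, lba + count))
    parts.sort()
    total = len(image) // SECTOR
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for start, end in parts + [(total, total)]:  # sentinel closes the final gap
        if start > cursor:
            region = image[cursor * SECTOR:start * SECTOR]
            gaps.append((cursor, start - cursor, any(region)))
        cursor = max(cursor, end)
    return gaps


if __name__ == "__main__":
    for start, count, has_data in find_unallocated(build_sample_image()):
        print(f"unallocated sectors {start}..{start + count - 1}: data={has_data}")
```

The article does not describe Fanny's actual on-disk layout, so a flagged gap is a lead for forensic inspection rather than proof of infection. On a real device, read the raw block device into bytes and pass them to find_unallocated.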

The second prominent tool used by The Equation Group is a plugin, nls_933w.dll, which Kaspersky Lab security expert Vitaly Kamluk described as the "ultimate cyberattack tool, unique and super advanced." This plugin has the power to interact with a hard drive -- both traditional and SSD -- on a lower level. Not only interact with -- but rewrite.

The infection, which Kamluk described as a "great headache even to detect," is able to reprogram a hard drive's firmware. By performing a rewrite, the group not only achieves an extreme level of persistence and the ability to survive disk reformatting, but the malware can also create a hidden storage area which is nigh-on impossible to detect.

The team has spotted 12 vendors so far whose drives are vulnerable, including Seagate, Western Digital and Samsung.

Sadly, if you suspect you are infected, the team suggests you should "destroy the hard drive," according to Kamluk. Why? Not only can the malware survive a full operating system reinstall, but your stolen data -- potentially hidden within a secret storage space -- will always be at risk and may end up being sent to the group's C&C center.

The security team believes The Equation group is the "ancestor" of other threat actors such as Stuxnet and Flame, as the group had access to zero-days before they were used by Stuxnet and Flame. At some point, The Equation group shared these exploits with others. For example, in 2008 Fanny used two zero-days which were introduced into Stuxnet in June 2009 and March 2010.

Raiu said:

"It's important to point out that these two exploits were used in Fanny before they were integrated into Stuxnet, indicating the Equation group had access to these zero-days before the Stuxnet group. Actually, the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the Equation group and the Stuxnet developers are either the same or working closely together."

For its C&C infrastructure, The Equation group uses over 300 domains and more than 100 servers hosted in countries including the US, UK, Panama and Colombia.

Since 2001, the Equation group has infected thousands -- or perhaps tens of thousands -- of victims with their arsenal of bootkits and malware, according to Kaspersky. No-one is safe either: the team says that targets from a vast range of sectors including government, military, telecommunications, energy, nanotechnology and media have become victims.

Raiu estimates that up to 2,000 victims a month are being targeted. While this number in itself does not seem like a big deal, when you consider who is being targeted and the variety of tools at their disposal, the security expert says "it's getting pretty scary."

Disclaimer: Kaspersky Labs sponsored the trip to the Security Analyst Summit 2015.