February 26, 2015

Part III: Solving the mystery of shadow hacking organization The Equation Group

Wade Sims for redOrbit.com - Your Universe Online

In case you missed them: Part I and Part II of this series.

“Never send a human to do a machine’s job.” – Agent Smith, The Matrix

How does one detect an undetectable hacking group, though?

Somewhere along the way, a human screws up. Kaspersky uncovered Equation Group in March 2014 while researching Regin, the malware the NSA purportedly used to infect Belgacom and other targets. During that investigation, researchers discovered a machine they dubbed “The Magnet of Threats,” because it was infected with several highly advanced malware packages at once: Regin, Turla, ItaDuke, Animal Farm, and Careto/Mask. One implant on this machine did not match any known APT toolkit; researchers eventually identified it as the EquationDrug platform.

That platform gave Kaspersky something concrete to hunt with. Researchers spent months combing antivirus telemetry for statistical and correlative similarities, which eventually led them to the other Equation Group malware platforms. From the platforms they had in hand, the researchers extracted the domain names used for command and control, the channel through which the malware receives instructions and returns stolen data.

Of the roughly 300 domain names used to control the malware, Equation Group let about 20 expire. Kaspersky quickly registered those domains and pointed them at servers of its own, which did nothing but log every infected machine that connected looking for orders, a technique called “sinkholing.” (A sinkhole only records the check-ins; it never issues commands to the infected hosts.) One of the sinkholed domains belonged to EquationLaser, a platform dating from 2003; some 12 years later, infected machines in Russia, China, Iran, and India were still reporting to it.
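What a sinkhole operator actually does with those check-ins is triage the log: separate genuine beacons from the crawlers and scanners that hit any public IP, then count distinct victims per domain. The script below is an added example, not Kaspersky's tooling; its log format, the `id=<hex>` beacon signature, the domain names and every log line are constructed for illustration, and a real family's check-in format would have to be learned from the sample first.

```python
"""Triage of a sinkhole's request log: which hosts are still beaconing to a
domain the operator let expire, and which requests are just Internet noise."""
import re
from collections import defaultdict

# Constructed sample log. Hypothetical format, one request per line:
#   <UTC timestamp> <source IP> <Host header> <method> <path> "<User-Agent>"
SINKHOLE_LOG = """\
2015-02-20T03:14:07Z 203.0.113.17 expired-c2.example GET /cgi-bin/status.cgi?id=7a3fb1 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2015-02-20T03:14:09Z 198.51.100.5 expired-c2.example GET /robots.txt "Mozilla/5.0 (compatible; Googlebot/2.1)"
2015-02-20T03:21:55Z 203.0.113.17 expired-c2.example GET /cgi-bin/status.cgi?id=7a3fb1 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2015-02-20T04:02:13Z 192.0.2.44 expired-c2.example GET /cgi-bin/status.cgi?id=c0ffee "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2015-02-20T04:10:00Z 198.51.100.77 other-expired.example GET / "masscan/1.0"
2015-02-20T05:30:41Z 192.0.2.101 other-expired.example GET /update.php?v=3&id=deadbeef "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2015-02-20T05:31:00Z 192.0.2.101 other-expired.example GET /update.php?v=3&id=deadbeef "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Hypothetical beacon signature: a GET whose query carries an "id=<hex>" victim
# identifier. Real families use their own formats; this is only the shape.
BEACON_RE = re.compile(r"[?&]id=(?P<vid>[0-9a-f]{4,})")

# Obvious non-victim traffic that every public IP attracts.
NOISE_UA = ("bot", "crawler", "masscan", "spider", "zgrab")


def parse(log_text):
    """Yield one dict per well-formed line; silently skip lines that don't match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def classify(req):
    """'noise' for crawlers/scanners, 'beacon' for a check-in, else 'other'."""
    ua = req["ua"].lower()
    if any(tag in ua for tag in NOISE_UA):
        return "noise"
    if BEACON_RE.search(req["path"]):
        return "beacon"
    return "other"


def victims_per_domain(log_text):
    """Map sinkholed domain -> {victim id: set of source IPs seen beaconing}.

    Keying on the malware's own victim identifier rather than the source
    address keeps one infected host behind a changing NAT address from being
    counted many times, and several hosts behind one NAT from collapsing into one.
    """
    result = defaultdict(lambda: defaultdict(set))
    for req in parse(log_text):
        if classify(req) != "beacon":
            continue
        vid = BEACON_RE.search(req["path"]).group("vid")
        result[req["host"]][vid].add(req["src"])
    return {host: dict(v) for host, v in result.items()}


def summary(log_text):
    """Distinct beaconing victims per sinkholed domain."""
    return {host: len(v) for host, v in victims_per_domain(log_text).items()}


if __name__ == "__main__":
    for host, n in sorted(summary(SINKHOLE_LOG).items()):
        print(f"{host}: {n} distinct victim id(s) still checking in")
```

On the constructed log this reports two victims for the first domain and one for the second; the Googlebot and masscan lines are discarded as noise, and repeated check-ins from the same victim id are collapsed.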

Beyond what was gleaned from sinkholing Equation Group domains and from correlating Equation Group malware with Regin and Stuxnet, clues to the mysterious group were found in the code itself. In at least 13 instances, Equation Group developers failed to scrub identifying traits from their binaries: one file references the “Grok” keylogger by name in the string “-standalonegrok_2.1.1.1,” and another carries the directory path “c:\users\rmgree5,” the user-profile folder of one of the developer accounts, which, if not chosen at random, could correspond to a developer’s name or handle.
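Those artifacts are exactly what an analyst goes looking for first: embedded user-profile paths, debug-symbol (PDB) paths and versioned internal component names survive compilation unless someone deliberately strips them. The script below is an added example of that triage step, not Kaspersky's tooling. It runs a `strings`-style extraction (ASCII and UTF-16LE) over a constructed byte buffer that embeds the two strings quoted above plus an invented PDB path; the regular expressions are generic patterns, not signatures for any real sample.

```python
"""Pull developer artefacts (user-profile paths, PDB paths, versioned internal
component names) out of a binary's embedded strings."""
import re

# Constructed sample "binary": header-like junk around a few embedded strings,
# one of them stored as UTF-16LE, as Windows binaries commonly do. The two
# strings quoted in the article are included; everything else is made up.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"c:\\users\\rmgree5\\src\\driver\\release\\driver.pdb\x00"
    + b"\x17\x9a\x00\xff"
    + b"-standalonegrok_2.1.1.1\x00"
    + b"\x01\x02\x03"
    + "D:\\work\\build\\agent.pdb".encode("utf-16-le") + b"\x00\x00"
    + b"\x7fELF"
    + b"GET /\x00"  # below the minimum length, so never extracted
)

MIN_LEN = 6  # shorter runs are mostly opcode bytes that happen to be printable


def ascii_strings(data, min_len=MIN_LEN):
    """Runs of printable ASCII, like strings(1)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def utf16le_strings(data, min_len=MIN_LEN):
    """Runs of printable ASCII stored as UTF-16LE (char, NUL), like strings -el."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


# Generic patterns for things a build leaves behind unless someone scrubs them.
USER_PATH_RE = re.compile(r"[a-z]:\\(?:users|documents and settings)\\([^\\]+)\\", re.I)
PDB_RE = re.compile(r"[a-z]:\\.*?\.pdb\b", re.I)
VERSIONED_RE = re.compile(r"\b[a-z][\w-]*_\d+(?:\.\d+){1,3}\b", re.I)


def find_artifacts(data):
    """Return (kind, detail, full_string) for each suspicious embedded string.

    One string can yield several hits: a PDB path under a user profile is both
    a 'pdb_path' and a 'user_profile_path'.
    """
    hits = []
    for s in ascii_strings(data) + utf16le_strings(data):
        m = USER_PATH_RE.search(s)
        if m:
            hits.append(("user_profile_path", m.group(1), s))
        m = PDB_RE.search(s)
        if m:
            hits.append(("pdb_path", m.group(0).rsplit("\\", 1)[-1], s))
        m = VERSIONED_RE.search(s)
        if m:
            hits.append(("versioned_component", m.group(0), s))
    return hits


def usernames(data):
    """Just the account names from user-profile paths, deduplicated."""
    return sorted({d for k, d, _ in find_artifacts(data) if k == "user_profile_path"})


if __name__ == "__main__":
    for kind, detail, s in find_artifacts(SAMPLE_BINARY):
        print(f"{kind:20s} {detail:25s} <- {s}")
```

On the sample buffer the scan recovers the account name rmgree5, both PDB file names (one of them only visible because of the UTF-16LE pass) and the versioned token standalonegrok_2.1.1.1. On a real sample you would feed the whole file in and then hand the hits to a human, since a username or PDB path is a lead, not proof of authorship.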

“There are only two possible explanations: either no one told me, or no one knows.” – Neo, Matrix Reloaded

Despite the errors that may have led to Equation Group’s discovery, the fact that the group managed to go undetected for at least 14 years is an achievement without precedent. Costin Raiu, director of Kaspersky Lab’s global research and analysis team, told Ars that about 90 percent of the command and control servers were shut down in 2014, leading one to wonder whether, like the Natanz-targeted payload of Stuxnet, Equation Group’s malware has already achieved its intended purpose. Because so much of the platform remains encrypted, researchers can only speculate and keep trying to crack the code, an effort that has met with some success since the group’s exposure.

Even without the details behind Equation Group, its discovery alone is thrilling and terrifying.

“Their incredible skills and high tech abilities, such as infecting hard drive firmware on a dozen different brands, are unique across all the actors we have seen and second to none,” Raiu said. “As we discover more and more advanced threat actors, we understand just how little we know. It also makes us reflect about how many other things remain hidden or unknown.”

The revelation also brings into question what role cybersecurity and cyberwarfare will have in geopolitics in years to come. Following revelations about the Stuxnet virus and Regin, it is evident that the United States has taken an offensive stance when it comes to cyberwarfare, willing to punch preemptively, if covertly, to detect and neutralize threats before they manifest themselves.

An offensive stance may not be unreasonable when it comes to cyberwarfare. While America has its Second Amendment-guaranteed arsenal of guns, the Internet has its de facto-guaranteed arsenal of viruses and malware. Guns can be used defensively, to target specific threats that enter your domain; viruses, on the other hand, are purely offensive weapons, designed to infect and spread without regard to domain or direction.

In that sense, viruses act much like biological weapons, their namesake, or perhaps like bombs. Wired even ran an article likening Equation Group to the cyber-equivalent of the Manhattan Project that developed the first atomic bomb. Like the Manhattan Project, Equation Group is purely offensive, an attack system designed to strike first before someone strikes us. Unlike the Manhattan Project, Equation Group was not created in response to, and deployed to end, the threat of a specific nation state waging war on the United States.

Equation Group malware has unprecedented targeting capabilities, executing its attacks only against specific, identified victims. But a target check can only run on a machine the malware has already reached, so a self-spreading stage has to infect a multitude of machines and test each one in the hope of reaching the intended victim. It would be much the same as engineering a deadly retrovirus designed to kill only Adolf Hitler, then releasing it to infect every person in Europe. Perhaps the collateral damage would be much better than killing an estimated 135,000 Japanese civilians through incineration and radiation poisoning. Then again, since the United States has not formally declared war since World War II and military engagement has not been authorized by Congress since the Iraq war, one might question why cyber-offensive capabilities are being used at all, especially when the Pentagon has said that a cyberattack on the U.S. can constitute an “act of war.”

Continue on to Part IV.

Or, in case you missed them: Part I and Part II of this series.
