For several years, Kaspersky Lab's Global Research and Analysis Team has closely tracked more than 60 advanced threat actors responsible for digital attacks around the world.
The company's experts have seen almost everything: attacks have become increasingly complex, as even states have become involved in these activities and have tried to "equip" themselves with the most advanced tools.
Only now, however, have Kaspersky Lab's experts been able to confirm the discovery of a threat actor that surpasses anything known in the complexity and sophistication of its techniques. In fact, this group has been active for almost two decades. This is the Equation Group.
According to Kaspersky Lab researchers, this group is unique in almost every aspect of its activities. It uses highly sophisticated and costly tools to infect victims, retrieve data and hide its activity in an extremely professional manner, and it uses classic espionage techniques to deliver malicious payloads to its victims.
In order to "infect" its victims, the group uses a powerful "arsenal" of "implants" (Trojans), including the following (based on the names assigned by Kaspersky Lab): EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. Without doubt, there are other active "implants" besides those listed here.
What makes the Equation Group unique?
Absolute perseverance and concealment
Kaspersky Lab's Global Research and Analysis Team has been able to recover two modules that can reprogram the firmware of hard drives from more than 12 popular manufacturers. This is probably the most powerful tool in the Equation Group's arsenal and the first known malware capable of "infecting" hard drives.
"A particular risk is that once the hard drive is "infected" with this malicious payload, it is impossible to scan the firmware. To put it simply: on most hard drives there are functions for writing to the firmware area, but there are no functions to read it back. This means that we are almost blind and unable to locate hard drives that are "infected" by this malicious software," warns Costin Raiu, Director of Kaspersky Lab's Global Research and Analysis Team.
Ability to retrieve data from isolated networks
The "Fanny" worm stands out among all the attacks carried out by the Equation Group. Its main purpose was to map air-gapped networks: in other words, to learn the topology of networks that are not reachable from the outside and to execute commands on these isolated systems. For this purpose, a unique USB-based command-and-control mechanism was used that allowed the attackers to transfer data to and from "air-gapped" networks.
In particular, a USB stick with a hidden storage area was used to collect basic system information from a computer not connected to the Internet, and to send it to the C&C mechanism when the USB stick was later plugged into a computer that was infected by the "Fanny" worm and connected to the Internet. If the attackers wanted to execute commands on the "air-gapped" network, they could store the commands in the stick's hidden area. Once the USB stick was connected to the "air-gapped" computer, "Fanny" recognized the commands and executed them.
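A defender-side check suggested by the courier pattern just described, as an added example that is not from the article or from Kaspersky Lab: it flags removable devices that are mounted on both an air-gapped host and an Internet-connected host within a short window. The host names, the zone inventory and the log format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Host inventory: which machines are air-gapped and which have Internet access.
# Constructed for this example; a real deployment would pull this from asset data.
HOST_ZONE = {
    "lab-ag-01": "airgap",
    "lab-ag-02": "airgap",
    "office-pc-07": "internet",
    "office-pc-12": "internet",
}

# Constructed removable-media mount events: timestamp, host, device serial.
SAMPLE_LOG = """\
2015-02-16T08:02:11 host=office-pc-07 event=usb_mount serial=SN-AAA111
2015-02-16T08:40:52 host=lab-ag-01 event=usb_mount serial=SN-AAA111
2015-02-16T09:15:03 host=lab-ag-02 event=usb_mount serial=SN-BBB222
2015-02-16T13:22:47 host=office-pc-12 event=usb_mount serial=SN-AAA111
2015-02-20T10:05:30 host=office-pc-12 event=usb_mount serial=SN-CCC333
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=usb_mount serial=(\S+)$")


def parse_events(log_text):
    """Yield (timestamp, host, serial) from the log, skipping lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_bridging_devices(log_text, window_days=7):
    """Return {serial: [hosts]} for devices seen on both an air-gapped host and an
    Internet-connected host within window_days: the physical courier pattern a
    USB-based dead drop such as Fanny's depends on."""
    window = timedelta(days=window_days)
    by_serial = defaultdict(list)
    for ts, host, serial in parse_events(log_text):
        by_serial[serial].append((ts, host))
    findings = {}
    for serial, seen in by_serial.items():
        seen.sort()  # chronological order so the window check can stop early
        hosts = []
        for i, (ts_a, host_a) in enumerate(seen):
            for ts_b, host_b in seen[i + 1:]:
                if ts_b - ts_a > window:
                    break
                zones = {HOST_ZONE.get(host_a, "unknown"), HOST_ZONE.get(host_b, "unknown")}
                if zones == {"airgap", "internet"}:
                    hosts.extend(h for h in (host_a, host_b) if h not in hosts)
        if hosts:
            findings[serial] = hosts
    return findings
```

Serial numbers come from the device descriptor, so the check also catches a stick that was re-formatted between visits; a device with no stable serial should be treated as its own finding.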
Classic espionage methods for transferring malicious software
The attackers used a variety of methods to "infect" their targets, not only over the Internet but also in the physical world. To this end, they used an interdiction technique: intercepting physical items in transit and replacing them with Trojanized versions. One such example involved targeting participants of a scientific conference in Houston. On returning home, some of the participants received a copy of the conference materials on CD-ROM, which was then used to install the "DoubleFantasy" Trojan on the target machine. The exact method by which the CDs were delivered is unknown.
Familiar friends: Stuxnet and Flame
There are strong indications that the Equation Group has interacted with other powerful groups, such as those behind Stuxnet and Flame. In general, this group appears to be superior to the other players: the Equation Group had access to zero-day exploits before they were used by Stuxnet and Flame. To some extent, it shared exploits with others.
For example, in 2008 "Fanny" used two zero-day exploits that were later introduced into Stuxnet in June 2009 and March 2010. One of Stuxnet's zero-days was in fact a Flame module exploiting the same vulnerability, which was taken directly from the Flame platform and integrated into Stuxnet.
Strong and geographically distributed infrastructure
The Equation Group uses a vast C&C infrastructure that includes more than 300 domains and over 100 servers. The servers are hosted in many countries, including the USA, the United Kingdom, Italy, Germany, the Netherlands, Panama, Costa Rica, Malaysia, Colombia and the Czech Republic. Kaspersky Lab currently sinkholes more than 20 of the 300 C&C servers.
Thousands of high profile victims worldwide
Since 2001, the Equation Group has "infected" thousands, or even tens of thousands, of victims in more than 30 countries. The victims belong to the following sectors: government and diplomatic organizations, telecommunications, aerospace, energy, nuclear research, oil and gas, military organizations and nanotechnology. The group has also targeted Islamic activists, scientists, mass media, transport companies, financial institutions and companies developing encryption technologies.
Kaspersky Lab identified seven exploits used by the Equation Group in its malware. At least four of these were used as zero-days. In addition, the researchers observed the use of unknown, probably zero-day, exploits against Firefox 17, the version used in the Tor Browser.
At the "infection" stage, the group is capable of chaining up to ten exploits. However, Kaspersky Lab's experts noted that no more than three are used: if the first fails, a second is tried, and then a third. If all three exploits fail, the system is not "infected".
Kaspersky Lab products detected a number of attacks on users. Many of these attacks were unsuccessful thanks to Automatic Exploit Prevention, which detects and blocks the exploitation of unknown vulnerabilities. The "Fanny" worm was probably created in July 2008, and it was first detected and blacklisted by Kaspersky Lab's automated systems in December 2008.