Equation Group: The creator of digital espionage

For several years, Kaspersky Lab's Global Research and Analysis Team has closely monitored more than 60 advanced threat actors responsible for digital attacks worldwide.

The company's experts have seen almost everything: attacks have become increasingly complex as even states have become involved in these activities and have tried to "equip" themselves with the most advanced tools.

However, only now have Kaspersky Lab's experts been able to confirm that they have discovered a threat actor that surpasses anything previously known in the complexity and sophistication of its techniques. In fact, this group has been active for almost two decades. This is the Equation Group.

According to Kaspersky Lab researchers, this group is unique in almost every aspect of its activities. It uses highly sophisticated and costly tools to infect victims, retrieve data and hide its activity in an extremely professional manner, and it uses classic spying techniques to deliver malicious payloads to its victims.

To "infect" its victims, the group uses a powerful "arsenal" of "implants" (Trojans), including the following (based on the names assigned by Kaspersky Lab): Equation Laser, Equation Drug, Double Fantasy, Triple Fantasy, Fanny and Gray Fish. Without doubt, there are other active "implants" beyond those listed.


What makes the Equation Group unique?

Absolute persistence and concealment

Kaspersky Lab's Global Research and Analysis Team has been able to recover two modules that allow the reprogramming of the firmware of hard drives from more than 12 popular manufacturers. This is probably the most powerful tool in the Equation Group's arsenal and the first known malware capable of "infecting" hard drives.


"A particular risk is that once the hard drive is 'infected' with this malicious payload, it is impossible to scan the firmware. To put it simply: on most hard drives there are functions for writing to the firmware area, but there are no functions to read it back. This means that we are almost blind and unable to locate hard drives that are 'infected' by this malicious software," warns Costin Raiu, Director of Kaspersky Lab's Global Research and Analysis Team.

Ability to retrieve data from isolated networks

The "Fanny" worm stands out among all the attacks carried out by the Equation Group. Its main purpose was to map air-gapped networks: in other words, to understand the topology of networks that cannot be reached directly and to execute commands on these isolated systems. For this purpose, a unique USB-based command and control mechanism was used that allowed the attackers to transfer data to and from air-gapped networks.

In particular, an infected USB stick with a hidden storage area was used to collect basic system information from a computer not connected to the Internet, and to send it to the C&C mechanism when the USB stick was later connected to a computer that was infected by the "Fanny" worm and connected to the Internet. If the attackers wanted to execute commands on the air-gapped network, they could store the commands in the USB stick's hidden area. Once the USB stick was connected to the air-gapped computer, "Fanny" recognized the commands and executed them.

Classic espionage methods for delivering malicious software

The attackers used universal methods to "infect" their targets, not only via the Internet but also in the physical world. For this they used an interdiction technique, intercepting physical goods and replacing them with Trojanized versions. One such example involved targeting participants of a scientific conference in Houston. On returning home, some of the participants received a copy of the conference materials on CD-ROM, which was then used to install the "Double Fantasy" Trojan on the target device. The exact method by which the CDs were made available is unknown.

Familiar friends: Stuxnet and Flame

There are strong indications that the Equation Group has interacted with other powerful groups, such as the operators of Stuxnet and Flame. In general, this group appears to have held a position of superiority over the other actors: the Equation Group had access to zero-day exploits before they were used by Stuxnet and Flame, and at some point it shared them with others.

For example, in 2008 "Fanny" used two zero-day exploits that were later introduced in Stuxnet in June 2009 and March 2010. One of Stuxnet's zero-days was in fact a Flame module exploiting the same vulnerability, which was taken directly from the Flame platform and integrated into Stuxnet.

Strong and geographically distributed infrastructure

The Equation Group uses a huge C&C infrastructure that includes more than 300 domains and over 100 servers. The servers are hosted in many countries, including the USA, the United Kingdom, Italy, Germany, the Netherlands, Panama, Costa Rica, Malaysia, Colombia and the Czech Republic. Kaspersky Lab currently sinkholes over 20 of the 300 C&C servers.

Thousands of high profile victims worldwide

Since 2001, the Equation Group has "infected" thousands, or perhaps even tens of thousands, of victims in more than 30 countries. The victims belong to the following sectors: government and diplomatic organizations, telecommunications, aerospace, energy, nuclear research, oil and gas, military organizations and nano. It has also targeted Islamic activists and scholars, mass media, transportation companies, financial institutions and companies developing encryption technologies.

Detection

Kaspersky Lab observed seven exploits used in the Equation Group's malware. At least four of these were used as zero-days. In addition, the use of unknown exploits, probably zero-days, was seen targeting Firefox 17, the version used in the Tor Browser.

At the "infection" stage, the group has the ability to chain up to ten exploits. However, Kaspersky Lab's experts noted that no more than three are used in practice: if the first fails, they try a second, and then a third. If all three exploits fail, they do not "infect" the system.

Kaspersky Lab products detected a number of attacks on their users. Many of these attacks were unsuccessful thanks to Automatic Exploit Prevention technology, which detects and blocks the exploitation of unknown vulnerabilities. The "Fanny" worm was probably created in July 2008, and it was first detected and blacklisted by Kaspersky Lab's automated systems in December 2008.


Written by Dimitris
