Equation Group: The creator of digital espionage

For several years, Kaspersky Lab's Global Research and Analysis Team (GReAT) has closely tracked more than 60 advanced threat actors responsible for cyber attacks around the world.

The company's experts have seen almost everything: attacks have become increasingly sophisticated as nation states have entered the field and tried to equip themselves with the most advanced tools available.

Only now, however, have Kaspersky Lab's experts been able to confirm the discovery of a threat actor that surpasses anything previously known in the complexity and sophistication of its techniques, and one that has been active for almost two decades. This is the Equation Group.

According to Kaspersky Lab, this group is unique in almost every aspect of its activities. It uses tools that are highly complex and expensive to develop in order to infect victims, retrieve data and hide its activity in an outstandingly professional way, and it leverages classic espionage techniques to deliver malicious payloads to its victims.

To infect its victims, the group uses a powerful arsenal of implants (Trojans), including the following (names assigned by Kaspersky Lab): EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. There are no doubt other active implants besides those listed here.


What makes the Equation Group unique?

Absolute persistence and stealth

Kaspersky Lab's Global Research and Analysis Team has recovered two modules that can reprogram the firmware of hard drives from more than a dozen popular manufacturers. This is probably the most powerful tool in the Equation Group's arsenal and the first known malware capable of infecting hard drive firmware.


"A particular risk is that once the hard drive is infected with this malicious payload, it is impossible to scan the firmware. To put it simply: on most hard drives there are functions to write to the firmware area, but there are no functions to read it back. This means that we are practically blind and unable to detect hard drives that have been infected by this malware," warns Costin Raiu, Director of Kaspersky Lab's Global Research and Analysis Team.

Ability to retrieve data from isolated networks

The Fanny worm stands out among all the attacks attributed to the Equation Group. Its main purpose was to map air-gapped networks: in other words, to learn the topology of networks that cannot be reached from the Internet and to execute commands on those isolated systems. For this it used a unique USB-based command-and-control mechanism that allowed the attackers to move data into and out of air-gapped networks.

Specifically, an infected USB stick with a hidden storage area was used to collect basic system information from a computer not connected to the Internet, and to send it to the C&C when the stick was later plugged into a computer that was both infected by Fanny and connected to the Internet. If the attackers wanted to run commands inside the air-gapped network, they could save those commands in the stick's hidden storage area. Once the stick was plugged into an air-gapped computer, Fanny recognised the commands and executed them.
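The dead drop described above works only because the USB stick carries data outside what its file system shows. As an added example (not code from the Kaspersky report or from Fanny itself, whose real hidden-storage layout is not described on this page), the following Python script implements a generic triage check over a raw image of a USB device: it parses the MBR partition table and reports every run of non-zero sectors that no partition covers, i.e. the gap before the first partition and the slack past the last one. The sample image, the blob contents and the offsets are constructed here for illustration.

```python
"""Triage check for data hidden outside the partitions of a USB image.

Added example, not code from the Kaspersky report or from Fanny: the worm's
real hidden-storage layout is not described on this page, so this is a
generic check. It parses the MBR partition table of a raw device image and
reports runs of non-zero sectors that no partition covers, i.e. the gap
before the first partition and the slack past the last one, the places where
a dead-drop channel can keep data that the file system never shows.
"""
import struct

SECTOR = 512                 # assumed logical sector size of the device
MBR_TABLE_OFFSET = 446       # start of the four 16-byte partition entries
MBR_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR


def parse_mbr_partitions(image: bytes):
    """Return [(start_lba, sector_count), ...] for each used MBR entry."""
    if len(image) < SECTOR or image[510:512] != MBR_SIGNATURE:
        raise ValueError("no valid MBR signature")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + i * MBR_ENTRY_SIZE
        entry = image[off:off + MBR_ENTRY_SIZE]
        ptype = entry[4]                       # partition type byte
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((start_lba, count))
    return parts


def visible_end(image: bytes) -> int:
    """Byte offset just past the last partition: the end of 'visible' storage."""
    parts = parse_mbr_partitions(image)
    return max(((s + c) * SECTOR for s, c in parts), default=SECTOR)


def find_hidden_regions(image: bytes):
    """Return [(offset, length), ...] of contiguous non-zero sectors that lie
    outside every partition (the MBR sector itself is skipped)."""
    parts = parse_mbr_partitions(image)

    def allocated(lba: int) -> bool:
        return any(s <= lba < s + c for s, c in parts)

    regions = []
    for off in range(SECTOR, len(image), SECTOR):
        chunk = image[off:off + SECTOR]
        if allocated(off // SECTOR) or not any(chunk):
            continue
        if regions and regions[-1][0] + regions[-1][1] == off:
            # extend the run that ends exactly where this sector starts
            regions[-1] = (regions[-1][0], regions[-1][1] + len(chunk))
        else:
            regions.append((off, len(chunk)))
    return regions


def build_sample_image() -> bytes:
    """Constructed 1 MiB image: one FAT32-LBA partition at LBA 63 spanning
    1024 sectors, plus three planted blobs in unallocated space. The blobs
    are sample data, not real Fanny artefacts."""
    img = bytearray(2048 * SECTOR)
    entry = bytes([0x00, 0, 0, 0, 0x0C, 0, 0, 0]) + struct.pack("<II", 63, 1024)
    img[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + MBR_ENTRY_SIZE] = entry
    img[510:512] = MBR_SIGNATURE
    # Legitimate data inside the partition: must not be reported.
    img[63 * SECTOR:63 * SECTOR + 16] = b"VISIBLE-FS-DATA!"
    # Planted blobs outside any partition: one in the pre-partition gap,
    # two in the slack past the partition's end (LBA 1087).
    img[10 * SECTOR:10 * SECTOR + 100] = b"\x3c" * 100
    img[1500 * SECTOR:1500 * SECTOR + 712] = b"hidden-drop:" + b"\xa5" * 700
    img[2000 * SECTOR:2000 * SECTOR + 300] = b"\x5a" * 300
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print(f"device size {len(image)} bytes, visible end {visible_end(image)}")
    for off, length in find_hidden_regions(image):
        print(f"unallocated data at LBA {off // SECTOR} "
              f"(offset {off}, {length} bytes): {image[off:off + 16]!r}")
```

Against a real stick, feed the script the bytes of a raw `dd` image of the whole device rather than of a partition. The check sees only space outside the partition table; data parked in unallocated clusters inside a partition, or in a file marked hidden, needs a file-system-level carve instead, and a GPT-partitioned device would need its table parsed in place of the MBR.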

Classic espionage methods for delivering malware

The attackers used universal methods to infect their targets, not only via the Internet but also in the physical world. For this they used an interdiction technique: intercepting physical goods in transit and replacing them with Trojanized versions. One such case targeted participants of a scientific conference in Houston. On returning home, some participants received a copy of the conference materials on CD-ROM, which was then used to install the DoubleFantasy Trojan on the target machine. How exactly the CDs reached the participants is not known.

Familiar friends: Stuxnet and Flame

There are strong indications that the Equation Group interacted with other powerful groups, such as those behind Stuxnet and Flame, and in general it appears to be a step ahead of them. The Equation Group had access to zero-day exploits before they were used by Stuxnet and Flame, and at some point it shared exploits with others.

For example, in 2008 Fanny used two zero-day exploits that were later introduced into Stuxnet, in June 2009 and March 2010. One of those Stuxnet zero-days was actually a Flame module exploiting the same vulnerability, taken directly from the Flame platform and built into Stuxnet.

Strong and geographically distributed infrastructure

The Equation Group uses a vast C&C infrastructure of more than 300 domains and over 100 servers, hosted in many countries including the USA, the United Kingdom, Italy, Germany, the Netherlands, Panama, Costa Rica, Malaysia, Colombia and the Czech Republic. Kaspersky Lab is currently sinkholing more than 20 of the 300 C&C servers.

Thousands of high profile victims worldwide

Since 2001 the Equation Group has infected thousands, perhaps tens of thousands, of victims in more than 30 countries, in sectors including government and diplomatic organisations, telecommunications, aerospace, energy, nuclear research, oil and gas, military organisations and nanotechnology. It has also targeted Islamic activists, scientists, mass media, transport companies, financial institutions and technology companies.

Exploits and detection

Kaspersky Lab identified seven exploits used by the Equation Group in its malware. At least four of these were used as zero-days. In addition, the use of unknown exploits, probably zero-days, was observed against Firefox 17, as used in the Tor Browser.

At the infection stage the group can chain up to ten exploits. However, Kaspersky Lab's experts noted that no more than three are actually used: if the first fails, a second is tried, and then a third. If all three exploits fail, the system is not infected.

Kaspersky Lab detected a number of attack attempts against its users. Many of these attacks failed thanks to its Automatic Exploit Prevention technology, which detects and blocks the exploitation of unknown vulnerabilities. The Fanny worm was probably created in July 2008 and was first detected and blacklisted by Kaspersky Lab's automated systems in December 2008.

iGuRu.gr - The Best Technology Site in Greece


Written by Dimitris
