Equation cyberspies use unrivaled, NSA-style techniques to hit Iran, Russia

The group's attack on hard-drive firmware is one of the most advanced ever discovered, Kaspersky Lab said

A group of cyberspies called Equation that uses similar techniques as the NSA has struck at least 30 countries using never-before-seen malware that infects hard disk drives.

A group of cyberspies called Equation that uses similar techniques as the NSA has struck at least 30 countries using never-before-seen malware that infects hard disk drives.

A cyberespionage group with a toolset similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries including Iran and Russia.

Kaspersky Lab released a report Monday that said the tools were created by the "Equation" group, which it stopped short of linking to the U.S. National Security Agency.

The tools, exploits and malware used by the group -- named after its penchant for encryption -- have strong similarities with NSA techniques described in top-secret documents leaked in 2013.

Countries hit the most by Equation include Iran, Russia, Pakistan, Afghanistan, India and China. Targets in those countries included the military, telecommunications, embassies, government, research institutions and Islamic scholars, Kaspersky said.

Kaspersky's most striking finding is Equation's ability to infect the firmware of a hard drive, or the low-level code that acts as an interface between hardware and software.

The malware reprograms the hard drive's firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS doesn't affect it, and the hidden storage sector remains.

"Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability," said Costin Raiu, director of Kaspersky Lab's global research and analysis team, in a phone interview Monday.

Drives made by Seagate Technology, Western Digital Technologies, Hitachi, Samsung Electronics and Toshiba can be modified by two of Equation's hard disk drive malware platforms, "Equationdrug" and "Grayfish."

The report said Equation has knowledge of the drives that goes way beyond public documentation released by vendors.

Equation knows sets of unique ATA commands used by hard drive vendors to format their products. Most ATA commands are public, as they comprise a standard that ensures a hard drive is compatible with just about any kind of computer.

But there are undocumented ATA commands used by vendors for functions such as internal storage and error correction, Raiu said. "In essence, they are a closed operating system," he said.

Obtaining such specific ATA codes would likely require access to that documentation, which could cost a lot of money, Raiu said.

The ability to reprogram the firmware of just one kind of drive would be "incredibly complex," Raiu. Being able to do that for many kinds of drives from many brands is "close to impossible," he said.

"To be honest, I don't think there's any other group in the world that has this capability," Raiu said.

It appears Equation has been far, far ahead of the security industry. It's almost impossible to detect this kind of tampering, Raiu said. Reflashing the drive, or replacing its firmware, is also not foolproof, since some types of modules in some types of firmware are persistent and can't be reformatted, he said.

Given the high value of this exploitation technique, Equation very selectively deployed it.

"During our research, we've only identified a few victims who were targeted by this," Kaspersky's report said. "This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances."

Another of Kaspersky's intriguing findings is Fanny, a computer worm created in 2008 that was used against targets in the Middle East and Asia.

To infect computers, Fanny used two zero-day exploits -- the term for a software attack that uses an unknown software vulnerability -- that were also coded into Stuxnet, Kaspersky said. Stuxnet, also a Windows worm, was used to sabotage Iran's uranium enrichment operations. It is thought to be a joint project between the U.S. and Israel.

It's unlikely the use of the same zero-days was a coincidence. Kaspersky wrote that the similar use of the vulnerabilities means that the Equation group and the Stuxnet developers are "either the same or working closely together."

"They are definitely connected," Raiu said.

Both Stuxnet and Fanny were designed to penetrate "air-gapped" networks, or those isolated from the Internet, Kaspersky said.

The Equation group also used "interdiction" techniques similar to those used by the NSA in order to deliver malicious software to targets.

Kaspersky described how some participants of a scientific conference held in Houston later received a CD-ROM of materials. The CD contained two zero-day exploits and a rarely-seen malware doorstop nicknamed "Doublefantasy."

It is unknown how the CDs were tampered with or replaced. "We do not believe the conference organizers did this on purpose," Kaspersky said. But such a combination of exploits and malware "don't end up on a CD by accident," it said.

The NSA's Office of Tailored Access Operations (TAO) specializes in intercepting deliveries of new computer equipment, one of the most successful methods of tapping into computers, wrote Der Spiegel in December 2013, citing a top secret document.

The German publication was one of several that had access to tens of thousands of spy agency documents leaked by former NSA contractor Edward Snowden.

Kaspersky uncovered the trail of the Equation group after investigating a computer belonging to a research institute in the Middle East that appeared to be the Typhoid Mary for advanced malware.

Raiu said the machine had French, Russian and Spanish APT (advanced persistent threat) samples on it among others, showing it had been targeted by many groups. It also had a strange malicious driver, Raiu said, which upon investigation lead to the extensive command-and-control infrastructure used by Equation.

Kaspersky analysts found more than 300 domains connected with Equation, with the oldest one registered in 1996. Some of the domain name registrations were due to expire, so Kaspersky registered around 20 of them, Raiu said.

Most of the domain names aren't used by Equation anymore, he said. But three are still active. The activity, however, doesn't lend much of a clue as to what Equation is up to these days, as the group changed its tactics in late 2013.

"Those three [domains] are very interesting," Raiu said. "We just don't know what malware is being used."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionsecurityencryptionExploits / vulnerabilitiesmalwarekaspersky lab

More about APTKasperskyNational Security AgencyNSASamsungSeagateSeagate TechnologySpiegelTechnologyToshibaWestern Digital

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place