Code name found in Equation group malware suggests link to NSA

The name matches an NSA project listed in a secret document leaked by Edward Snowden

As security researchers continue to analyze malware used by a sophisticated espionage group dubbed the Equation, more clues surface that point to the U.S. National Security Agency being behind it.

In February, Russian antivirus firm Kaspersky Lab released an extensive report about a group that has carried out cyberespionage operations since at least 2001 and possibly even as far back as 1996. The report detailed the group's attack techniques and malware tools.

The Kaspersky researchers have dubbed the group Equation and said that its capabilities are unrivaled. However, they didn't link the group to the NSA or any other intelligence agency, despite similarities between its tools and those described in secret NSA documents leaked by Edward Snowden.

Kaspersky found code names like SKYHOOKCHOW, DRINKPARSLEY, LUTEUSOBSTOS, STRAITACID, STRAITSHOOTER in the malware used by the Equation group. While these were not a direct match to NSA code names known so far, they bear a striking resemblance to some of them.

A secret document leaked by Snowden and published by German news magazine Der Spiegel contains a list of project names from NSA's Tailored Access Operations (TAO) division. The list includes names like SKYJACKBRAD, DRINKMINT and LUTEUSASTRO. According to a different document, the NSA has a malware implant called STRAITBIZZARE and refers to computers infected with it as QUANTUM shooters. It also has a program called FOXACID.

The Kaspersky researchers found an Equation malware component called "standalonegrok." According to a December report in The Intercept, the NSA has a keylogger named GROK.

However, the most direct link came Wednesday, when Kaspersky Lab published a technical analysis of the main malware framework used by the Equation group. In the report, the company's researchers revealed another code name recently found in the malware: BACKSNARF_AB25. The BACKSNARF code name is listed in the previously mentioned document about NSA TAO projects.

The malware platform, which was dubbed EquationDrug, has a modular architecture and resembles a mini operating system, the Kaspersky researchers said. So far 30 of its plug-ins have been found, but the platform might have more than 115 modules, each implementing different functionality.

Statistics based on compilation time stamps found in the EquationDrug samples collected so far suggest that its developers are working almost exclusively from Monday to Friday and are likely located in the UTC-3 or UTC-4 time zones, if we assume that they start work at 8 or 9 am. Time stamps in malware samples are not always reliable, because developers can alter them, but in the case of EquationDrug, the Kaspersky researchers believe they look "very realistic."

Join the CSO newsletter!

Error: Please check your email address.

Tags National Security Agencysecurityspywaremalwarekaspersky lab

More about KasperskyNational Security AgencyNSASpiegel

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts