EQUATION GROUP

Allegedly tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA).

  • Their attacks go all the way back to 2001 (there are rumors that they might actually go all the way back to 1996).

  • The group was discovered by Kaspersky Lab in 2014.

  • The group’s name comes from their extensive use of encryption.

  • Their primary targets: Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

“one of the most sophisticated cyber attack groups in the world and the most advanced we have ever seen.”
— Kaspersky Lab

The level of sophistication of this group is quite unusual. The quality and complexity of their work suggest a highly trained & coordinated attack campaign development team with multiple layers of review and oversight. The code, process, and procedures are aligned with military precision, suggesting work that only the resources of a nation-state could adequately fund.

Some of their techniques:

  • T1480-Execution Guardrails

  • T1564-Hide Artifacts

  • T1120-Peripheral Device Discovery

  • T1542-Pre-OS Boot (Component Firmware)

The Equation Group’s victims fall into many different categories, including: Governments & Diplomatic Institutions, Telecommunications, Aerospace, Energy, Nuclear Research, Oil & Gas, Military, Transportation, Islamic Activists & Scholars, Financial Institutions, Cryptographic Technology Companies, and many more.

An example of the group’s sophistication is their ability to infect hard drive firmware. Equation Group’s malware toolset became public knowledge in 2016 when the group known as the Shadow Brokers leaked it.

Kaspersky refers to Equation Group as the “crown creator of cyber espionage”.

SOME OF THE TOOLS & MALWARE USED BY EQUATION GROUP:

EQUATIONDRUG- An extremely complex attack platform. It supports a modular plugin system, in which modules can be dynamically loaded & unloaded by the attackers. (This is also known as EQUESTRE.)

DOUBLEFANTASY- A validator-style Trojan, created to confirm the target. Once the target is confirmed, it is upgraded to a more sophisticated platform such as EQUATIONDRUG or GRAYFISH.

GRAYFISH- This is the most sophisticated attack platform from the Equation Group. It resides completely in the registry, relying on a bootkit to gain execution at OS startup.

TRIPLEFANTASY- Full-featured backdoor sometimes used with GRAYFISH. Appears to be an upgrade to DOUBLEFANTASY.

FANNY- Worm created in 2008 that was used to gather information about targets in the Middle East & Asia. FANNY used exploits for two zero-day vulnerabilities that were later discovered in STUXNET.

EQUATIONLASER- An early implant from the group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DOUBLEFANTASY and EQUATIONDRUG.

All the C&C domains the Equation Group appears to use have been registered through the same two major registrars, using “Domains by Proxy” to mask the registrant’s information. Their C&C infrastructure includes over 300 domains and more than 100 servers. The servers are hosted in several different countries, including the U.S., the UK, Italy, Germany, the Netherlands, Panama, Costa Rica, Malaysia, Colombia, and the Czech Republic.

7 exploits found by Kaspersky Lab that have been used by Equation Group (at least 4 of these were used as zero-days):

  • Windows kernel EoP exploit used in Stuxnet in 2009. Fixed with MS09-025. (CVE unknown)

  • CVE-2012-0159 (fixed with MS12-034)

  • CVE-2013-3894 (fixed with MS13-081)

  • CVE-2010-2568 (used by Stuxnet)

  • CVE-2013-3918

  • CVE-2012-1723

  • CVE-2012-4681

According to Kaspersky’s research in 2015: “The similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION GROUP and the Stuxnet developers are either the same or working closely together.” Click here to read my write-up on Stuxnet.