What You Need to Know About ‘Equation Group,’ the Scariest Cyber-Espionage Group Ever

A simple explanation of why this hacking operation is the godfather of the world's most pervasive spying programs

Kaspersky describes the Equation Group as "The Death Star of Malware Galaxy."  (Image: Kaspersky)
Kaspersky describes the Equation Group as “The Death Star of Malware Galaxy.” (Image: Kaspersky

In a report released on Monday, a spying program more pervasive and sophisticated than almost any other ever was uncovered by Kaspersky Labs, a Moscow-based cybersecurity firm that has helped dig up a variety of spying operations in the past. Kaspersky’s team calls the operation the “Equation Group” for the brilliant encryption techniques they’ve used to cloak their activities.

Sign Up For Our Daily Newsletter

By clicking submit, you agree to our <a rel="nofollow noreferer" href="http://observermedia.com/terms">terms of service</a> and acknowledge we may use your information to send you emails, product samples, and promotions on this website and other properties. You can opt out anytime.

See all of our newsletters

In the spirit of making sure everyone who reads this understands it, we’re going to go through the basics of what you need to know about the group being called the Death Star of the Malware Galaxy. We’ll start with the question of why we’ve never heard of the Equation Group before, even though the program is almost two decades old, and possibly run by the NSA.

How were they discovered?

While researching another program in March of last year, Kaspersky Labs got ahold of a computer in the Middle East that was considered a high value target. The computer had absorbed attacks from a vast myriad of high-level agents—a veritable beehive of viruses—so they held on to it for further study. They call this computer the “Magnet of Threats,” and it’s where the ran into the first few programs from the Equation Group.

“This computer was infected by every superpower in the world,” Costin Raiu, head of Kaspersky’s Global Research and Analysis Team, told the Observer. “France, Germany, Spain, Russia—and on top of all of these, there was something unknown. So we started looking into this particular malware.”

The 500+ hard drives found by Kaspersky to be compromised by the equasion group were found in 30 different countries. (Photo: Kaspersky)
Kaspersky found compromised hard drives in 30 different countries. (Photo: Kaspersky)

Kaspersky went on to collect over 500 hard drives that were infected with these programs—highly sophisticated viruses that burrowed deep into a system and then became untraceable by traditional means. They noticed that this collection of programs was using a custom coding library, and used it to link the various programs and bugs together into a group. Once they ran an algorithm to search for similarities, they kept finding more and more of them.

This is how they discovered that one party, the organization they now call the Equation Group, was responsible for these pervasive programs. Kaspersky still believes there are more undiscovered programs out there.

What do the Equation Group programs do?

Ultimately, the tools developed by the Equation Group are for surveillance and control of computers around the world. Equation Group programs allow for whoever is behind them to collect information, remotely execute commands and sometimes completely take control of a system.

Because they’ve been around for so long, the Equation Group has developed a whole suite of tools for infiltrating computers and networks. Some of these programs—which have been given names by Kaspersky—include:

  • Fanny: A computer worm that can infiltrate networks that aren’t even connected to the Internet.
  • Greyfish: The Group’s most contemporary malware implant and totally invisible to virus detection, Greyfish maneuvers itself to take control of your computer while it’s booting up and self-destructs if it doesn’t execute its take-over seamlessly.
  • DoubleFantasy: This one latches on to a computer and determines whether or not it’s an “interesting” target, then installs EquationDrug or Greyfish.
  • EquationDrug: A program that gives the Equation Group full takeover of the host computer. It’s fully upgradable, which is helpful, considering that EquationDrug is possibly as old as Windows 95.

Cyberthreats seem invisible and meaningless, unless you can see them with your own eyes. Here's the Google Earth of cyberwarfare.

Equation Group spyware also removes traces of itself once it’s deemed its host no longer important or interesting. Some of the programs have counters on them to keep track of how many times they’ve reproduced. One counter found by Kaspersky began in July, 2008 at 51,000 infections. In three months, it increased to 58,000 infections and then stopped counting. It was the most recent counter found.

The Equation Group uses classic espionage tactics like hand-delivering their payloads through USB sticks and hardware tampering—they’re not doing all of this from the safety of their homes and offices. But that’s not the only thing that makes the Equation Group impressive.

Why are these hackers more frightening than any others?

Kaspersky, Ars Technica and a number of analysts are calling the Equation Group one of most sophisticated hacking operations ever uncovered. There’s a few reason for this:

The first is just how deep their work penetrates a computer system. Kaspersky uncovered Equation Group malware that infiltrates a system’s firmware, or the software that loads before your OS even has a chance to boot up. It’s like if your body contracted a sickness, but the sickness reached so far back into your brain that it simply blinded you to every symptom.

The Equasion Group was able to get into the firmware of 12 different drive manufacturers, including Seagate, Western Digital and Samsung. (Image: Kaspersky)
The Equasion Group was able to get into the firmware of 12 different drive manufacturers, including Seagate, Western Digital and Samsung. (Image: Kaspersky)

The second is just how old the program is. The Equation Group has managed to remain undetected at least as early as 2001, and perhaps as long ago as 1996. They also had ability to penetrate air-gapped networks, or computers that aren’t connected to the Internet at large. The aforementioned virus “Fanny” is delivered via a USB stick to one of these networks, and then stick around spreading itself and giving commands before waiting on additional instructions from the Equation Group.

But the most striking thing about the Equation Group is their bottomless resources. Their command and control infrastructure includes over 300 domains across more than 100 servers in 10 separate countries. And, as previously mentioned, the Equation Group has been able to sneak their spyware onto hard drives during transit as they moved through the U.S. mail system, which leads to the question…

Who is the Equation Group?

Kaspersky declined to outright name the United States National Security Agency (NSA) as the governing body behind the Equation Group, but there are a number of factors that point to the NSA as the responsible party.

One is the resources and scope of their operation. The number of servers, the longevity of the programs and the domestic mail tampering make it difficult to identify a culprit who isn’t the United States government. And a cursory look at the above map shows that the high-penetration target states of Equation Group programs include targets of U.S. foreign interests like Pakistan, Russian, China, Iran and Syria—the United States is relatively low on the list, and the Equation Group servers were administered in ally countries.

But the most stark evidence for U.S. involvement is that the operatives of the Equation Group were obviously related to the development of other NSA programs like Stuxnet, a worm that was designed to attack industrial infrastructure, including a nuclear power plant in Iran. Edward Snowden eventually tied Stuxnet to the NSA.

The NSA hasn’t taken accountability for the program, but gave the Observer this statement last night:

We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details. On January 17, 2014, the President gave a detailed address about our signals intelligence activities, and he also issued Presidential Policy Directive 28 (PPD-28). As we have affirmed publicly many times, we continue to abide by the commitments made in the President’s speech and PPD-28. The U.S. Government calls on our intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats – including terrorist plots from al-Qaeda, ISIL, and others; the proliferation of weapons of mass destruction; foreign aggression against ourselves and our allies; and international criminal organizations.

Additionally, a Reuters reporter got confirmation from two former government sources that the kind of deep firmware hacking done by the Equation Group is within the NSA’s portfolio, though they couldn’t point to specific spy programs that relied on those methods.

It may be some time before anyone is able to determine who is behind the work of the Equation Group, but since Kaspersky released their report, various crackers and reporters are closing in on new details. One pair of engineers have deciphered an Equation Group hash, and going back through old forums, there are instances of early warnings of Equation Group activities that now make sense in light of the new revelations.

We expect there is much more to come. You can read the full report from Kaspersky here:

[protected-iframe id=”3139534e43d1ea1eddc302524a59ef7b-35584880-62410434″ info=”https://www.scribd.com/embeds/256163060/content?start_page=1&view_mode=scroll&show_recommendations=true” width=”100%” height=”600″ frameborder=”0″ scrolling=”no”]

What You Need to Know About ‘Equation Group,’ the Scariest Cyber-Espionage Group Ever