Is NSA 'World's most advanced threat actor' revealed by Kaspersky?

News by Tim Ring

Equation Group, the most advanced threat actor yet seen according to Kaspersky, may be the NSA.

There is strong speculation that the so-called Equation Group – which infected the hard drive firmware of Seagate, Maxtor, Toshiba and others, and hit political and commercial targets in over 30 countries in the last 15 to 20 years – is America's NSA.

Kaspersky has released an explosive new report that reveals the activities of “the most advanced threat actor ever seen”, the so-called Equation Group, which has hacked tens of thousands of political and commercial targets in more than 30 countries, including the UK, over the last 15 to 20 years.

Kaspersky stops short of revealing the group's true identity, but there is strong speculation that it is the NSA, America's main intelligence agency.

Kaspersky calls Equation “one of the most sophisticated cyber-attack groups in the world” and reveals: “One aspect of the group's attack technologies that exceeds anything we have ever seen before is the ability to infect hard drive firmware.”

Equation successfully planted its malware inside the firmware of every major disk manufacturer in the world, including Seagate, Maxtor, Western Digital, Samsung, Toshiba and others.

The group used several other attack tools, including full-featured backdoors, Trojans, computer worms and zero-day bugs, to attack victims in over 30 countries.

Its main targets were in Iran, Russia, Pakistan, Afghanistan, India, China, Syria and Mali, but Equation also hit victims in the UK, US, France, Germany, Belgium and Switzerland.

Kaspersky says they were mainly political and military targets, including governments, diplomatic institutions and Islamic activists and scholars, as well as commercial firms in areas like aerospace, energy, nuclear research, financial institutions and companies developing cryptographic technologies.

Damningly, Kaspersky also documents one case where Equation physically intercepted CD-ROMs that conference organisers had posted to attendees of an event in Houston, Texas, and replaced them with Trojanised versions infected with its so-called ‘DoubleFantasy' malware.

Kaspersky stops short of naming the NSA as the perpetrator, but points out Equation used zero-day bugs that were later exploited in the (believed to be NSA-led) Stuxnet attack on Iran's nuclear industry and others. It adds: “It is quite possible that the Equation group's malware was used to deliver the Stuxnet payload.”

SC asked cyber-experts if the evidence was strong enough to point to the US Government and the NSA.

Sean Sullivan, a security adviser with F-Secure which closely studies nation-state cyber-attacks, was convinced.

He told SC: “Through all the other past research, the other campaigns we've seen from other nation-states that we can attribute to Russia or China – they don't have the same level of sophistication.

“It's a process of elimination. There's only one nation on earth that has that kind of scale and that kind of expertise. It's America. I don't know if we can say definitively it's NSA, but it's the United States of America. It couldn't be anybody else.”

Sullivan pointed out that the Equation Group's activity “went into a higher gear” in 2001, the time of the 9/11 terrorist attacks on the US.

He added: “I think Kaspersky's being cautious about it because if they say ‘NSA', then people are going to cast doubt on their research and make it political.

“They are just being cautious as a company, which is unfortunate that they have to do, because I think the research does speak for itself. That's my explanation as to why they're being cagey about it. It's not that they have any doubts.”

But Professor Alan Woodward of Surrey University, a cyber-security adviser to Europol, said the evidence was not conclusive.

He told SC: “If what they are trying to imply is it's a government agency, and more particularly the NSA, if you took it into court I don't think it would pass the test of ‘beyond reasonable doubt'.

“I don't think it's definitive either way. The fact that different groups have found a vulnerability and they're exploiting it doesn't mean they are the same group. It's suggestive but will it stand up in a court of law?

“I think the report has got a lot of very good detail and technical information but some of the linkages are a little tenuous.”

A Reuters news report also quotes Kaspersky lead researcher Costin Raiu as saying Equation Group could only have infected disk drives by obtaining the manufacturers' source code – leading to speculation that the companies may have handed over their code to the NSA.

But Sean Sullivan pointed out that Equation could have obtained the source code by reverse engineering the drives, by simply stealing it, or via manufacturers being asked to show their source code to governments for ‘review'.

In its report, Kaspersky said all the malware it collected targeted Microsoft Windows devices, but other indicators suggest Equation could also infect Mac OS X computers and Apple iPhones.

Kaspersky also concludes Equation is different from the ‘Regin' nation-state attack group, which was exposed last November and whose use of decidedly English terms like LEGSPIN, WILLISCHECK and HOPSCOTCH pointed the finger of blame at GCHQ.

Kaspersky said: “The Equation group surpasses Regin in sophistication and resources.”

The Russian-origin cyber-firm first discovered Equation when it was investigating a computer in the Middle East that was infected with Regin and other advanced malware, but also found “another module which did not appear to be part of the Regin infection, nor any of the other APTs”.

Kaspersky named the group ‘Equation' because of its “love for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations”. Equation used a specific implementation of the RC5 encryption algorithm throughout its malware, with more recent modules using RC6, RC4 and AES.

Sullivan warned of one negative outcome from Kaspersky's report: “The problem with this kind of research is that nation-states who aren't at this level are going to say, ‘so that's how you do things the right way'. It gives them a blueprint, and that's not a good thing.”

Costin Raiu, director of the global research and analysis team at Kaspersky Lab, told SC via email: “We are not able to confirm the conclusions that journalists came up with. Kaspersky Lab experts worked on the technical analysis of the group's malware, and we don't have hard proof to attribute the Equation Group or speak of its origin.

“With threat actor groups as skilled as the Equation team, mistakes are rare, and making attribution is extremely difficult. However we do see a close connection between the Equation, Stuxnet and Flame groups.”
