Wednesday, February 18, 2015

Massive cyber-spying program 'the Equation Group' discovered




Hacker

An incredibly sophisticated cyber espionage operation, likely originating in the U.S., has been discovered by the security researchers at Russia's Kaspersky Lab.
Dubbed the Equation Group, this "threat actor" has been using spyware and malware tools to infect computers of governments, telecoms, military, nuclear research, energy and other companies in more than 30 countries. Kaspersky did not say who's behind Equation, but its findings, presented during a security conference in Cancun, Mexico on Monday, indicate the group's malware is closely tied to Stuxnet, a virus developed by the U.S. and Israel, used to infect Iran's nuclear plants (it ended up infecting Russia's plant as well).
The Equation's level of sophistication and the scale of its operation makes Stuxnet seem like child play, according to Kaspersky's report.
Equation has been active perhaps as early as 1996, but it boosted its operations in 2008, developing several incredibly powerful cyberweapons. Kaspersky named these tools Equationdrug, Doublefantasy, Triplefantasy, Grayfish, Fanny and Equationlaser. Together, this malware suite was able to infect Windows computers, USB sticks and even hard drive firmware, letting Equation steal data from targeted computers and stay undetected for years.
Perhaps the most interesting tools mentioned in the report are modules that are used together with the Equationdrug and Grayfish malware platforms, enabling Equation to reprogram the firmware of hard drives built by all major manufacturers, including Maxtor, Seagate, Western Digital and Samsung. 

Once a hard drive was infected, even formatting it and reinstalling an OS would not be sufficient to get rid of the malware.
Kaspersky observed victims of the Equation group in more than 30 countries, including Iran, Russia, Syria, Afghanistan, Hong Kong, Mexico, United States, France, Switzerland, United Kingdom and India. Interestingly, there are indications that Equation specifically avoided infecting computers in Jordan, Turkey and Egypt.
equation group

A global map of victims of the Equation group's cyberwarfare operations.
IMAGE: KASPERSKY LAB
All in all, Kaspersky counted more than 500 infections globally, many on important, server-type machines. However, infections have a self-destruct mechanism, meaning there may have been many more, which are now undetectable.
Kaspersky's report offers more details about Equation's actions, targets and the tools the group used. The most important takeaway is that there's an organization out there (and it's probably not alone) with immense knowledge and resources that can precisely and invisibly target and steal data from nearly any computer — even the best guarded, including those belonging to government or military.
Kaspersky's findings have been announced after the company publicized its discovery one of the largest banking cyber-heists ever, with hackers stealing as much as $1 billion from banks all over the world.
Update: While Kaspersky's report is pretty thorough when it comes to technical details, the clues about the origins of the Equation group are inconclusive. We reached to Kaspersky for comment, and this is the response we got:
"Kaspersky Lab experts worked on the technical analysis of the group's malware, and we don't have hard proof to attribute the Equation Group or speak of its origin. With threat actor groups as skilled as the Equation team, mistakes are rare, and making attribution is extremely difficult. However we do see a close connection between the Equation, Stuxnet and Flame groups."

Once a hard drive was infected, even formatting it and reinstalling an OS would not be sufficient to get rid of the malware.

No comments:

Post a Comment