A new report by the Moscow-based cybersecurity firm Kaspersky Lab revealed sophisticated cyber attacks by state-sponsored hackers, labelled the Equation Group. “The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen,” states the paper, presented at conference in Mexico this Monday.
Kaspersky Lab has a policy not to name the countries thought to be behind hacking attacks, but other reports alleged the Equation Group is connected to U.S. intelligence agencies. Reuters reports that two former National Security Agency (NSA) employees confirmed the validity of the analysis and said that operatives within the NSA “valued these spying programs as highly as Stuxnet.” The National Security Agency is the U.S. government’s lead agency in conducting sophisticated cyber espionage abroad. The report also states that, that “the Equation group and the Stuxnet developers are either the same or working closely together.” Various security experts have traced back the Stuxnet attacks to the U.S. and Israeli governments.
The report traces attacks from this “highly sophisticated threat actor” as far back as 2001, and possibly even 1996. A total of 30 countries have been and continue to be affected by these spying programs with the highest infection rates in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen, and Algeria. Targets in these countries include government institutions, nuclear research facilities, the military, and telecommunication companies.
“Combining statistics from KSN and our sinkhole, we counted more than 500 victims worldwide. A lot of infections have been observed on servers, often domain controllers, data warehouses, website hosting and other types of servers. At the same time, the infections have a self-destruct mechanism, so we can assume there were probably tens of thousands of infections around the world throughout the history of the Equation group’s operations,” the report notes.
What makes the attacks so sophisticated is the Equation Group’s ability to infect the hard drive firmware of a computer (a code that launches every time a computer is turned on), a skill-set that “exceeds anything we have ever seen before,” the Kaspersky researchers underline. According to the report, the Equation Group hackers were able to rewrite the hard-drive software of infected computers, which makes the normal attack recovery procedures (replacing the hard drive, reformatting the drive, wiping a computer’s operating system and reinstalling software) ineffective, since spyware manipulating firmware is impossible to detect or remove. The New York Times quotes a U.S. cybersecurity succinctly summarizing the only option available: “You have to replace the computer to recover from that attack.”
Infecting a computer’s firmware is also the most effective way of capturing a computer’s encryption passwords and other valuable information. A Kaspersky Lab analyst notes that this could not have been possible without access to proprietary hard drive source codes from tech companies, raising questions as to precisely how the allegedly state-sponsored hackers obtained that information. “This is an incredibly complicated thing that was achieved by these guys, and they didn’t do it for one kind of hard drive brand. It’s very dangerous and bad because once a hard drive gets infected with this malicious payload it’s impossible for anyone, especially an antivirus [provider], to scan inside that hard drive firmware,” the analyst elaborates.
Due to the sophisticated nature of these attacks it is very likely that the United States is behind the Equation Group. Indeed, a former intelligence operative confirmed to Reuters that the NSA is able to conceal such spyware in hard drives. An analysis by Dan Goodin at Ars Technica concludes that:
“The money and time required to develop the Equation Group malware, the technological breakthroughs the operation accomplished, and the interdictions performed against targets leave little doubt that the operation was sponsored by a nation-state with nearly unlimited resources to dedicate to the project. The countries that were and weren’t targeted, the ties to Stuxnet and Flame, and the Grok artifact found inside the Equation Group keylogger strongly support the theory the NSA or a related U.S. agency is the responsible party.”
He furthermore notes: “What is safe to say is that the unearthing of the Equation Group is a seminal finding in the fields of computer and national security, as important, or possibly more so, than the revelations about Stuxnet.” It remains to be seen how these revelations will impact the diplomatic relations of the United States with the countries affected by these sophisticated attacks.