Kaspersky Lab discovers the ancestor of Stuxnet, Flame
By Digital News Asia February 18, 2015
- Equation Group is the crown creator of cyber-espionage
- Group uses C&C infrastructure covering 300 domains, 100 servers
KASPERSKY Lab’s Global Research and Analysis Team (GReAT) has discovered a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades – the Equation Group.
According to Kaspersky Lab, the group is unique in almost every aspect of its activities. It uses tools that are very complicated and expensive to develop to infect victims, retrieve data and hide its activity in an outstandingly professional way, and it utilises classic spying techniques to deliver malicious payloads to victims.
To infect its victims, the group uses a powerful arsenal of “implants” (trojans) including the following that have been named by Kaspersky Lab: EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. Without a doubt there will be other “implants” in existence, said Kaspersky Lab in a statement.
What makes the Equation Group unique?
Ultimate persistence and invisibility
GReAT has been able to recover two modules which allow reprogramming of the hard drive firmware of more than a dozen popular hard disk drive (HDD) brands. This is perhaps the most powerful tool in the Equation Group’s arsenal and the first known malware capable of infecting hard drives.
By reprogramming the hard drive firmware (rewriting the hard drive’s operating system), the group achieves two purposes:
1. An extreme level of persistence that helps it survive disk formatting and OS reinstallation. If the malware gets into the firmware, it is able to “resurrect” itself forever. It may prevent the deletion of a certain disk sector or substitute it with a malicious one during system boot.
“Another dangerous thing is that once the hard drive gets infected with this malicious payload, it is impossible to scan its firmware. To put it simply, for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware,” warns Costin Raiu, director of GReAT.
2. The ability to create an invisible, persistent area hidden inside the hard drive. It is used to save exfiltrated information which can be later retrieved by the attackers. Also, in some cases it may help the group to crack the encryption.
“Taking into account the fact that its GrayFish implant is active from the very boot of the system, it has the ability to capture the encryption password and save it into this hidden area,” explains Raiu.
Ability to retrieve data from isolated networks
The Fanny worm stands out from all the attacks performed by the Equation Group. Its main purpose was to map air-gapped networks. In other words – to understand the topology of a network that cannot be reached, and to execute commands on those isolated systems. For this, it used a unique USB-based command and control (C&C) mechanism which allowed the attackers to pass data back and forth from air-gapped networks.
In particular, an infected USB stick with a hidden storage area was used to collect basic system information from a computer not connected to the Internet and to send it to the C&C server when the USB stick was plugged into a computer that was infected by Fanny and had an Internet connection.
If the attackers wanted to run commands on the air-gapped networks, they could save these commands in the hidden area of the USB stick. When the stick was plugged into the air-gapped computer, Fanny recognised the commands and executed them.
Classic spying methods to deliver malware
The attackers use universal methods to infect targets: not only through the Web, but also in the physical world. For that, they use an interdiction technique – intercepting physical goods and replacing them with “trojanised” versions.
One such example involved targeting participants at a scientific conference in Houston. Upon returning home, some of the participants received a copy of the conference materials on a CD-ROM which was then used to install the group’s DoubleFantasy implant into the target’s machine. The exact method by which these CDs were interdicted is unknown.
There are solid links indicating that the Equation Group has interacted with other powerful groups, such as the Stuxnet and Flame operators – generally from a position of superiority. The Equation Group had access to zero-days before they were used by Stuxnet and Flame, and at some point they shared exploits with others.
The Equation Group uses a vast C&C infrastructure that includes more than 300 domains and more than 100 servers. The servers are hosted in multiple countries, including the United States, Britain, Italy, Germany, the Netherlands, Panama, Costa Rica, Malaysia, Colombia and the Czech Republic. Kaspersky Lab is currently sinkholing a couple of dozen of the 300 C&C servers.
Since 2001, the Equation Group has been busy infecting thousands, or perhaps even tens of thousands of victims in more than 30 countries worldwide.
Kaspersky Lab observed seven exploits used by the Equation Group in its malware. At least four of these were used as zero-days. In addition to this, the use of unknown exploits was observed, possibly zero-day, against Firefox 17, as used in the Tor browser.
During the infection stage, the group has the ability to use 10 exploits in a chain. However, Kaspersky Lab's experts observed that no more than three are used. If the first one is not successful, they try another one, and then a third one. If all three exploits fail, they don't infect the system.
To learn more about the Equation Group, go to Securelist.com.