The Equation Group: a new degree of sophistication in APT attacks

The Equation Group, what do we know so far?

The topic of APTs and state sponsored espionage has been back in the news over the last few weeks. Based on the excellent and in-depth report by Kaspersky Labs, "Equation Group: Questions and answers", it seems that the level of sophistication involved in these types of attacks has increased in complexity and daring. What or who is the Equation Group?

The Equation Group (EG) is the name that has been given to the threat actors who have been operating for at least the last 15 years.


Why have they been called the Equation Group?

This is due to the group’s use of encryption algorithms and obfuscation techniques, in particular the RC5 encryption algorithm. That said, RC6 and AES have also been seen in more up-to-date modules.

It would appear that they have been working with and supporting the creators of Stuxnet and Flame. How do we know this?

The EG has used the same LNK vulnerability exploited by Stuxnet. This exploit relies on LNK files that are copied onto a USB storage device.

What types of malware are being used by the EG?

The means of implementing and distributing the malware is modular in nature.

There is in fact a plugin system, which means the malware can be changed on the fly based on the needs of the attack type; this is the attack platform. The different plugins deliver backdoors, worms, bootkits, etc. The first step in the attack cycle is to establish (through the use of a Trojan) whether the target is the intended one; if so, it is passed on to the attack platform.

Once a device is infected, a number of key modules are deployed by default onto the infected asset. This allows for complete control of the OS. The malware has the built-in ability to update itself with further modules in order to expand its functionality. It would appear that so far there are 35 unique plugins for the attack platform.

What is the attack vector used?

What is particularly intriguing about this group is their use of hardware as an infection method. They have used physical media such as CDs and discs to deliver their payload. The modules used by the EG look to reprogram the hard drive firmware on an infected machine. This provides the EG with two very distinct capabilities:

  1. Stay persistent on the compromised device.
  2. Have the ability to hide stolen data on a hidden storage partition.

How long has the EG been active?

One way to take a stab at answering this question is to look at when the C&Cs used by the EG were registered. Some of the C&Cs that have been discovered date back to 1996. One can extrapolate from this that this is most likely the date when the malware associated with the EG was first deployed. This highlights (taking into account that the EG has been active for almost two decades) the complexity of the challenge all organisations face when trying to detect and defend against state sponsored APT attacks.

What industry verticals have been attacked?

The list below is not exhaustive, but a small snapshot of the targeted industry verticals:

  1. Financial institutions
  2. Oil & Gas
  3. Transportation
  4. Telecoms

Are you prepared?

The Equation Group represents the most sophisticated computer attack group that has ever come into the public domain. It is clear that it has at its disposal a wealth of technical and financial resources. Is it possible to detect? Well, it appears virtually impossible to detect if one takes into account its lifespan before it was discovered. The degree of sophistication involved in the attack is highly impressive. There is the highly advanced keylogger referenced as Grok, then there is the bypassing of code-signing restrictions, the ability to map air-gapped networks, the use of a virtual file system, and the distribution of malicious files in different locations in the Windows registry with encryption, rendering anti-virus solutions almost useless. What this tells the larger connected world is: expect to be attacked and expect to be compromised. The key here is how quickly you, as an organisation or business, can close down the window of opportunity that malicious actors open. Reduce that to its narrowest point possible and give yourself a fighting chance to ensure that no significant harm is caused.
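As an added defender-side illustration (not code from this post or from the Kaspersky report), the following Python flags registry values that are both large and high-entropy, the combination one would expect from an encrypted module body stored in the registry rather than on disk. The sample values and the size/entropy thresholds are constructed assumptions for the example.

```python
import math
from collections import Counter

# Constructed sample registry values (path -> raw value bytes), not data from
# the report: a short version string, a repetitive ASCII config blob, and a
# large blob with a flat byte distribution standing in for an encrypted module.
SAMPLE_VALUES = {
    r"HKLM\SOFTWARE\Example\Version": b"1.0.3",
    r"HKLM\SOFTWARE\Example\Config": b"enabled=1;path=C:\\Program Files\\Example;" * 40,
    r"HKLM\SOFTWARE\Example\Cache": bytes(range(256)) * 20,
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; encrypted or compressed data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_values(values, min_size=4096, min_entropy=7.2):
    """Return (path, size, entropy) for values that are both large and high-entropy.

    Both thresholds are assumptions chosen for this example: small values and
    plain-text configuration never reach them, while an encrypted payload body
    of a few KB or more does. Tune them against a baseline of your own hosts.
    """
    hits = []
    for path, data in values.items():
        if len(data) < min_size:
            continue  # cheap size filter before computing entropy
        ent = shannon_entropy(data)
        if ent >= min_entropy:
            hits.append((path, len(data), round(ent, 2)))
    return hits


if __name__ == "__main__":
    for path, size, ent in suspicious_values(SAMPLE_VALUES):
        print(f"{path}: {size} bytes, entropy {ent}")
```

On a live Windows host the same `values` mapping can be filled by walking hives with the standard `winreg` module; the heuristic is a triage aid that surfaces candidates for analysis, not proof of infection.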

Nahim Fazal,

Head of International Cyber Security Business Development
