The last two years have been filled with revelations about NSA surveillance activities and the sophisticated spy tools the agency uses to take control of everything from individual systems to entire networks. Now it looks like researchers at Kaspersky Lab may have uncovered some of these NSA tools in the wild on customer machines, providing an extensive new look at the spy agency’s technical capabilities. Among the tools uncovered is a worm that appears to have direct connections to Stuxnet, the digital weapon that was launched repeatedly against centrifuges in Iran beginning in late 2007 in order to sabotage them. In fact, researchers say the newly uncovered worm may have served as a kind of test run for Stuxnet, allowing the attackers to map a way to targeted machines in Iran that were air-gapped from the internet.
Kaspersky have dubbed the attackers the Equation Group because of their love for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations, with the researchers considering them “the most advanced threat actor” they’ve seen to date.
The victims of Equation group were observed in more than 30 countries, the largest being Iran, but there is also high-infection rates in countries like Russia, Pakistan, and China. United States and United Kingdom are also listed as targets. Equation group has infected thousands throughout the world, in sectors ranging from government, military, finance, energy, and media, among others.
For nearly a year, Kaspersky have been gradually collecting components of Equation Group’s digital spy platforms that they say have been in use and development since 2001, possibly even as early as 1996, with researchers calling them “one of the most sophisticated cyber attack groups in the world.”
Kaspersky first came upon the Equation Group in March 2014, while researching the Regin malware (believed to have been created by Britain’s GCHQ spy agency) that infected computers belonging to the European Union and Belgian telecom Belgacom, among others. In the process, company researchers analyzed a computer located in the Middle East and dubbed the machine “Magnet of Threats” because, in addition to Regin, it was infected by four other highly advanced pieces of malware, including Turla, Careto/Mask, ItaDuke (See Also MiniDuke), and Animal Farm. A never-before-seen sample of malware on the computer piqued researchers’ interest and turned out to be an EquationDrug module, part of the Equation Group’s suite of surveillance tools.
In all, Kaspersky has tied at least six distinct pieces of malware to Equation Group:
As they pieced together components, they were able to establish a timeline and see that EquationLaser was an early-generation implant the attackers used between 2001 and 2004, while EquationDrug was the next-generation tool that came into use sometime around 2003. It was continuously developed and expanded by the attackers until 2013. Over time, it became a robust and full-blown platform composed of numerous plug-ins or modules that could be remotely slipped on to an infected system at will, once the attackers established a foothold on it.
EquationDrug was supplanted by the even more sophisticated GrayFish. Two versions of GrayFish have been uncovered—the first apparently developed in 2008 and the second in 2012, based on compilation timestamps. EquationDrug stopped being used in mid-2013 right around the time the first leaks from NSA whistleblower Edward Snowden were published. The first evidence of GrayFish 2.0 being used in the wild appeared shortly after those first leaks.
The new platforms, developed in succession with each one surpassing the previous in sophistication, can give the attackers complete and persistent control of infected systems for years, allowing them to siphon data and monitor activities while using complex encryption schemes and other sophisticated methods to avoid detection. The platforms also include an innovative module, the likes of which Kaspersky has never seen before, that re-flashes or reprograms a hard drive’s firmware with malicious code to turn the computer into a slave of the attackers.
Last week, it was reported that the NSA was preparing for a new leak about their cyber intelligence gathering capabilities. According to anonymous U.S. intelligence officials, the new disclosures would not be from Edward Snowden’s cache or another whistleblower, but instead were uncovered by a non-U.S. cybersecurity firm operating from Mexico, with a report anticipated to be released within days. Though Kaspersky Lab was founded in Russia, it operates in almost 200 countries throughout the world, including Mexico. And three days after officials warned of the upcoming leak, Kaspersky released a report on Equation Group at their 2015 Security Analysts Summit held where? You guessed it, Mexico. Coincidence? I think not.
Although the researchers have no solid evidence that the NSA is behind the tools and decline to make any attribution to that effect, there is circumstantial evidence that points to this conclusion. A keyword—GROK—found in a keylogger component appears in NSA documents leaked by Edward Snowden to The Intercept that describe a keylogger by the same name. There are other connections to an NSA spy tool catalog leaked to other journalists in 2013. The 53-page catalog details—with pictures, diagrams and secret codenames—an array of complex devices and capabilities available to intelligence operatives. The capabilities of several NSA tools identified by the codenames UNITEDRAKE, STRAITBIZZARE, FOXACID, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don’t appear in the components from the Equation Group, but Kaspersky did find “UR” in EquationDrug, suggesting a possible connection to UNITEDRAKE. Kaspersky also found other codenames in the components that aren’t in the NSA catalog but share the same naming conventions—they include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER.
Other evidence possibly pointing to the NSA is the fact that five victims in Iran who were infected with Equation Group components were also key victims of Stuxnet, which was reportedly created and launched by the U.S. and Israel.
Some machines infected by Equation Group are the “patients zero” that were used to seed the Stuxnet worm so it would travel downstream and infect Iran’s Natanz facility. “It is quite possible that the Equation Group malware was used to deliver the Stuxnet payload,” Kaspersky wrote in their report.
Kaspersky wouldn’t identify the Iranian victims hit by the Equation tools, but the five key Stuxnet victims have been previously identified as five companies in Iran, all contractors in the business of building and installing industrial control systems for various clients. Stuxnet targeted industrial control systems used to control centrifuges at a uranium-enrichment plant near Natanz, Iran. The companies—Neda Industrial Group, Kala Electric, Behpajooh, CGJ (believed to be Control Gostar Jahed) and Foolad Technic—were infected with Stuxnet in the hope that contractors would carry it into the enrichment plant on an infected USB stick. This link between the Equation Group and Stuxnet raises the possibility that the Equation tools were part of the Stuxnet attack, perhaps to gather intelligence for it.
Methods of Infection
To infect victims, Equation Group used multiple methods—such as the Fanny worm or infected USB sticks and zero-day exploits. They also used web-based exploits to infect visitors to certain web sites. The researchers counted at least seven exploits the attackers used, at least four of which were zero-days at the time.
The newly uncovered worm created by the Equation Group, which the researchers are calling Fanny after the name of one of its files, has an equally intriguing connection to Stuxnet. It uses two of the same zero-day exploits that Stuxnet used, including the infamous .LNK zero-day exploit that helped Stuxnet spread to air-gapped machines at Natanz—machines that aren’t connected to the internet.
The .LNK exploit in Fanny has a dual purpose—it allows attackers to send code to air-gapped machines via an infected USB stick but also lets them surreptitiously collect intelligence about these systems and transmit it back to the attackers. Fanny does this by storing the intelligence in a hidden file on the USB stick; when the stick is then inserted into a machine connected to the internet, the data intelligence gets transferred to the attackers. EquationDrug also makes use of the .LNK exploit. A component called SF loads it onto USB sticks along with a trojan to infect machines.
The other zero-day Fanny uses is an exploit that Stuxnet used to gain escalated privileges on machines in order to install itself seamlessly.
Head of Kaspersky’s Global Research and Analysis Team Costin Raiu said he thinks Fanny was an early experiment to test the viability of using self-replicating code to spread malware to air-gapped machines and was only later added to Stuxnet when the method proved a success.
It could have also been used for a different operation entirely, and its developers simply shared the exploits with the Stuxnet crew. The vast majority of Fanny infections detected so far are in Pakistan. Kaspersky has found no infections in Iran. This suggests Fanny was likely created for a different operation.
Pakistan’s nuclear weapons program, like Iran’s, has long been a U.S. concern. The centrifuge designs used in Iran’s uranium-enrichment plant at Natanz came from Pakistan—a Pakistani scientist helped jumpstart Iran’s nuclear program with them. Information about the NSA’s black budget, leaked by Snowden to the Washington Post in 2013, shows that Pakistan’s nuclear program, and the security of its nuclear weapons, is a huge concern to U.S. intelligence and there is “intense focus” on gaining more information about it. “No other nation draws as much scrutiny across so many categories of national security concern,” the Post wrote in a story about the budget.
Kaspersky found only one version of Fanny. It arrived in their virus collection system in December 2008 but went unnoticed in their archive until last year. Raiu doesn’t konw where the Fanny file came from—possibly another anti-virus firm’s shared collection.
GrayFish works on all the latest Windows operating systems as well as Windows 2000. It’s the most sophisticated platform of the Equation Group suite. Its components all reside in the registry of infected systems, making the malware nearly invisible to detection systems.
GrayFish uses a highly complex multi-stage decryption process to unpack its code, decrypting and executing each stage in strict order, with each stage containing the key to unlock the subsequent one. GrayFish only begins this decryption process, however, if it finds specific information on the targeted machine, which it then uses to generate the first key to launch the decryption. This allows the attackers to tailor the infection to specific machines and not risk having it decrypt on unwanted systems. The magic key that initiates this process is generated by running a unique ID associated with one of the computer’s folders through the SHA-256 algorithm 1,000 times.
The technique makes it impossible for researchers to access the final payload without possessing the raw disk image for each individual infected machine. This closely resembles one used to conceal a potentially potent warhead in Gauss (1) (2), a piece of highly advanced malware that shared strong technical similarities with both Stuxnet and Flame. (Stuxnet, according to The New York Times, was a joint operation between the NSA and Israel, while Flame, according to The Washington Post, was devised by the NSA, the CIA, and the Israeli military.) The final hash becomes the key to unlock the malware and launch the nested decryption scheme.
Gauss had a mysterious payload that has never been unlocked because it can only be decrypted by a key generated by running specific data on the targeted machine through the MD5 algorithm 10,000 times. The scheme, as used in both GrayFish and Gauss, not only serves to prevent the malware from unleashing on non-targeted machines, it also prevents security researchers and victims from unlocking the code without knowing the specific data needed to generate the hash/decryption key.
In addition to the encryption scheme, GrayFish uses a sophisticated bootkit to hijack infected systems. Each time the computer reboots, GrayFish loads malicious code from the boot record to hijack the booting process and give GrayFish complete command over the operating system, essentially making GrayFish the computer’s operating system. If an error occurs during this process, however, the malware will immediately halt and self-destruct, leaving the real Windows operating system to resume control, while GrayFish quietly disappears from the system.
But the most impressive GrayFish component is one that can be used to reflash the firmware of hard drives. More: Suspected NSA Super-Malware Rewrites Hard Drive Firmware Making It Impossible to Detect or Remove
One of the most interesting cases of infection concerned a scientist who was targeted after visiting the U.S.
The scientist had attended an international scientific conference in Houston, Texas sometime around 2009 and received the infection on a conference CD-ROM sent to him after he returned home. The disk contained a slideshow of photos from the gathering. But it also contained three exploits, two of them zero-days, that triggered malware from the Equation Group to load to his machine.
Kaspersky software on the scientist’s machine triggered an alert and sent a sample of the malware to Kaspersky’s archive, but the researchers only discovered it last year when they began investigating the Equation Group’s operations. They were able to identify and contact the victim. Raiu won’t name the scientist or indicate his area of research, but he likened the attack to a recent one that occurred against noted Belgian cryptographer and academic Jean-Jacques Quisquater. Quisquater’s computer had been infected with the Regin spy tool.
The CD from the 2009 Houston conference—which Kaspersky declined to identify, except to say it was related to science—tried to use the autorun.inf mechanism in Windows to install malware dubbed DoubleFantasy. Kaspersky knows that conference organizers did send attendees a disc, and the company knows the identity of at least one conference participant who received a maliciously modified one, but company researchers provided few other details and don’t know precisely how the malicious content wound up on the disc.
“It would be very easy to trace the attack back to the organizers and point them out, and this could in turn result in some very serious diplomatic incidents,” Raiu said. “Our best guess is that the organizers didn’t act in a malicious way against the participants, but [that] some of the CD-ROMs on their way to the participants were intercepted and replaced with the malicious variants.”
Documents leaked by Edward Snowden describe NSA and CIA interdiction efforts that involve intercepting computer hardware as it’s in transit from a factory or seller and then implanting it with spy tools before repackaging it and sending it on to the customer. The same method might have been used in this case. It’s not known if other conference attendees received infected disks.
Even less is known about a CD for installing Oracle 8i-8.1.7 for Windows sent six or seven years earlier, except that it installed an early Equation Group malware program known as EquationLaser.
The conference and Oracle CDs are the only Equation Group interdictions that Kaspersky researchers have discovered.
A far more common infection vector was Web-based attacks that exploited vulnerabilities in Oracle’s Java software framework or in Internet Explorer. The exploits were hosted on a variety of websites related to everything from reviews of technology products to discussions of Islamic Jihad. In addition to planting exploits on the websites, the attack code was also transmitted through ad networks. The wide range of exploit carriers may explain why so many of the machines Kaspersky observed reporting to its sinkholes were domain controllers, data warehouses, website hosts, and other types of servers. Equation Group, it seems, wasn’t infecting only end user computers—it was also booby-trapping servers known to be accessed by targeted end users.
One of the exploits had been used before in the so-called Aurora attack that struck Google in late 2009. That hack was attributed to China, but the Kaspersky researchers say the Equation Group apparently recycled it to use in their own later attack against government targets in Afghanistan.
Equation Group exploits are notable for the surgical precision exercised to ensure that only an intended target was infected. One Equation Group-written PHP script that Kaspersky unearthed, for instance, checked if the MD5 hash of a website visitor’s username was either 84b8026b3f5e6dcfb29e82e0b0b0f386 or e6d290a03b70cfa5d4451da444bdea39. The plaintext corresponding to the first hash is “unregistered,” an indication that attackers didn’t want to infect visitors who weren’t logged in. The second hash has
yet to be deciphered Update: now been cracked (غير مسجل / “unregistered”); see this brief.
The PHP script also took special care not to infect IP addresses based in Jordan, Turkey, and Egypt. Kaspersky observed users visiting the site who didn’t meet any of these exceptions, yet they still weren’t attacked—an indication that an additional level of filtering spared all but the most sought-after targets who visited the site.
More recently, Kaspersky has observed malicious links on the site standardsandpraiserepurpose[.]com that looked like:
Where the h value (that is, the text following the “h=”) appears to be an SHA1 hash. Kaspersky has yet to crack those hashes, but company researchers suspect they’re being used to serve customized exploits to specific people. The company is recruiting help from fellow white-hat hackers in cracking them. Other hashes include:
The PHP exploit code also serves unique Web pages and HTML code to people visiting with iPhones, behavior that Kaspersky found telling.
“This indicates the exploit server is probably aware of iPhone visitors and can deliver exploits for them as well,” Kaspersky’s report published Monday explained, “Otherwise, the exploitation URL can simply be removed for these.”
The report also said one sinkholed server receives visits from a large pool of China-based machines that identify themselves as Macs in the browser user agent string. While Kaspersky has yet to obtain Equation Group malware that runs on OS X, they believe it exists.
No matter how elite a hacking group may be, Raiu said, mistakes are inevitable. Equation Group made several errors that allowed Kaspersky researchers to glean key insights into an operation that went unreported for at least 14 years.
Following the discovery, Kaspersky researchers combed through their cloud-based Kaspersky Security Network of exploits and infections reported by AV users and looked for similarities and connections. In the following months, the researchers uncovered additional pieces of malware used by Equation Group as well as the domain names used to host command channels.
Perhaps most costly to the attackers was their failure to renew some of the domains used by these servers. Out of the 300 or so domains used, about 20 were allowed to expire. Kaspersky quickly registered the domains and, over the past ten months, has used them to “sinkhole” the command channels, a process in which researchers monitor incoming connections from Equation Group-infected machines.
One of the most severe renewal failures involved a channel that controlled computers infected by “EquationLaser,” an early malware platform abandoned around 2003 when antivirus programs began to detect it. The underlying domain name remained active for years until one day, it didn’t; Kaspersky acquired it and EquationLaser-infected machines still report to it.
“It’s really surprising to see there are victims around the world infected with this malware from 12 years ago,” Raiu said. He continues to see about a dozen infected machines that report from countries that include Russia, Iran, China, and India.
Raiu said 90 percent or more of the command and control servers were closed last year, although some remained active as recently as last month.
The sinkholes have allowed Kaspersky researchers to gather key clues about the operation, including the number of infected computers reporting to the seized command domains, the countries in which these compromised computers are likely located, and the types of operating systems they run.
Other key mistakes were variable names, developer account names, and similar artifacts left in various pieces of Equation Group malware. In the same way cat burglars wear gloves to conceal their fingerprints, attackers take great care to scrub such artifacts out of their code before releasing it. But in at least 13 cases, they failed. Possibly the most telling artifact is the string “-standalonegrok_220.127.116.11” that accompanies a highly advanced keylogger tied to Equation Group.
Another potentially damaging artifact found by Kaspersky is the Windows directory path of “c:\users\rmgree5” belonging to one of the developer accounts that compiled Equation Group malware. Assuming the rmgree5 wasn’t a randomly generated account name, it may be possible to link it to a developer’s real-world identity if the handle has been used for other accounts or if it corresponds to a developer’s real-world name such as “Richard Gree” or “Robert Greenberg.”
Kaspersky researchers still don’t know what to make of the 11 remaining artifacts, but they hope fellow researchers can connect the strings to other known actors or incidents. The remaining artifacts are:
- prkMtx – unique mutex used by the Equation Group’s exploitation library (gPrivLibh)
- “SF” – as in “SFInstall”, “SFConfig”
- “UR”, “URInstall” – “Performing UR-specific post-install…”
- “implant” – from “Timeout waiting for the “canInstallNow” event from the implant-specific EXE!”
- STEALTHFIGHTER (VTT/82055898/STEALTHFIGHTER/2008-10-16/14:59:06.229-04:00
- DRINKPARSLEY – (Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00)
- STRAITACID – (VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00)
- LUTEUSOBSTOS – (VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00)
- STRAITSHOOTER – STRAITSHOOTER30.exe
- DESERTWINTER – c:\desert~2\desert~3\objfre_w2K_x86\i386\DesertWinterDriver.pdb
Although the Equation Group findings are significant, they still represent only a very small subset of nation-state malware out in the wild from not only the U.S. but other actors as well. And given that the samples Kaspersky found are at least a year old, they may not be state-of-the-art any more.
“The thing that scares me the most is that we don’t have any samples from the Equation Group from 2014,” Raiu says, suggesting the group’s capabilities may have already been surpassed by even more sophisticated wares.