Your Source for Leaks Around the World!

Archive for the ‘Malware’ Category

Hacking Team Hacked: 400GB Data Dump of Internal Documents/Emails/Source Code from Notorious Spyware Dealer

In Archive, Hacking, Hacking Team, Malware, Surveillance, WikiLeaks on July 7, 2015 at 9:07 AM



The controversial Italian surveillance company Hacking Team, which sells spyware to governments all around the world, including agencies in Ethiopia, Morocco, the United Arab Emirates, as well as the US Drug Enforcement Administration, has been seriously hacked.

Hackers have made 400GB of client files, contracts, financial documents, and internal emails, some as recent as 2015, publicly available for download.

What’s more, the unknown hackers announced their feat through Hacking Team’s own Twitter account.


Torrent Links:!Xx1lhChT!rbB-LQQyRypxd5bcQnqu-IMZN20ygW_lWfdHdqpKH3E
Source Codes:

Last year, a hacker who only went by the name “PhineasFisher” hacked the controversial surveillance tech company Gamma International, a British-German surveillance company that sells the spyware software FinFisher. He then went on to leak more than 40GB of internal data from the company, which has been long criticized for selling to repressive governments.


That same hacker has now claimed responsibility for the breach of Hacking Team, that sells a similar product called Remote Control System Galileo.

Lorenzo Franceschi-Bicchierai/Motherboard:

On Sunday night, I reached out to the hacker while he was in control of Hacking Team’s Twitter account via a direct message to @hackingteam. Initially, PhineasFisher responded with sarcasm, saying he was willing to chat because “we got such good publicity from your last story!” referring to a recent story I wrote about the company’s CEO claiming to be able to crack the dark web.

Afterwards, however, he also claimed that he was PhineasFisher. To prove it, he told me he would use the parody account he used last year to promote the FinFisher hack to claim responsibility.

“I am the same person behind that hack,” he told me before coming out publicly.

The hacker, however, declined to answer to any further questions.

The leak of 400GB of internal files contains “everything,” according to a person close to the company, who only spoke on condition of anonymity. The files contain internal emails between employees; a list of customers, including some, such as the FBI, that were previously unknown; and allegedly even the source code of Hacking Team’s software, its crown jewels.




Download Spreadsheet

Download Spreadsheet


Download Spreadsheet


Screenshot shows an email dated 2014 from Hacking Team’s founder and CEO David Vincenzetti to another employee. In the email, titled “Yet another Citizen Lab attack,” Vincenzetti links to a report from the online digital rights research center Citizen Lab, at the University of Toronto’s Munk School of Global Affairs, which has exposed numerous cases of abuse from Hacking Team’s clients.


Hacking Team has never revealed a list of its clients, and has always and repeatedly denied selling to sketchy governments, arguing that it has an internal procedure to address human rights concerns about prospective customers.

The email about Citizen Lab is filed in a folder called “Anti HT activists.”






via Thomas Fox-Brewster/Forbes:

In-depth notes on the level of exploitation across a number of Android devices, from the likes of Samsung, HTC and Huawei. It appears the exploits weren’t always successful in accessing voice or texts on phones.

Hacking Team operations manager Daniele Milan’s email from January indicated some imminent features in Hacking Team’s tools included “physical infection of BitLocker protected disks”, thereby bypassing the much-used Microsoft disk encryption technology, as well as “extraction of information from pictures posted on Facebook and Twitter”. It will also soon be able to “capture of documents edited using Google Docs or Office 365”, the roadmap suggested.

Another email from Milan, dated 15 May, indicated the security-focused messaging application Wickr was on the target list too, thanks to a request from the US government. “I had a call this morning with an agent from Homeland Security Investigations [a body within the Department of Homeland Security], and he told me he got some requests to intercept suspects using this application, Wickr… we may want to keep an eye on it and eventually evaluate to add support.”

via Dan Goodin/ArsTechnica:

Another document boasts of Hacking Team’s ability to bypass certificate pinning and the HTTP strict transport security mechanisms that are designed to make HTTPS website encryption more reliable and secure. “Our solution is the only way to intercept TOR traffic at the moment,” the undated PowerPoint presentation went on to say.

Elsewhere, the document stated: “HTTPS Everywhere enforces https and could send rogue certificates to the EFF SSL Observatory.” HTTPS Everywhere is a browser extension developed by the Electronic Frontier Foundation that ensures end users use HTTPS when connecting to a preset list of websites. The statement appears to be a warning that any fraudulent certificates Galileo relies on could become public if used against HTTPS Everywhere users when they have selected an option to send anonymous copies of HTTPS certificates to EFF’s SSL Observatory database.


Renowned cryptographer Bruce Schneier: “The Hacking Team CEO, David Vincenzetti, doesn’t like me:”

In another [e-mail], the Hacking Team CEO on 15 May claimed renowned cryptographer Bruce Schneier was “exploiting the Big Brother is Watching You FUD (Fear, Uncertainty and Doubt) phenomenon in order to sell his books, write quite self-promoting essays, give interviews, do consulting etc. and earn his hefty money.”









Lorenzo Franceschi-Bicchierai/Motherboard:

After suffering a massive hack, the controversial surveillance tech company Hacking Team is scrambling to limit the damage as well as trying to figure out exactly how the attackers hacked their systems.

But the hack hasn’t just ruined the day for Hacking Team’s employees. The company has told all its customers to shut down all operations and suspend all use of the company’s spyware, Motherboard has learned.

“They’re in full on emergency mode,” a source who has inside knowledge of Hacking Team’s operations told Motherboard.

Hacking Team notified all its customers on Monday morning with a “blast email,” requesting them to shut down all deployments of its Remote Control System software, also known as Galileo, according to multiple sources. The company also doesn’t have access to its email system as of Monday afternoon, a source said.

A source told Motherboard that the hackers appears to have gotten “everything,” likely more than what the hacker has posted online, perhaps more than one terabyte of data.

It’s unclear how the hackers got their hands on the stash, but judging from the leaked files, they broke into the computers of Hacking Team’s two systems administrators, Christian Pozzi and Mauro Romeo, who had access to all the company’s files, according to the source.

In a series of tweets on Monday morning, which have been since deleted, Pozzi said that Hacking Team was working closely with the police, and warned everyone who was downloading the files and commenting on them.

“Be warned that the torrent file the attackers claim is clean has a virus,” he wrote. “Stop seeding and spreading false info.”

The future of the company, at this point, it’s uncertain.

Employees fear this might be the beginning of the end, according to sources. One current employee, for example, started working on his resume, a source told Motherboard.

It’s also unclear how customers will react to this, but a source said that it’s likely that customers from countries such as the US will pull the plug on their contracts.

Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team’s “crisis procedure,” it could have killed their operations remotely.

The company, in fact, has “a backdoor” into every customer’s software, giving it ability to suspend it or shut it down—something that even customers aren’t told about.

To make matters worse, every copy of Hacking Team’s Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it.

Hacking Team did not answer to repeated requests for comment, both to its US spokesperson Eric Rabe as well as directly to its office in Milan, Italy.


When asked about the identity of the person or group who carried out the attack, Rabe indicated that he believed the attack was the work of a nation state or a criminal gang, and not the work of an activist as many have speculated:

“Doing our own forensics here, we think this was a very sophisticated attack, and certainly not the work of an amateur. The press seems to take the view that this was some sort of human rights activist but I think that is far from certain and it could easily have been criminal activity or some government activity,” adding that “this is almost certainly an international crime”.

When it was pointed out that if a government or criminal group was behind the attack then posting all the information online seems a strange move, Rabe said: “I am not sure why anybody would do that, but part of the effort here was to disrupt our operations as much as possible so I think that would be a motive for many different people.”

When asked if this could be the work of one of Hacking Team’s competitors such as UK-based Gamma International or Israeli NSO Group, Rabe said: “I think that is unlikely” though he admitted that just like everyone else he was speculating.

While some media reports have suggested the company is working with the Italian police to investigate the attack, Rabe says that all he will say is that the company is “working with law enforcement” reiterating that this was an international attack.









*This post will be continuously updated as there is much more new information emerging. Post anything you find in the comments below and I will add them to the article. LAST UPDATE: 07/13/2015 @ 8PM EST


Related Links:

WikiLeaks SpyFiles on HackingTeam

To Protect and Infect: The Militarization of the Internet – Claudio Guarnieri, Morgan Marquis-Boire, Jacob Appelbaum @ 30c3

Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide

Suspected NSA Super-Malware Rewrites Hard Drive Firmware Making It Impossible to Detect or Remove

In Archive, Equation Group, Hacking, Kaspersky, Malware, NSA, Surveillance on February 20, 2015 at 10:18 PM



Kaspersky/Joseph Menn/Reuters:

Kaspersky Lab released a report Monday revealing highly complex and sophisticated surveillance software created by what they are calling the “Equation Group”. The tools, malware and exploits used by the group—named after its penchant for encryption—have strong similarities with NSA techniques described in top-secret documents leaked by Edward Snowden in 2013.

Kaspersky’s most striking finding is Equation Group’s ability to infect the firmware of a hard drive. One of the group’s malware platforms is able rewrite the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.


Kaspersky uncovered two versions of a mysterious module known only by a cryptic name: “nls_933w.dll”, used for reflashing or reprogramming firmware—one version for the EquationDrug platform the other for GrayFish. The EquationDrug version appears to have been compiled in 2010 while the GrayFish one bears a 2013 timestamp.

The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group’s sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.

While it’s simple for end users to re-flash their hard drives using executable files provided by manufacturers, it’s just about impossible for an outsider to reverse engineer a hard drive, read the existing firmware, and create malicious versions.

“Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, in a phone interview Monday.

“This is an incredibly complicated thing that was achieved by these guys, and they didn’t do it for one kind of hard drive brand,” Raiu said. “It’s very dangerous and bad because once a hard drive gets infected with this malicious payload it’s impossible for anyone, especially an antivirus [provider], to scan inside that hard drive firmware. It’s simply not possible to do that.”

A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.

“There is zero chance that someone could rewrite the [hard drive] operating system using public information,” Raiu said.

Concerns about access to source code flared after a series of high-profile cyberattacks on Google Inc and other U.S. companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies.

It is not clear how the NSA may have obtained the hard drives’ source code. Western Digital spokesman Steve Shattuck said the company “has not provided its source code to government agencies.” The other hard drive makers would not say if they had shared their source code with the NSA.

Seagate spokesman Clive Over said it has “secure measures to prevent tampering or reverse engineering of its firmware and other technologies.” Micron spokesman Daniel Francisco said the company took the security of its products seriously and “we are not aware of any instances of foreign code.”

Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.

According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe.

“They don’t admit it, but they do say, ‘We’re going to do an evaluation, we need the source code,'” said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. “It’s usually the NSA doing the evaluation, and it’s a pretty small leap to say they’re going to keep that source code.”

The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.

Peter Swire, one of five members of U.S. President Barack Obama’s Review Group on Intelligence and Communications Technology, said the Kaspersky report showed that it is essential for the country to consider the possible impact on trade and diplomatic relations before deciding to use its knowledge of software flaws for intelligence gathering.

“There can be serious negative effects on other U.S. interests,” Swire said.

Equation Group: NSA-Linked Malware Discovered in the Wild

In Archive, Equation Group, Hacking, Kaspersky, Malware, NSA, Stuxnet, Surveillance on February 20, 2015 at 9:57 PM


Kaspersky/Kim Zetter/WIRED/Dan Goodin/ArsTechnica:

The last two years have been filled with revelations about NSA surveillance activities and the sophisticated spy tools the agency uses to take control of everything from individual systems to entire networks. Now it looks like researchers at Kaspersky Lab may have uncovered some of these NSA tools in the wild on customer machines, providing an extensive new look at the spy agency’s technical capabilities. Among the tools uncovered is a worm that appears to have direct connections to Stuxnet, the digital weapon that was launched repeatedly against centrifuges in Iran beginning in late 2007 in order to sabotage them. In fact, researchers say the newly uncovered worm may have served as a kind of test run for Stuxnet, allowing the attackers to map a way to targeted machines in Iran that were air-gapped from the internet.

Kaspersky have dubbed the attackers the Equation Group because of their love for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations, with the researchers considering them “the most advanced threat actor” they’ve seen to date.

The victims of Equation group were observed in more than 30 countries, the largest being Iran, but there is also high-infection rates in countries like Russia, Pakistan, and China. United States and United Kingdom are also listed as targets. Equation group has infected thousands throughout the world, in sectors ranging from government, military, finance, energy, and media, among others.


For nearly a year, Kaspersky have been gradually collecting components of Equation Group’s digital spy platforms that they say have been in use and development since 2001, possibly even as early as 1996, with researchers calling them “one of the most sophisticated cyber attack groups in the world.”

Kaspersky first came upon the Equation Group in March 2014, while researching the Regin malware (believed to have been created by Britain’s GCHQ spy agency) that infected computers belonging to the European Union and Belgian telecom Belgacom, among others. In the process, company researchers analyzed a computer located in the Middle East and dubbed the machine “Magnet of Threats” because, in addition to Regin, it was infected by four other highly advanced pieces of malware, including Turla, Careto/Mask, ItaDuke (See Also MiniDuke), and Animal Farm. A never-before-seen sample of malware on the computer piqued researchers’ interest and turned out to be an EquationDrug module, part of the Equation Group’s suite of surveillance tools.

In all, Kaspersky has tied at least six distinct pieces of malware to Equation Group:



As they pieced together components, they were able to establish a timeline and see that EquationLaser was an early-generation implant the attackers used between 2001 and 2004, while EquationDrug was the next-generation tool that came into use sometime around 2003. It was continuously developed and expanded by the attackers until 2013. Over time, it became a robust and full-blown platform composed of numerous plug-ins or modules that could be remotely slipped on to an infected system at will, once the attackers established a foothold on it.

EquationDrug was supplanted by the even more sophisticated GrayFish. Two versions of GrayFish have been uncovered—the first apparently developed in 2008 and the second in 2012, based on compilation timestamps. EquationDrug stopped being used in mid-2013 right around the time the first leaks from NSA whistleblower Edward Snowden were published. The first evidence of GrayFish 2.0 being used in the wild appeared shortly after those first leaks.


The new platforms, developed in succession with each one surpassing the previous in sophistication, can give the attackers complete and persistent control of infected systems for years, allowing them to siphon data and monitor activities while using complex encryption schemes and other sophisticated methods to avoid detection. The platforms also include an innovative module, the likes of which Kaspersky has never seen before, that re-flashes or reprograms a hard drive’s firmware with malicious code to turn the computer into a slave of the attackers.

NSA Links

Last week, it was reported that the NSA was preparing for a new leak about their cyber intelligence gathering capabilities. According to anonymous U.S. intelligence officials, the new disclosures would not be from Edward Snowden’s cache or another whistleblower,  but instead were uncovered by a non-U.S. cybersecurity firm operating from Mexico, with a report anticipated to be released within days. Though Kaspersky Lab was founded in Russia, it operates in almost 200 countries throughout the world, including Mexico. And three days after officials warned of the upcoming leak, Kaspersky released a report on Equation Group at their 2015 Security Analysts Summit held where? You guessed it, Mexico. Coincidence? I think not.

Although the researchers have no solid evidence that the NSA is behind the tools and decline to make any attribution to that effect, there is circumstantial evidence that points to this conclusion. A keyword—GROK—found in a keylogger component appears in NSA documents leaked by Edward Snowden to The Intercept that describe a keylogger by the same name. There are other connections to an NSA spy tool catalog leaked to other journalists in 2013. The 53-page catalog details—with pictures, diagrams and secret codenames—an array of complex devices and capabilities available to intelligence operatives. The capabilities of several NSA tools identified by the codenames UNITEDRAKE, STRAITBIZZARE, FOXACID, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don’t appear in the components from the Equation Group, but Kaspersky did find “UR” in EquationDrug, suggesting a possible connection to UNITEDRAKE. Kaspersky also found other codenames in the components that aren’t in the NSA catalog but share the same naming conventions—they include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER.

Other evidence possibly pointing to the NSA is the fact that five victims in Iran who were infected with Equation Group components were also key victims of Stuxnet, which was reportedly created and launched by the U.S. and Israel.

Some machines infected by Equation Group are the “patients zero” that were used to seed the Stuxnet worm so it would travel downstream and infect Iran’s Natanz facility. “It is quite possible that the Equation Group malware was used to deliver the Stuxnet payload,” Kaspersky wrote in their report.

Kaspersky wouldn’t identify the Iranian victims hit by the Equation tools, but the five key Stuxnet victims have been previously identified as five companies in Iran, all contractors in the business of building and installing industrial control systems for various clients. Stuxnet targeted industrial control systems used to control centrifuges at a uranium-enrichment plant near Natanz, Iran. The companies—Neda Industrial Group, Kala Electric, Behpajooh, CGJ (believed to be Control Gostar Jahed) and Foolad Technic—were infected with Stuxnet in the hope that contractors would carry it into the enrichment plant on an infected USB stick. This link between the Equation Group and Stuxnet raises the possibility that the Equation tools were part of the Stuxnet attack, perhaps to gather intelligence for it.

Methods of Infection

To infect victims, Equation Group used multiple methods—such as the Fanny worm or infected USB sticks and zero-day exploits. They also used web-based exploits to infect visitors to certain web sites. The researchers counted at least seven exploits the attackers used, at least four of which were zero-days at the time.




The newly uncovered worm created by the Equation Group, which the researchers are calling Fanny after the name of one of its files, has an equally intriguing connection to Stuxnet. It uses two of the same zero-day exploits that Stuxnet used, including the infamous .LNK zero-day exploit that helped Stuxnet spread to air-gapped machines at Natanz—machines that aren’t connected to the internet.


The .LNK exploit in Fanny has a dual purpose—it allows attackers to send code to air-gapped machines via an infected USB stick but also lets them surreptitiously collect intelligence about these systems and transmit it back to the attackers. Fanny does this by storing the intelligence in a hidden file on the USB stick; when the stick is then inserted into a machine connected to the internet, the data intelligence gets transferred to the attackers. EquationDrug also makes use of the .LNK exploit. A component called SF loads it onto USB sticks along with a trojan to infect machines.

The other zero-day Fanny uses is an exploit that Stuxnet used to gain escalated privileges on machines in order to install itself seamlessly.

Head of Kaspersky’s Global Research and Analysis Team Costin Raiu said he thinks Fanny was an early experiment to test the viability of using self-replicating code to spread malware to air-gapped machines and was only later added to Stuxnet when the method proved a success.

It could have also been used for a different operation entirely, and its developers simply shared the exploits with the Stuxnet crew. The vast majority of Fanny infections detected so far are in Pakistan. Kaspersky has found no infections in Iran. This suggests Fanny was likely created for a different operation.


Pakistan’s nuclear weapons program, like Iran’s, has long been a U.S. concern. The centrifuge designs used in Iran’s uranium-enrichment plant at Natanz came from Pakistan—a Pakistani scientist helped jumpstart Iran’s nuclear program with them. Information about the NSA’s black budget, leaked by Snowden to the Washington Post in 2013, shows that Pakistan’s nuclear program, and the security of its nuclear weapons, is a huge concern to U.S. intelligence and there is “intense focus” on gaining more information about it. “No other nation draws as much scrutiny across so many categories of national security concern,” the Post wrote in a story about the budget.

Kaspersky found only one version of Fanny. It arrived in their virus collection system in December 2008 but went unnoticed in their archive until last year. Raiu doesn’t konw where the Fanny file came from—possibly another anti-virus firm’s shared collection.


GrayFish works on all the latest Windows operating systems as well as Windows 2000. It’s the most sophisticated platform of the Equation Group suite. Its components all reside in the registry of infected systems, making the malware nearly invisible to detection systems.

GrayFish uses a highly complex multi-stage decryption process to unpack its code, decrypting and executing each stage in strict order, with each stage containing the key to unlock the subsequent one. GrayFish only begins this decryption process, however, if it finds specific information on the targeted machine, which it then uses to generate the first key to launch the decryption. This allows the attackers to tailor the infection to specific machines and not risk having it decrypt on unwanted systems. The magic key that initiates this process is generated by running a unique ID associated with one of the computer’s folders through the SHA-256 algorithm 1,000 times.


The technique makes it impossible for researchers to access the final payload without possessing the raw disk image for each individual infected machine. This closely resembles one used to conceal a potentially potent warhead in Gauss (1) (2), a piece of highly advanced malware that shared strong technical similarities with both Stuxnet and Flame. (Stuxnet, according to The New York Times, was a joint operation between the NSA and Israel, while Flame, according to The Washington Post, was devised by the NSA, the CIA, and the Israeli military.) The final hash becomes the key to unlock the malware and launch the nested decryption scheme.

Gauss had a mysterious payload that has never been unlocked because it can only be decrypted by a key generated by running specific data on the targeted machine through the MD5 algorithm 10,000 times. The scheme, as used in both GrayFish and Gauss, not only serves to prevent the malware from unleashing on non-targeted machines, it also prevents security researchers and victims from unlocking the code without knowing the specific data needed to generate the hash/decryption key.

In addition to the encryption scheme, GrayFish uses a sophisticated bootkit to hijack infected systems. Each time the computer reboots, GrayFish loads malicious code from the boot record to hijack the booting process and give GrayFish complete command over the operating system, essentially making GrayFish the computer’s operating system. If an error occurs during this process, however, the malware will immediately halt and self-destruct, leaving the real Windows operating system to resume control, while GrayFish quietly disappears from the system.


But the most impressive GrayFish component is one that can be used to reflash the firmware of hard drives. More: Suspected NSA Super-Malware Rewrites Hard Drive Firmware Making It Impossible to Detect or Remove


One of the most interesting cases of infection concerned a scientist who was targeted after visiting the U.S.

The scientist had attended an international scientific conference in Houston, Texas sometime around 2009 and received the infection on a conference CD-ROM sent to him after he returned home. The disk contained a slideshow of photos from the gathering. But it also contained three exploits, two of them zero-days, that triggered malware from the Equation Group to load to his machine.


Kaspersky software on the scientist’s machine triggered an alert and sent a sample of the malware to Kaspersky’s archive, but the researchers only discovered it last year when they began investigating the Equation Group’s operations. They were able to identify and contact the victim. Raiu won’t name the scientist or indicate his area of research, but he likened the attack to a recent one that occurred against noted Belgian cryptographer and academic Jean-Jacques Quisquater. Quisquater’s computer had been infected with the Regin spy tool.

The CD from the 2009 Houston conference—which Kaspersky declined to identify, except to say it was related to science—tried to use the autorun.inf mechanism in Windows to install malware dubbed DoubleFantasy. Kaspersky knows that conference organizers did send attendees a disc, and the company knows the identity of at least one conference participant who received a maliciously modified one, but company researchers provided few other details and don’t know precisely how the malicious content wound up on the disc.

“It would be very easy to trace the attack back to the organizers and point them out, and this could in turn result in some very serious diplomatic incidents,” Raiu said. “Our best guess is that the organizers didn’t act in a malicious way against the participants, but [that] some of the CD-ROMs on their way to the participants were intercepted and replaced with the malicious variants.”

Documents leaked by Edward Snowden describe NSA and CIA interdiction efforts that involve intercepting computer hardware as it’s in transit from a factory or seller and then implanting it with spy tools before repackaging it and sending it on to the customer. The same method might have been used in this case. It’s not known if other conference attendees received infected disks.

Even less is known about a CD for installing Oracle 8i-8.1.7 for Windows sent six or seven years earlier, except that it installed an early Equation Group malware program known as EquationLaser.

The conference and Oracle CDs are the only Equation Group interdictions that Kaspersky researchers have discovered.

Web-Based Exploits

A far more common infection vector was Web-based attacks that exploited vulnerabilities in Oracle’s Java software framework or in Internet Explorer. The exploits were hosted on a variety of websites related to everything from reviews of technology products to discussions of Islamic Jihad. In addition to planting exploits on the websites, the attack code was also transmitted through ad networks. The wide range of exploit carriers may explain why so many of the machines Kaspersky observed reporting to its sinkholes were domain controllers, data warehouses, website hosts, and other types of servers. Equation Group, it seems, wasn’t infecting only end user computers—it was also booby-trapping servers known to be accessed by targeted end users.

One of the exploits had been used before in the so-called Aurora attack that struck Google in late 2009. That hack was attributed to China, but the Kaspersky researchers say the Equation Group apparently recycled it to use in their own later attack against government targets in Afghanistan.

Related: “Steal Their Tools, Tradecraft, Targets and Take”: How NSA Uses Other Countries’ Cyber Attacks to Their Advantage

Equation Group exploits are notable for the surgical precision exercised to ensure that only an intended target was infected. One Equation Group-written PHP script that Kaspersky unearthed, for instance, checked if the MD5 hash of a website visitor’s username was either 84b8026b3f5e6dcfb29e82e0b0b0f386 or e6d290a03b70cfa5d4451da444bdea39. The plaintext corresponding to the first hash is “unregistered,” an indication that attackers didn’t want to infect visitors who weren’t logged in. The second hash has yet to be deciphered Update: now been cracked (غير مسجل / “unregistered”); see this brief.

The PHP script also took special care not to infect IP addresses based in Jordan, Turkey, and Egypt. Kaspersky observed users visiting the site who didn’t meet any of these exceptions, yet they still weren’t attacked—an indication that an additional level of filtering spared all but the most sought-after targets who visited the site.

More recently, Kaspersky has observed malicious links on the site standardsandpraiserepurpose[.]com that looked like:


Where the h value (that is, the text following the “h=”) appears to be an SHA1 hash. Kaspersky has yet to crack those hashes, but company researchers suspect they’re being used to serve customized exploits to specific people. The company is recruiting help from fellow white-hat hackers in cracking them. Other hashes include:

  • 0044c9bfeaac9a51e77b921e3295dcd91ce3956a
  • 06cf1af1d018cf4b0b3e6cfffca3fbb8c4cd362e
  • 3ef06b6fac44a2a3cbf4b8a557495f36c72c4aa6
  • 5b1efb3dbf50e0460bc3d2ea74ed2bebf768f4f7
  • 930d7ed2bdce9b513ebecd3a38041b709f5c2990
  • e9537a36a035b08121539fd5d5dcda9fb6336423

The PHP exploit code also serves unique Web pages and HTML code to people visiting with iPhones, behavior that Kaspersky found telling.

“This indicates the exploit server is probably aware of iPhone visitors and can deliver exploits for them as well,” Kaspersky’s report published Monday explained, “Otherwise, the exploitation URL can simply be removed for these.”

The report also said one sinkholed server receives visits from a large pool of China-based machines that identify themselves as Macs in the browser user agent string. While Kaspersky has yet to obtain Equation Group malware that runs on OS X, they believe it exists.


No matter how elite a hacking group may be, Raiu said, mistakes are inevitable. Equation Group made several errors that allowed Kaspersky researchers to glean key insights into an operation that went unreported for at least 14 years.

Following the discovery, Kaspersky researchers combed through their cloud-based Kaspersky Security Network of exploits and infections reported by AV users and looked for similarities and connections. In the following months, the researchers uncovered additional pieces of malware used by Equation Group as well as the domain names used to host command channels.

Perhaps most costly to the attackers was their failure to renew some of the domains used by these servers. Out of the 300 or so domains used, about 20 were allowed to expire. Kaspersky quickly registered the domains and, over the past ten months, has used them to “sinkhole” the command channels, a process in which researchers monitor incoming connections from Equation Group-infected machines.

One of the most severe renewal failures involved a channel that controlled computers infected by “EquationLaser,” an early malware platform abandoned around 2003 when antivirus programs began to detect it. The underlying domain name remained active for years until one day, it didn’t; Kaspersky acquired it and EquationLaser-infected machines still report to it.

“It’s really surprising to see there are victims around the world infected with this malware from 12 years ago,” Raiu said. He continues to see about a dozen infected machines that report from countries that include Russia, Iran, China, and India.

Raiu said 90 percent or more of the command and control servers were closed last year, although some remained active as recently as last month.

The sinkholes have allowed Kaspersky researchers to gather key clues about the operation, including the number of infected computers reporting to the seized command domains, the countries in which these compromised computers are likely located, and the types of operating systems they run.

Other key mistakes were variable names, developer account names, and similar artifacts left in various pieces of Equation Group malware. In the same way cat burglars wear gloves to conceal their fingerprints, attackers take great care to scrub such artifacts out of their code before releasing it. But in at least 13 cases, they failed. Possibly the most telling artifact is the string “-standalonegrok_2.1.1.1” that accompanies a highly advanced keylogger tied to Equation Group.

Another potentially damaging artifact found by Kaspersky is the Windows directory path of “c:\users\rmgree5” belonging to one of the developer accounts that compiled Equation Group malware. Assuming the rmgree5 wasn’t a randomly generated account name, it may be possible to link it to a developer’s real-world identity if the handle has been used for other accounts or if it corresponds to a developer’s real-world name such as “Richard Gree” or “Robert Greenberg.”

Kaspersky researchers still don’t know what to make of the 11 remaining artifacts, but they hope fellow researchers can connect the strings to other known actors or incidents. The remaining artifacts are:

  • prkMtx – unique mutex used by the Equation Group’s exploitation library (gPrivLibh)
  • “SF” – as in “SFInstall”, “SFConfig”
  • “UR”, “URInstall” – “Performing UR-specific post-install…”
  • “implant” – from “Timeout waiting for the “canInstallNow” event from the implant-specific EXE!”
  • STEALTHFIGHTER (VTT/82055898/STEALTHFIGHTER/2008-10-16/14:59:06.229-04:00
  • DRINKPARSLEY – (Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00)
  • STRAITACID – (VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00)
  • LUTEUSOBSTOS – (VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00)
  • DESERTWINTER – c:\desert~2\desert~3\objfre_w2K_x86\i386\DesertWinterDriver.pdb


Although the Equation Group findings are significant, they still represent only a very small subset of nation-state malware out in the wild from not only the U.S. but other actors as well. And given that the samples Kaspersky found are at least a year old, they may not be state-of-the-art any more.

“The thing that scares me the most is that we don’t have any samples from the Equation Group from 2014,” Raiu says, suggesting the group’s capabilities may have already been surpassed by even more sophisticated wares.

Carbanak Malware Hits 100 Banks in 30 Countries for Up to $1 Billion

In Archive, Carbanak, Economy, Hacking, Kaspersky, Malware on February 16, 2015 at 1:15 PM



In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.

But when a Russian cybersecurity firm, Kaspersky Lab, was called to Ukraine to investigate, it discovered that the errant machine was the least of the bank’s problems.

The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group — including Russians, Chinese and Europeans — how the bank conducted its daily routines, according to the investigators.

Then the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.


In a report to be published on Monday, Kaspersky Lab says that the scope of this attack on more than 100 banks and other financial institutions in 30 nations could make it one of the largest bank thefts ever — and one conducted without the usual signs of robbery.

The Moscow-based firm says that because of nondisclosure agreements with the banks that were hit, it cannot name them. Officials at the White House and the F.B.I. have been briefed on the findings, but say that it will take time to confirm them and assess the losses.

Kaspersky Lab says it has seen evidence of $300 million in theft through clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.

The majority of the targets were in Russia, but many were in Japan, the United States and Europe.


No bank has come forward acknowledging the theft, a common problem that President Obama alluded to on Friday when he attended the first White House summit meeting on cybersecurity and consumer protection at Stanford University. He urged passage of a law that would require public disclosure of any breach that compromised personal or financial information.

But the industry consortium that alerts banks to malicious activity, the Financial Services Information Sharing and Analysis Center, said in a statement that “our members are aware of this activity. We have disseminated intelligence on this attack to the members,” and that “some briefings were also provided by law enforcement entities.”


The American Bankers Association declined to comment, and an executive there, Douglas Johnson, said the group would let the financial services center’s statement serve as the only comment. Investigators at Interpol said their digital crimes specialists in Singapore were coordinating an investigation with law enforcement in affected countries. In the Netherlands, the Dutch High Tech Crime Unit, a division of the Dutch National Police that investigates some of the world’s most advanced financial cybercrime, has also been briefed.

The silence around the investigation appears motivated in part by the reluctance of banks to concede that their systems were so easily penetrated, and in part by the fact that the attacks appear to be continuing.

The managing director of the Kaspersky North America office in Boston, Chris Doggett, argued that the “Carbanak cybergang,” named for the malware it deployed, represents an increase in the sophistication of cyberattacks on financial firms.

“This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert,” Mr. Doggett said.

The evidence suggests this was not a nation state, but a specialized group of cybercriminals.




What Goes Around Comes Around: NSA Cyberattacks Helping Other Countries (Iran) Learn to Hack Better

In Archive, Flame, GCHQ, Hacking, Iran, ISNU, Israel, Malware, NSA, NSA Files, Stuxnet, Surveillance on February 16, 2015 at 12:37 AM


Glenn Greenwald/TheIntercept:

The U.S. Government often warns of increasingly sophisticated cyberattacks from adversaries, but it may have actually contributed to those capabilities in the case of Iran.

A top secret National Security Agency document from April 2013 reveals that the U.S. intelligence community is worried that the West’s campaign of aggressive and sophisticated cyberattacks enabled Iran to improve its own capabilities by studying and then replicating those tactics.


The NSA is specifically concerned that Iran’s cyberweapons will become increasingly potent and sophisticated by virtue of learning from the attacks that have been launched against that country. “Iran’s destructive cyber attack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary,” the NSA document states. “Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others.”

The document was provided to The Intercept by NSA whistleblower Edward Snowden, and was prepared in connection with a planned meeting with Government Communications Headquarters, the British surveillance agency. The document references joint surveillance successes such as “support to policymakers during the multiple rounds of P5 plus 1 negotiations,” referring to the ongoing talks between the five permanent members of the U.N. Security Council, Germany and Iran to forge an agreement over Iran’s nuclear program.

The document suggests that Iran has become a much more formidable cyberforce by learning from the viruses injected into its systems—attacks which have been linked back to the United States and Israel.

In June 2012, The New York Times reported that from “his first months in office, President Obama secretly ordered sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.” As part of that plan, the U.S. and Israel jointly unleashed the Stuxnet virus on Iranian nuclear facilities, but a programming error “allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet.” Israel also deployed a second virus, called Flame, against Iran.

Related: Obama Orders US to Draw Up Overseas Target List for Cyberattacks

Obama ordered cyberattacks despite his awareness that they would likely unleash a wholly new form of warfare between states, similar to the “first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade,” according to the Times report. Obama “repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons—even under the most careful and limited circumstances—could enable other countries, terrorists or hackers to justify their own attacks.”

The NSA’s concern of inadvertently aiding Iran’s cyberattack capabilities is striking given the government’s recent warning about the ability of adversaries to develop more advanced viruses. A top official at the Pentagon’s Defense Advanced Research Projects Agency’s (DARPA) appeared on 60 Minutes this Sunday and claimed that cyberattacks against the U.S. military are becoming more potent. “The sophistication of the attacks is increasing,” warned Dan Kaufman, director of DARPA’s Information Innovation Office.

The NSA document suggests that offensive cyberattacks on other states do not merely provoke counterattacks—those attacks can teach adversaries how to launch their own. “Iran continues to conduct distributed denial-of-service (DDOS) attacks against numerous U.S. financial institutions, and is currently in the third phase of a series of such attacks that began in August 2012,” the document says. “SIGINT indicates that these attacks are in retaliation to Western activities against Iran’s nuclear sector and that senior officials in the Iranian government are aware of these attacks.”

This would not be the first time the U.S. has inadvertently assisted Iran’s attack capabilities. Last month, former CIA officer Jeffrey Sterling was convicted of multiple felony counts for telling New York Times reporter James Risen about an agency program designed to feed Iran false data about nuclear engineering in order to create setbacks, but which instead may have provided useful information the Iranians were able to exploit to advance their nuclear research.

As of 2013, the NSA said that while it had no indications “that Iran plans to conduct such an attack against a U.S. or UK target, we cannot rule out the possibility of such an attack, especially in the face of increased international pressure on the regime.”

The NSA “can’t comment or speculate on the motivations of those who aim to harm the United States or our allies,” a spokesperson for the agency said. “The National Security Agency works with foreign partners to protect our interests and citizens in cyberspace.”

Kim Zetter/WIRED (1) (2):

In addition to attacks against Iran’s nuclear sector, however, the document also states that Iran learned from a different attack that struck its oil industry. The report says Iran then replicated the techniques of that attack in a subsequent attack called Shamoon that targeted Saudi Arabia’s oil conglomerate, Saudi Aramco.

“Iran’s destructive cyber attack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary,” the NSA document states. “Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others.”

How Wiper Inspired Copycat Attacks

The latter statement in the document is referring to the so-called Wiper attack, an aggressive and destructive piece of malware that targeted machines belonging to the Iranian Oil Ministry and the National Iranian Oil Company in April 2012. Wiper didn’t steal data—instead it destroyed it, first wiping content on the machines before systematically erasing system files, causing the systems to crash, and preventing them from rebooting. Wiper was “designed to quickly destroy as many files as effectively as possible, which can include multiple gigabytes at a time,” according to researchers at Kaspersky Lab who examined the mirror images of hard drives in Iran that were destroyed by Wiper.

Wiper was the first known data destruction attack of its kind. Although the NSA document doesn’t credit the US and its allies for launching the attack, Kaspersky researchers found that it shared some circumstantial hallmarks of the Duqu and Stuxnet attacks, suggesting that Wiper might have been created and unleashed on Iran by the US or Israel.

Many believe it served as inspiration for Shamoon, a subsequent destructive attack that struck computers belonging to Saudi Aramco in August 2012. The document claims Iran was behind Shamoon. The Shamoon malware wiped data from about 30,000 machines before overwriting the Master Boot Record, preventing machines from rebooting. The attack was designed to replace erased data with an image of a burning US American flag, though the malware contained a bug that prevented the flag image from completely unfurling on machines. Instead, only a fragment of the flag appeared. Researchers said at the time that Shamoon was a copycat attack that mimicked Wiper.

Wiper is also believed to have inspired a destructive attack that struck computers belonging to banks and media companies in South Korea in March 2013. That attack wiped the hard drives and Master Boot Record of at least three banks and two media companies simultaneously and reportedly put some ATMs out of operation, preventing South Koreans from withdrawing cash from them. The report does not suggest that Iran was behind this attack.

Wiper is also widely believed to have been inspiration for the recent hack of Sony Pictures Entertainment. Again, in the latter attack, the hackers wiped data from Sony systems and overwrote parts of the Master Boot Record, preventing systems from rebooting.

The US has long blamed the Saudi Aramco attack on Iran, but has blamed the South Korea and Sony hacks on North Korea. Although the NSA document published today cites the Saudi Aramco attack as “the first such attack the NSA has observed from this adversary,” researchers have disputed the attribution in this and the hacks against South Korea and Sony. A group calling itself the Cutting Sword of Justice took credit for the Saudi Aramco attack, and researchers from Kaspersky Lab noted that due to the attack’s unsophisticated design, the errors contained in it, and statements from the apparent hackers, they believe it more likely came from hacktivists rather than nation-state developers in Iran. Other researchers have found the attribution of the Sony and South Korea attacks circumstantial and flimsy.

Regardless of whether Iran is behind the Shamoon attack, there’s no question that it and other nations learn from cyberattacks launched by the US and its allies. Common cybercriminals also study Stuxnet and the like to learn new techniques for evading detection and stealing data.

Of course, a similar attack did strike the US. But instead of hitting the US oil industry or a similarly critical sector, it struck a Hollywood film studio. And instead of coming from Iran, it came this time (according to the White House and FBI) from North Korea. All of which suggests that when the US and Israeli strike their enemies, it isn’t just that single adversary who learns from the attack.

There are two other points in the document that merit attention.

One concerns the spy tool known as Flame; the other refers to concerns the NSA had about partnering with the British spy agency Government Communications Headquarters and Israeli intelligence in surveillance operations.

Did GCHQ Partner With the NSA on Flame?

In the document, prepared in April 2013 for a meeting between the NSA director and GCHQ, the author cites the Flame attack against Iran as an example of a US/GCHQ partnership. Flame was a massive spy platform exposed by Kaspersky Lab and Symantec in 2012. Flame targeted more than 10,000 machines in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa and was active for at least six years before it was discovered. It used some of the same code that Stuxnet used, leading researchers to conclude that it had been created by the same US/Israel teams that had created Stuxnet. The Washington Post reported in 2012 that the US and Israel were both behind Flame, quoting anonymous US officials. But the new Snowden document hints that GCHQ might have been involved in Flame with the US.

Although the document doesn’t say overtly that GCHQ partnered with the US in creating and unleashing Flame, it hints obliquely at cooperation. The document notes that the NSA has “successfully worked multiple high-priority surges with GCHQ” and cites Flame as an example. But, oddly, it doesn’t say they worked together on creating Flame. Instead, it simply cites Iran’s discovery of Flame in a list of projects on which the GCHQ and the US collaborated.

These jointly worked events include “the storming of the British Embassy in Tehran; Iran’s discovery of computer network exploitation tools on their networks in 2012 and 2013; and support to policymakers during the multiple rounds of P5 plus 1 negotiation on Iran’s nuclear program,” the document reads. The reference to an embassy attack presumably refers to the 2011 attack on the British embassy by protestors in Iran. The reference to the P5 plus 1 relates to negotiations between Iran and Western powers over Iran’s nuclear program. The network attacks are identified by name as the Flame attacks in another part of the document.

It’s unclear what else this might refer to if not the two countries partnering in the creation and unleashing of Flame. Other documents leaked by Edward Snowden have spelled out in more detail how the NSA and GCHQ have partnered over the years in other spy operations, ranging from sharing data siphoned from undersea cables to the hacking of telecom networks, like Belgium’s Belgacom, to monitor mobile traffic. The new document suggests that the two countries might also have partnered on Flame in some way, though it’s unclear to what extent. If this is correct, and the previous Post is correct as well, it would mean the three nations teamed up to spy on Iran, presumably over its nuclear program.

NSA Expresses Concern About Partnering with GCHQ and Israel

Although there are numerous examples released in the Snowden documents of NSA-GCHQ cooperation as well as NSA-Israeli cooperation, the 2013 document published today expresses concern about a trilateral agreement between the three nations.

It appears in a section discussing a collaboration between the NSA, GCHQ and ISNU—a reference to the Israeli SIGINT National Unit, the Israeli counterpart to the NSA. Under the heading “Potential Landmines,” the document notes that GCHQ has long pushed to work with the NSA and ISNU “in a trilateral arrangement to prosecute the Iranian target.” And it notes that the NSA and GCHQ have agreed to share information gleaned from their separate partnerships with Israeli intelligence. But with regard to a trilateral partnership, the NSA had reservations. The document notes that the “SID policy has been opposed to such a blanket arrangement.”

SID refers to the Signals Intelligence Directorate. Under the SID Management Directive 422 (PDF), the intelligence community is prohibited from delegating a mission to a non-USSS element—that is, a non-US SIGINT System—without first obtaining a memo of understanding between the NSA and the non-US entity. NSA activities are government by a number of directives, most important among them is USSID 18, which governs what the US can and cannot collect on US persons and how it must handle information collected incidentally on them. Including a foreign spy agency in data collection raises issues about oversight and legality if it involves data pertaining to U.S. persons. This may be in part why the NSA was concerned.

As noted, the NSA has partnered separately with both the GCHQ and Israeli on intelligence collection. Previously released Snowden documents discussed how the NSA shared raw intelligence with Israel.

And according to the new document, the US, UK and Israeli spy agencies engaged in discussions in 2013 about a possible three-way partnership in tackling issues with Iran. “In January 2013, during an NSA-ISNU analytic workshop on Iranian Leadership, the first ever trilateral VTC on an Iranian issue was held with NSA, CCHQ and ISNU particiants,” it notes.

But the US was apparently hesitant about expanding the surveillance agreement outside of the issue of Iran. “The trilateral relationship is limited to the topic and will serve as a proof of concept of this kind of engagement,” the document notes. But “this specific trilateral should not be interpreted as a broad change of approach.” In other words, in areas not to do with Iran, the NSA and CCHQ have agreed to continue to share information gleaned from their respective bilateral relationships with the ISNU, but apparently are reluctant to make Israel a part of their exclusive club on a regular basis.

Related: Israel/Saudi Arabia Discuss Production of Malware Worse Than Stuxnet to Spy On/Destroy Iran’s Nuclear Program

%d bloggers like this: