With operations predating at least 2001, Equation Group is one of the most persistent and, arguably, the most sophisticated threat groups in operation. Equation Group was discovered during the Russian cyber-security firm Kaspersky’s investigation into the Regin threat group. Kaspersky attributes Equation Group to the United States National Security Agency; however, definitive evidence of attribution remains absent. Equation Group’s name derives from its use of encryption and obfuscation strategies throughout its operations. The RC5 encryption algorithm is deployed throughout the malware, and the additional encryption algorithms RC6, RC4, and AES are used in other modules. Some of the attribution of the group to the United States comes from similarities between its malware platform and exploits and those of Stuxnet and the Gauss malware.

Equation Group has targeted more than 500 victims in over 30 countries, including Iran, Russia, Syria, Afghanistan, Kazakhstan, Belgium, Somalia, Hong Kong, Libya, United Arab Emirates, Iraq, Nigeria, Ecuador, Mexico, Malaysia, United States, Sudan, Lebanon, Palestine, France, Germany, Singapore, Qatar, Pakistan, Yemen, Mali, Switzerland, Bangladesh, South Africa, Philippines, United Kingdom, India and Brazil. Targets are affiliated with government institutions, diplomatic organizations, the telecommunication sector, aerospace firms, energy companies, nuclear research facilities, oil and gas companies, military systems, nanotechnology research facilities, Islamic activists and scholars, mass media outlets, the transportation sector, financial institutions, and companies developing cryptographic technologies. It is possible that even more infections remain undiscovered. Kaspersky estimates that Equation Group attacked 2000 targets per month in 2008, although the estimate seems generous. Equation Group’s known C&C infrastructure spans more than 300 domains on over 100 servers.

The Equation Group compromises systems by using zero-day exploits, by infecting physical media (USB sticks, CDs, etc.), through web-based exploits, through the self-replicating Fanny worm, and through robust customized malware platforms. The zero-day exploits targeted Microsoft Windows, Internet Explorer, Java, the Firefox 17 browser, and the TOR browser. Attacks incorporating infected physical media utilize interdiction, a technique where an attacker intercepts shipped goods, such as software, and replaces them with a version containing malware or backdoors before sending them on to the buyer. Equation Group has been known to exploit vulnerabilities in Java on popular websites to facilitate the delivery of one of its validator-style Trojans, DOUBLEFANTASY or TRIPLEFANTASY.

The Fanny worm was created around 2008 and was used to gather information from targets in the Middle East and Asia. According to Kaspersky, 59.36% of Fanny infections were in Pakistan, 15.99% were in Indonesia, 14.17% were in Vietnam, and 4.05% were in China. Networks are typically infected with the Fanny worm via infected physical media. Fanny resembles Stuxnet in operation, but it may actually predate Stuxnet and tie the Equation Group to the Stuxnet Group. Some variations of Fanny feature the Stuxnet LNK exploit and other exploits that were deployed in Stuxnet and the Flame malware; however, it appears that the exploits were used in the Fanny worm prior to their inclusion in Stuxnet or Flame. Considering that Stuxnet and Flame were so effective because they employed zero-day exploits that were unknown to the public, there is merit to the theory that Stuxnet was created by or in collusion with the developer of the Fanny worm.

Fanny is used to map air-gapped networks. USB devices (and other writable media) that are plugged into infected systems are corrupted to store Fanny in a self-hidden partition. When the device is plugged into an air-gapped system, say for updates, basic system information or data is stored in the hidden partition. The information is exfiltrated to a C&C server the next time the device is plugged into a system with an internet connection. Equation Group can also store commands on the device while it is connected to the internet. Fanny will execute the commands the next time the device is connected to the air-gapped system. This process allows the group to map the network infrastructure and to compromise air-gapped systems, which tend to contain more sensitive information. These systems are often less defended because their administrators equate their isolation with security.

The Equation Group developed unique malware and malware platforms. Typically, a zero-day exploit or a web exploit was used for the initial compromise of the target system. Next, a validator-style Trojan, dubbed DOUBLEFANTASY, scans the infected system and uses input criteria to determine if the host is the intended system or if the characteristics of the system indicate that its data would be interesting to the attacker. DOUBLEFANTASY acts as a backdoor into the target system. If the target matches the criteria, then a malware platform, EQUATIONLASER, EQUATIONDRUG, or GRAYFISH, is delivered and installed on the system. For example, in one campaign, Equation Group exploited a vulnerability in the PHP script used in an online Islamic Jihadist discussion forum. However, only systems belonging to users who were logged into accounts and whose traffic originated from a specific IP address range corresponding to Jordan, Turkey, and Egypt were infected with malware installers. More recently, DOUBLEFANTASY has been upgraded into a more robust backdoor, called TRIPLEFANTASY.

The EQUATIONLASER platform was used from 2001 to 2003 to infect Windows 95 and Windows 98 systems. The EQUATIONDRUG platform replaced EQUATIONLASER in 2003 and was used until at least 2013. EQUATIONDRUG supports modular plugins, which can be dynamically uploaded and unloaded by remote attackers. EQUATIONDRUG installs with a cadre of modules that give full control of the operating system to the attacker. Further, it supports the addition of new plugins to increase its functionality. So far, at least 35 different plugins and 18 drivers have been discovered. EQUATIONDRUG was designed to compromise Windows 95, Windows 98, and Windows ME. Since the malware does not have a trusted digital signature, it may not be able to run on a modern operating system. Legacy systems, prevalent in the public sector, are still at risk. Information gathered by EQUATIONDRUG tools is stored in fake fonts folders under the Windows/Font file directory. If EQUATIONDRUG does not receive commands from an adversarial C&C server after a specified time, usually a month or two, then it deletes itself from the system.

Sometime between 2008 and 2012, EQUATIONDRUG appears to have been phased out in favor of the GRAYFISH malware platform. GRAYFISH is the most sophisticated Equation Group malware platform discovered. Upon delivery of the installer via TRIPLEFANTASY, a GRAYFISH bootkit is injected into the registry of the operating system. When a computer first powers on, the operating system code executes (booting up) and enables the majority of the functionality of the system. When an infected system is powered on, GRAYFISH injects code into the boot record so that it can control every stage of the Windows launch process. GRAYFISH, its virtual file system, its stolen information, and its functional modules are stored in the registry of the system. Because everything is stored in the registry, and GRAYFISH and its modules are dynamically decrypted and executed by the bootkit, there are no malicious executables contained in the user’s filesystem. This means that the user cannot detect the GRAYFISH malware on the system, at least not with traditional anti-malware tools. During the bootup process, GRAYFISH works through 4-5 layers of decryption, where each layer triggers the execution of the next layer of decryption. If all of the layers successfully decrypt, then GRAYFISH executes its code and the malware silently runs on the machine. If even one layer fails to decrypt during launch, then GRAYFISH proceeds to delete itself from the system. This technique confounds analysis and makes GRAYFISH infection difficult to discover because the malware might delete itself the moment the user detects anomalous behavior and begins diagnostic procedures.

One reason that Equation Group is considered far more sophisticated than any other advanced persistent threat actor is the capability of modules contained in the EQUATIONDRUG and GRAYFISH platforms to reprogram hard-drive firmware. This allows for unprecedented persistence. Security firm F-Secure notes that this rarely seen module might be the Tailored Access Operations IRATEMONK program, which affects hard drives produced by Seagate, Maxtor, Western Digital, Samsung, IBM, Micron, and Toshiba.
