Equation cyberspies use unrivaled, NSA-style techniques to hit Iran, Russia

Jeremy Kirk | Feb. 18, 2015
A cyberespionage group with a toolset similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries including Iran and Russia.

Given the high value of this exploitation technique, Equation very selectively deployed it.

"During our research, we've only identified a few victims who were targeted by this," Kaspersky's report said. "This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances."

Another of Kaspersky's intriguing findings is Fanny, a computer worm created in 2008 that was used against targets in the Middle East and Asia.

To infect computers, Fanny used two zero-day exploits — the term for a software attack that uses an unknown software vulnerability — that were also coded into Stuxnet, Kaspersky said. Stuxnet, also a Windows worm, was used to sabotage Iran's uranium enrichment operations. It is thought to be a joint project between the U.S. and Israel.

It's unlikely the use of the same zero-days was a coincidence. Kaspersky wrote that the similar use of the vulnerabilities means that the Equation group and the Stuxnet developers are "either the same or working closely together."

"They are definitely connected," Raiu said.

Both Stuxnet and Fanny were designed to penetrate "air-gapped" networks, or those isolated from the Internet, Kaspersky said.

The Equation group also used "interdiction" techniques similar to those used by the NSA in order to deliver malicious software to targets.

Kaspersky described how some participants of a scientific conference held in Houston later received a CD-ROM of materials. The CD contained two zero-day exploits and a rarely-seen malware doorstop nicknamed "Doublefantasy."

It is unknown how the CDs were tampered with or replaced. "We do not believe the conference organizers did this on purpose," Kaspersky said. But such a combination of exploits and malware "don't end up on a CD by accident," it said.

The NSA's Office of Tailored Access Operations (TAO) specializes in intercepting deliveries of new computer equipment, one of the most successful methods of tapping into computers, wrote Der Spiegel in December 2013, citing a top secret document.

The German publication was one of several that had access to tens of thousands of spy agency documents leaked by former NSA contractor Edward Snowden.

Kaspersky uncovered the trail of the Equation group after investigating a computer belonging to a research institute in the Middle East that appeared to be the Typhoid Mary for advanced malware.

Raiu said the machine had French, Russian and Spanish APT (advanced persistent threat) samples on it among others, showing it had been targeted by many groups. It also had a strange malicious driver, Raiu said, which upon investigation led to the extensive command-and-control infrastructure used by Equation.

Kaspersky analysts found more than 300 domains connected with Equation, with the oldest one registered in 1996. Some of the domain name registrations were due to expire, so Kaspersky registered around 20 of them, Raiu said.

 
