Singapore is one of more than 30 countries worldwide to fall victim to the Equation Group, crown creator of cyber-espionage.
The group has waged cyber-attacks against government and military agencies, mass media, telecommunication firms and financial institutions, among others; its victims include other Asian countries such as Malaysia, the Philippines and India.
According to a media statement by Kaspersky Lab, Equation Group is a powerful threat actor that has been active for almost two decades, with an absolute dominance in terms of cyber-tools and techniques.
Its researchers said that the group is unique in almost every aspect of its activities: it uses tools that are very complicated and expensive to develop to infect victims, retrieve data and hide its activity in an outstandingly professional way, and it uses classic spying techniques to deliver malicious payloads to victims.
The group's malware platforms include modules that can reprogram hard drive firmware. This is the first known malware capable of infecting hard drives in this way, and the implant is extremely persistent: it is invisible to antivirus scans and survives disk formatting and operating system reinstallation, because the malicious code lives in the drive's firmware rather than on disk.
"For most hard drives, there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware," said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.
To date, the group has been responsible for the distribution of several Trojans, including EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish - and this list is not exhaustive.
The Fanny worm stands out from all the attacks performed by the Equation Group. Its main purpose was to map air-gapped networks, in other words, to understand the topology of a network that cannot be reached over the internet and to execute commands on those isolated systems. For this, it used a unique USB-based command and control mechanism: commands and collected data were stored in a hidden area of an infected USB stick and carried across the air gap whenever the stick was plugged into an internet-connected machine, allowing the attackers to pass data back and forth with the isolated network.
Besides these, the group also deployed classic spying methods to deliver malware. The attackers used universal methods to infect targets: not only through the web, but also in the physical world. For that, they used an interdiction technique - intercepting physical goods and replacing them with Trojanised versions.
One such example involved targeting participants at a scientific conference in Houston. Some of the participants received a copy of the conference materials on a CD-ROM which was then used to install the group's DoubleFantasy implant into the target's machine.
Infamous friends: Stuxnet and Flame