Kaspersky said that there are solid links indicating that the Equation group has interacted with other powerful groups, such as the Stuxnet and Flame operators. The Equation group had access to zero-days before they were used by Stuxnet and Flame, and at some point they shared exploits with others.
For example, in 2008, Fanny used two zero-days which were introduced into Stuxnet in June 2009 and March 2010. One of those zero-days in Stuxnet was actually a Flame module that exploits the same vulnerability and which was taken straight from the Flame platform and built into Stuxnet.
Kaspersky Lab observed seven exploits used by the Equation group in their malware. At least four of these were used as zero-days. In addition, Kaspersky observed the use of unknown exploits, possibly zero-days, against Firefox 17 as used in the Tor browser.
During the infection stage, the group has the ability to use ten exploits in a chain. However, Kaspersky Lab's experts observed that no more than three are used: if the first one is not successful, they try another one, and then a third one. If all three exploits fail, they do not infect the system.
Kaspersky Lab products have detected a number of attempts to attack its users. However, many of these attacks were unsuccessful due to the Automatic Exploit Prevention technology, which detects and blocks exploitation of unknown vulnerabilities. The Fanny worm, presumably compiled in July 2008, was first detected and blacklisted by Kaspersky's automatic systems in December 2008.