If Kaspersky Lab is right about the Equation Group, this sophisticated threat actor has developed the most highly advanced malware to date.
Last year was hugely significant for cyber security, thanks to Sony’s security breach that may or may not have been tied to North Korea. Believe it or not, that was an isolated event that most people don’t need to worry about – but the security group Kaspersky Lab may have found a far more concerning threat. In a report released Monday, Kaspersky presented evidence that a highly sophisticated threat actor called “The Equation Group” has been exploiting computer networks as far back as 1996. If true, the Equation group has been targeting countries like Iran and Russia with remarkably advanced malware platforms – many of which are seemingly impossible to remove without physically destroying the hard drive.
“The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” threat in complexity and sophistication,” the report reads. “The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen.”
Kaspersky Lab has called this actor Equation for “their love of encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations”. The only reason Kaspersky was able to connect these malware platforms was through the specific use of the RC5 encryption algorithm in their malware, although more recent modules use RC6, RC4, and AES as well. Unlike malware that just spreads across the globe, Equation’s malware has a far more limited scope with very specific targets. In fact, the malware even has a “self-destruct mechanism” that wipes out the infection when instructed – which also prevents Kaspersky from knowing the full scope of Equation’s past operations.
But let’s say you’re a key institution in one of these countries and want to get rid of Equation’s malware. Good luck with that – the malware’s most striking feature is that it infects the hard drive’s firmware, making it impossible to remove even once the drive is formatted. “Theoretically, we were aware of this possibility,” director of Kaspersky Lab Costin Raiu explained, “but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability.”
Perhaps the strangest part is that Equation goes well beyond web-based exploits – it can intercept and replace physical media that will be installed on computers. In one case, participants of a scientific conference in Houston were mailed a CD-ROM of the conference proceedings. All copies of this disc were compromised, seemingly without the knowledge of the conference organizers, and delivered malware to the participants’ computers.
The group has targeted key institutions in multiple countries, the most frequent being Iran, Russia, Pakistan, Afghanistan, India, China, Syria, and Mali. Meanwhile, countries like the United States, Great Britain, and France have been targeted with lower infection rates. Breached institutions tend to include government and diplomatic bodies, telecommunications, military, aerospace, energy, transportation, cryptographic research, and even Islamic scholars and activists.
Equation’s malware bears some resemblance to the Regin malware discovered in 2012, but Kaspersky doesn’t believe them to be connected. Some computers contained instances of both Regin and Equation’s malware, leading Kaspersky to believe they were developed by two different groups. The full report contains more details, but it certainly makes a strong case that – for once – the Equation group might be the supervillain wizards Hollywood keeps assuming hackers are.