An incredibly sophisticated cyber espionage operation, likely originating in the U.S., has been discovered by the security researchers at Russia’s Kaspersky Lab.
Dubbed the Equation Group, this “threat actor” has been using spyware and malware tools to infect computers of governments, telecoms, military, nuclear research, energy and other companies in more than 30 countries. Kaspersky did not say who’s behind Equation, but its findings, presented during a security conference in Cancun, Mexico on Monday, indicate the group’s malware is closely tied to Stuxnet, a virus developed by the U.S. and Israel, used to infect Iran’s nuclear plants (it ended up infecting Russia’s plant as well).
Equation’s level of sophistication and the scale of its operation make Stuxnet seem like child’s play, according to Kaspersky’s report.
Equation may have been active since as early as 1996, but it boosted its operations in 2008, developing several incredibly powerful cyberweapons. Kaspersky named these tools Equationdrug, Doublefantasy, Triplefantasy, Grayfish, Fanny and Equationlaser. Together, this malware suite was able to infect Windows computers, USB sticks and even hard drive firmware, letting Equation steal data from targeted computers and stay undetected for years.
Perhaps the most interesting tools mentioned in the report are modules that are used together with the Equationdrug and Grayfish malware platforms, enabling Equation to reprogram the firmware of hard drives built by all major manufacturers, including Maxtor, Seagate, Western Digital and Samsung. Once a hard drive was infected, even formatting it and reinstalling an OS would not be sufficient to get rid of the malware.
Kaspersky observed victims of the Equation group in more than 30 countries, including Iran, Russia, Syria, Afghanistan, Hong Kong, Mexico, the United States, France, Switzerland, the United Kingdom and India. Interestingly, there are indications that Equation specifically avoided infecting computers in Jordan, Turkey and Egypt.
All in all, Kaspersky counted more than 500 infections globally, many on important, server-type machines. However, the infections have a self-destruct mechanism, meaning there may have been many more that are now undetectable.
Kaspersky’s report offers more details about Equation’s actions, targets and the tools the group used. The most important takeaway is that there’s an organization out there (and it’s probably not alone) with immense knowledge and resources that can precisely and invisibly target and steal data from nearly any computer — even the best guarded, including those belonging to government or military.
Kaspersky’s findings were announced after the company publicized its discovery of one of the largest banking cyber-heists ever, with hackers stealing as much as $1 billion from banks all over the world.