Solve for “X”: Equation Group Hackers Leave More Questions Than Answers


Stuxnet and Flame are two of the most well-known malware operations in the world, but according to a new report from security company Kaspersky Lab, both may owe their existence to an ever more secretive organization: The Equation Group. As noted by a recent Ars Technica article, these hackers have been flying under the radar for the past 14 years and had a hand in the development of nearly every piece of high-profile malware ever developed. And while their activities are finally coming to light, these new discoveries leave more questions than answers.

Familiar Parentage

Citizens of the United States aren’t exactly enamored with the National Security Agency (NSA), especially after the recent Snowden revelations. And while the Kaspersky Lab report stops short of naming NSA brass as those in charge of the Equation Group, its researchers found “detailed evidence” that implicated the spy agency. For example, there’s a highly advanced keylogger among Equation Group tools called “Grok” in the source code; Snowden-leaked documents also refer to a Grok keylogger developed by the NSA. What’s more, NSA malware called “STRAITBIZZARE” bears a strong resemblance to platforms named “STRAITACID” and “STRAITSHOOTER” in Equation Group documents. Add in the fact that Snowden said STRAITBIZZARE could be turned into a “disposable shooter,” and the connections seem like more than mere coincidence.

So what has the Group been doing all these years, and how did they finally get caught? More importantly, what kind of risk do they pose?

A Long History

In 2002 or 2003, the Group intercepted an Oracle Database installation CD in transit, infected it with a malicious payload and then had it delivered. In 2009, they did the same thing to a group of high-profile scientists: the researchers had recently attended a conference in Houston and received a CD containing pictures and lecture materials. It also contained malware designed to keep track of their activities. All told, Kaspersky Lab reports that the Equation Group has perpetrated at least 500 infections across 42 countries, including Iran, Russia, India and the United States. What’s more, they’ve developed some of the most potent malware on the planet.

It all started with Equation Laser in 2001, then Equation Drug and DoubleFantasy between 2004 and 2008. Next came Fanny, GrayFish and the Grok keylogger; more recently the Group released GrayFish 2.0 and Triple Fantasy. Each type of malware had a specific function and target in mind. Fanny, for example, was meant to compromise “air-gapped” machines, those that were not connected to the Internet or other devices. By designing malware that could be hidden and transported on a USB stick, it was possible for the Equation Group to infect computers anywhere, anytime. Simply put, no other malware group could keep up. Costin Raiu of Kaspersky Lab says the “Equation Group are the ones with the coolest toys.”

Getting Caught?

Most hackers and malware creators slip up eventually. A recent RT article talks about the FBI grabbing two of its most-wanted cyber criminals in Pakistan earlier this month. The two had been arrested in 2012 but disappeared after extradition efforts failed; just three years later, they’re back in custody. The Equation Group is much more sophisticated, but apparently it’s not immune to mistakes. Its biggest slip-up was to let several command-and-control server domains expire, which were quickly picked up by security researchers. This allowed researchers to discover a host of malware types and start to get some sense of the Group’s scope of work. But unlike the FBI’s most-wanted, there are no names and no faces attached to the Equation Group. In fact, a recent Mashable article warns that if your personal devices somehow get infected by Group malware, the only way to be safe is to destroy them outright; no antivirus scan can combat these threats.

Scared Straight

So what’s the risk level for everyday users? Low-to-medium. Equation Group malware is used to carry out targeted attacks on corporations and countries of interest; personal data isn’t of much use. But it’s worth noting that the Group won’t hesitate to use personal devices as middlemen to reach high-priority targets. This makes it a good idea to protect your browsing and computing habits with a secure connection and VPN — no sense giving the Group a reason to poke around in your digital life.

They may be partially uncovered but they’re not caught, so this equation is far from solved.

Featured image: iampixels / Dollar Photo Club