Game-Changing 'Equation' Malware Triggers Warnings
Cyber Espionage Alert: Business Risk?
A team of hackers has been operating since at least 2001, wielding malware that even today ranks among the most advanced attack code ever discovered, according to a new study. In particular, the group has built a "malware implant" - a.k.a. Trojan - that can re-flash the firmware of hard disk drives from more than a dozen manufacturers, giving it a foothold that survives wiping the disk and that anti-virus software cannot see.
The new study, released by Moscow-based Kaspersky Lab, delves into the activities of a group that it's dubbed "Equation," based on its "preference for sophisticated encryption schemes." While Kaspersky Lab has declined to attribute the Equation attacks it has seen, which may date from 1996, some security watchers say it could be the U.S. National Security Agency. But others say the details published to date don't definitively prove that the NSA is involved, and note that multiple nations could be wielding similar capabilities.
In response, NSA spokeswoman Vanee Vines tells Information Security Media Group: "We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details."
Vines adds that NSA abides by 2014 statements made by President Obama about U.S. signals intelligence - the official term for the NSA's data monitoring, interception and interpretation practices - as well as the Presidential Policy Directive 28. "The U.S. government calls on our intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats - including terrorist plots from al-Qaeda, ISIL [ISIS], and others; the proliferation of weapons of mass destruction; foreign aggression against ourselves and our allies; and international criminal organizations," Vines says.
The Kaspersky report details four significant findings pertaining to the Equation group:
- Hard drive firmware: Equation reportedly has the ability to re-flash hard drives from more than 12 manufacturers. The new firmware included the ability to download persistent malware or monitoring tools that could not be detected by anti-virus software.
- Bootkit: The Equation report suggests that the group's "GrayFish" Trojan includes a highly sophisticated boot kit that appears to have been designed to evade anti-virus detection.
- Air gaps: The main purpose of the group's "Fanny" worm - using two zero-day vulnerabilities later employed in Stuxnet - "appears to have been the mapping of air-gapped networks," using a USB command-and-control mechanism.
- Interdiction: Sometimes, the group appears to have intercepted CD-ROMs en route and then installed Trojanized versions of software on them, before the delivery process was resumed. This technique is known as "interdiction."
Many information security experts have described these capabilities as game-changing. "Some of this we consider very sophisticated today, and it appears to have been done more than a decade ago," says Alan Woodward, a visiting professor at the department of computing at England's University of Surrey, and a cybercrime advisor to Europol.
Some systems, in fact, may now have been compromised for that length of time. A firmware implant lives in the drive's own controller, outside the area that reformatting or reinstalling the operating system touches, so it gives attackers persistent control of the drive. "Even if a hard drive was wiped, the virus is still in it. Unless you knew what you were looking for, you would never see it," says Tom Chapman, director of the Cyber Operations Group at security firm EdgeWave.
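One practical check that follows from the firmware findings above is to record each drive's self-reported firmware revision at a known-good time and compare it against later captures. The script below is an added example, not code from Kaspersky's report or from the article; it assumes the administrator has saved `smartctl -i <device>` output per drive and parses that text. The caveat to keep in mind: the revision string is produced by the drive's own firmware, so an implant that owns the firmware can report whatever value it likes. The check surfaces an unexpected change, a drive that vanished, or a drive with no baseline; it does not verify the firmware image itself.

```python
"""Baseline and re-check drive firmware revisions as reported by smartctl.

Added example; not code from Kaspersky's report or from the article. It
assumes `smartctl -i <device>` output was captured for every drive at a
known-good time (the baseline) and is captured again later. The revision is
self-reported by the drive's firmware, so this finds unexpected change only.
"""
import re
from typing import Dict, List, NamedTuple


class DriveInfo(NamedTuple):
    model: str
    serial: str
    firmware: str


# Header lines as smartmontools prints them for ATA ("Device Model") and
# NVMe ("Model Number") devices.
_FIELD = re.compile(
    r"^(Device Model|Model Number|Serial Number|Firmware Version):\s*(.+?)\s*$",
    re.MULTILINE,
)


def parse_smartctl_info(text: str) -> DriveInfo:
    """Extract model, serial and firmware revision from `smartctl -i` output."""
    fields = dict(_FIELD.findall(text))
    model = fields.get("Device Model") or fields.get("Model Number")
    serial = fields.get("Serial Number")
    firmware = fields.get("Firmware Version")
    if not (model and serial and firmware):
        raise ValueError("smartctl output lacks model, serial or firmware line")
    return DriveInfo(model, serial, firmware)


def inventory(outputs: List[str]) -> Dict[str, DriveInfo]:
    """Index one smartctl -i capture per drive by serial number."""
    return {info.serial: info for info in map(parse_smartctl_info, outputs)}


def compare_inventories(baseline: Dict[str, DriveInfo],
                        current: Dict[str, DriveInfo]) -> List[str]:
    """Report drives whose revision changed, that vanished, or that are new."""
    findings = []
    for serial, old in baseline.items():
        new = current.get(serial)
        if new is None:
            findings.append(f"MISSING {serial} ({old.model}) absent from current capture")
        elif new.firmware != old.firmware:
            findings.append(f"CHANGED {serial} ({old.model}) firmware "
                            f"{old.firmware} -> {new.firmware}")
    for serial, new in current.items():
        if serial not in baseline:
            findings.append(f"NEW {serial} ({new.model}) firmware {new.firmware}, no baseline")
    return findings


# Constructed sample captures in smartctl's layout; the serials and revisions
# are made up for this example, not taken from any real drive.
BASELINE_CAPTURES = [
    """\
=== START OF INFORMATION SECTION ===
Device Model:     WDC WD40EFRX-68WT0N0
Serial Number:    WD-WCC4E0000001
Firmware Version: 82.00A82
User Capacity:    4,000,787,030,016 bytes [4.00 TB]
""",
    """\
=== START OF INFORMATION SECTION ===
Model Number:                       Samsung SSD 960 EVO 500GB
Serial Number:                      S3EUNX0J000002
Firmware Version:                   2B7QCXE7
""",
]

CURRENT_CAPTURES = [
    BASELINE_CAPTURES[0],
    # Second drive now reports a different revision with no planned update.
    BASELINE_CAPTURES[1].replace("2B7QCXE7", "3B7QCXE7"),
    """\
=== START OF INFORMATION SECTION ===
Device Model:     ST4000VN008-2DR166
Serial Number:    ZGY0000003
Firmware Version: SC60
""",
]


def sample_findings() -> List[str]:
    """Run the comparison over the constructed captures."""
    return compare_inventories(inventory(BASELINE_CAPTURES), inventory(CURRENT_CAPTURES))


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

In use, the captures would come from something like `for d in /dev/sd?; do smartctl -i "$d"; done` run on a schedule, with the baseline stored off the host. Treat a CHANGED finding as a lead to reconcile against vendor update records, not as proof of an implant, and remember that a clean result proves nothing about firmware that lies about itself.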
Five Eyes Residents: Safe?
One immediate question is what businesses can - or should - be doing in light of the Equation report.
"Businesses located within the 'Five Eyes' don't need to worry today, they aren't targets - Kaspersky's research shows this," says Sean Sullivan, security adviser at anti-virus firm F-Secure in Finland, referring to the Five Eyes surveillance alliance, which comprises Australia, Canada, New Zealand, the United Kingdom and the United States.
The report says that the "Fanny" worm, for example, was mostly used to target IP addresses based in Pakistan, followed by Indonesia, Vietnam, China and Bangladesh. Other frequently targeted countries included Iran, Russia, Afghanistan, India, China and Syria.
"The targeting appears to be toward terrorism, as a primary use," Chapman says. "The fact that so many Pakistani sinkholes were uncovered may indicate that targets were there. Add that to the use on air-gapped networks, which are used by terrorist networks, and that may have been the primary purpose. However, the uses are limitless."
But Equation attacks are likely reserved for people or organizations that provoke an intelligence agency's interest, many security experts conclude. "Most businesses and people will not be direct targets of these type of attacks. If you are, it will be extremely difficult to defend against these attacks given the array of systems and subsystems that could be compromised," says Dublin-based information security consultant Brian Honan, who heads Ireland's computer emergency response team. "Instead, companies need to focus on proactively monitoring their systems and networks for any strange behavior and develop the capabilities to properly and fully investigate any anomalies that could indicate a compromise."
Chapman says that when monitoring for anomalies, there's no substitute for having an experienced information security analyst on staff who knows what "normal" looks like. "Using Sony as an example, there is no way the attacker would have exfiltrated 100 TBs of data if someone was reviewing logs and had an understanding of network traffic," he says, referring to the Sony Pictures Entertainment breach. "The Equation exploit was discovered by Kaspersky watching odd traffic on a computer believed to be infected by a different exploit. Only by people looking do we find the exploits," he says.
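The advice from Honan and Chapman above, to know what "normal" looks like and to watch for departures from it, can be made concrete with a small egress baseline. The script below is an added example, not code from the article or from either expert; it assumes flow records (one row per connection: date, source, destination, bytes the source sent) exported from a firewall or flow collector as CSV, and the sample rows are constructed for the example. Each internal host is compared against the median of its own daily outbound volume, which is the kind of check that would catch a multi-terabyte exfiltration of the sort Chapman describes.

```python
"""Flag hosts whose daily outbound volume departs sharply from their own baseline.

Added example; not code from the article or from any quoted expert. It assumes
per-connection flow records in CSV with columns date, src, dst, bytes (bytes
sent by src). The sample rows are constructed for this example.
"""
import csv
import io
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


class Outlier(NamedTuple):
    date: str
    host: str
    bytes_out: int
    baseline_median: float


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def daily_egress(flow_csv: str) -> Dict[Tuple[str, str], int]:
    """Sum bytes per (host, date) for traffic leaving the internal ranges;
    internal-to-internal flows are ignored."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if is_internal(row["src"]) and not is_internal(row["dst"]):
            totals[(row["src"], row["date"])] += int(row["bytes"])
    return dict(totals)


def flag_egress_outliers(totals: Dict[Tuple[str, str], int],
                         factor: float = 10.0,
                         floor_bytes: int = 100_000_000) -> List[Outlier]:
    """Flag a host-day when egress exceeds both `factor` times that host's own
    median daily egress and an absolute floor (so small hosts do not alert on
    noise). The median keeps one or two bad days from skewing the baseline."""
    per_host: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for (host, date), nbytes in totals.items():
        per_host[host].append((date, nbytes))
    outliers: List[Outlier] = []
    for host, days in per_host.items():
        median = statistics.median(n for _, n in days)
        for date, nbytes in sorted(days):
            if nbytes > factor * median and nbytes > floor_bytes:
                outliers.append(Outlier(date, host, nbytes, median))
    return outliers


# Constructed sample flows: two workstations with roughly 1 MB/day of normal
# egress, then one of them sends 48 GB to an external address on the last day.
# Addresses are documentation/example ranges, not real hosts.
SAMPLE_FLOWS = """\
date,src,dst,bytes
2015-02-09,10.1.1.20,93.184.216.34,1200000
2015-02-09,10.1.1.21,93.184.216.34,900000
2015-02-10,10.1.1.20,93.184.216.34,1100000
2015-02-10,10.1.1.21,93.184.216.34,950000
2015-02-11,10.1.1.20,93.184.216.34,1300000
2015-02-11,10.1.1.21,93.184.216.34,1000000
2015-02-12,10.1.1.20,93.184.216.34,1250000
2015-02-12,10.1.1.21,203.0.113.7,48000000000
2015-02-12,10.1.1.21,10.1.1.5,5000000000
"""


def sample_outliers() -> List[Outlier]:
    """Run the baseline check over the constructed flows."""
    return flag_egress_outliers(daily_egress(SAMPLE_FLOWS))


if __name__ == "__main__":
    for o in sample_outliers():
        print(f"{o.date} {o.host} sent {o.bytes_out:,} bytes "
              f"(median {o.baseline_median:,.0f})")
```

Two design points: a host is compared with its own history rather than a global threshold, because a build server and a receptionist's PC have very different normal volumes; and the absolute floor stops a quiet host from alerting because it went from 10 KB to 200 KB. A real deployment would baseline over weeks, break volume down by destination, and add a peer comparison, since an attacker who exfiltrates slowly and steadily from day one never produces the spike this check looks for.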
Many Experts Suspect NSA
Sullivan at F-Secure contends that there's little doubt about who built Equation. "Based on previous reporting from the [Edward] Snowden [leaked] docs, it would be shocking if it isn't the NSA," he says.
Sullivan, in a blog post, also cites a December 2013 report from German weekly newsmagazine Der Spiegel, based on leaked information, which details an internal catalog of technology allegedly available to the NSA's Tailored Access Operations. That catalog lists technology called IRATEMONK, which "provides software application persistence on desktop and laptop computers by implanting the hard drive firmware to gain execution through Master Boot Record (MBR) substitution," the catalog reads.
In response to the news about IRATEMONK, network security expert Nicholas Weaver at the International Computer Science Institute in Berkeley, Calif., wrote at the time that if IRATEMONK was ever detected "now you have guaranteed 'NSA WAS HERE' writ in big glowing letters."
Other Suspects Too
But other intelligence agencies may already be wielding similar capabilities. "While I believe the U.S. has the capability to create this type of exploit, Russia, Israel and France are very advanced," EdgeWave's Chapman says. "China has the resources as well. When assessing who would be responsible for the creation, I tend to look at targets and motive."
In fact, some information security experts noted that the NSA might not be the intelligence agency behind Equation. "Technically, I think it's a very good analysis," Woodward says of Kaspersky's report. But he questions two of its suggested links. One is the overlap between Equation and the advanced Stuxnet malware, which may have crippled centrifuges Iran uses to produce enriched uranium and which used two zero-day vulnerabilities that had already been used in the Fanny worm. The other is the suggested programming similarities between the Equation malware and the Regin malware, discovered last year, which appears to have been developed to conduct espionage. "When you look at the detailed technical reasons for that [suggested overlap], it's not what I would call 'wholly conclusive.'"
"That doesn't mean it's not them," he adds, referring to the NSA. "I don't know one way or the other, but it's not a smoking gun."
At Risk: Everything
One takeaway from the report, however, is that many countries could be using Equation-like capabilities to hack what they've defined as high-value targets. "I believe it would be naïve in the extreme to think that other intelligence agencies have not the same level of capabilities, if not more, than the one allegedly behind this attack," says Honan, who's also a cybersecurity adviser to Europol. "When you underestimate your adversary, that is when you may find - to your cost - their true capabilities."
The Kaspersky report also makes clear that with enough time, money and planning, almost anything can be hacked. "In an age where we rely on components, sub-components, and software from various vendors and sources, a determined attacker with the right capabilities has a number of channels it can exploit," Honan says.
That's why even small players could be behind big breaches. "You don't have to be a superpower," Woodward says. "You put 30 guys in a room with some kit, and you can come up with some pretty interesting results."