Throwback attack: The Equation Group, ‘God of cyberespionage’

Courtesy: CFE Media and Technology

President Biden recently spoke out about cybersecurity concerns, demonstrating that the world is on high alert for impending threats. It has been a national priority to strengthen cybersecurity for the past year, especially due to the high profile cyberattacks the U.S. has already faced – such as Colonial Pipeline, Kaseya and JBS – and the Russian incursion into Ukraine. However, the U.S. is no stranger to threats coming from within its own borders. One of the most sophisticated cyberattack groups in the world, the Equation group, was founded in the U.S.

In 2015, Kaspersky Lab announced they had discovered a major cyber threat called the Equation Group that was comprised of over 60 threat actors. Their malware was found to reprogram hard disk firmware, and they were able to hide under the radar and steal private information for more than a decade. With further investigation, experts found that the group’s reach extended worldwide.

Who is the Equation Group?

Once the Equation Group was discovered, the next question became: Who could be behind this advanced persistent threat (APT) group? Because of the complexity of the Equation Group’s attacks and the kinds of signatures they used, many people speculated that they might have stemmed from the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA).

According to a WIRED article: “Although the researchers have no solid evidence that the NSA is behind the tools and decline to make any attribution to that effect, there is circumstantial evidence that points to this conclusion. A keyword – GROK – found in a keylogger component appears in NSA documents leaked by Edward Snowden to The Intercept that describe a keylogger by that name.” Also, the fact that the Equation Group attacks were similar to the Stuxnet attacks suggests that this group could have stemmed from the NSA.

The Equation Group earned its name because of its love for encryption algorithms and its use of a specific implementation of the RC5 encryption algorithm throughout its malware. It also received the nickname “God of Cyberespionage” due to how long it was able to stay invisible and how many organizations it victimized. The group has been engaged in multiple computer network exploitation operations since 2001 and has been traced to as early as 1996. The actors behind the group have not been formally identified.

Equation Group malware

There are several malware platforms the Equation Group uses exclusively, such as EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, GrayFish and Fanny. These platforms have been developed in succession, with each one surpassing the previous in sophistication. They give attackers complete control of infected systems for years, allowing them to take data and monitor activities while using complex encryption schemes and other methods to avoid detection.

EquationLaser is an early implant from the Equation Group that was used from approximately 2001 to 2004. It is compatible with Windows 95/98. The group used this platform as a basis to upgrade into the EquationDrug platform.

EquationDrug is a complex attack platform that supports a module plugin system, which can be dynamically uploaded and unloaded by the attackers. The platform was developed between 2003 and 2013 and was eventually replaced by GrayFish. With EquationDrug, attackers begin by infecting targets with DoubleFantasy, a validator-style plugin that also keeps a backdoor into a potential target’s computer and saves an internal version number in its configuration block. It takes this information along with legitimate hosts used to validate the internet connection, such as and C&Cs. Then, if the victim is confirmed as the target, the EquationDrug installer is delivered.

TripleFantasy is a full-featured backdoor that can be partnered with GrayFish. It is an upgrade of DoubleFantasy and is a more recent validator-style plugin.

The most modern and sophisticated malware implant from the Equation Group is GrayFish. By design, it provides a hidden persistence mechanism, hidden storage and malicious command execution inside the Windows operating system. It contains a highly advanced bootkit. The high level of complexity, which had not been seen before, indicates that the people who created it were not just talented but the best in this field. GrayFish was developed between 2008 and 2013 and is compatible with all modern versions of Microsoft’s operating systems.

Once a computer starts, GrayFish hijacks the OS loading mechanisms by injecting its code into the boot record, which allows it to control the Windows launch at each stage. After the computer is infected, GrayFish controls each step, making necessary changes as it goes. Once Windows is opened, GrayFish launches four to five stages of decryption to achieve code execution within the Windows environment. The stages will only continue if there is successful execution of all levels. The entire GrayFish platform will self-destruct if any error occurs during launch.

Fanny is a computer worm that was created in 2008 and distributed throughout the Middle East and Asia to gather information. It used two zero-day exploits, which were later uncovered during the discovery of Stuxnet. Fanny used the Stuxnet LNK exploit and USB sticks for dispersal, as well as a vulnerability patched by the Microsoft bulletin MS09-025. In 2009, this vulnerability was also exploited in one of the early versions of Stuxnet, which means that the Equation Group had access to these zero-days before the Stuxnet group. Due to the similarities in the Stuxnet and Equation Group attacks, experts believe there to be a connection, to the point where they could be the same group or groups working closely together.

Who has fallen victim?

According to an ARS Technica article, Kaspersky researchers have documented 500 infections in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali topping the list. However, due to the self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total. The real number of victims likely extends into the tens of thousands. Numerous infections have been observed on servers, such as domain controllers, data warehouses, website hosting and other types. Once systems are infected, the group can monitor computers and gain any information held within them.

The Equation Group targeted multiple industries and institutions, such as governments and diplomatic institutions, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, mass media, transportation, financial institutions and companies developing cryptographic technologies.

Living on

In August 2016, the hacking group Shadow Brokers announced that they had stolen malware code from the Equation Group. Experts confirmed that the announcement of the Equation Group breach was legitimate. The stolen samples they released dated back to 2013 and contained exploits against Cisco adaptive security appliances, Fortinet’s firewalls and Juniper’s NetScreen firewalls.

Everyone learned lessons from the Equation Group, whether it was the Equation Group itself learning from the mistakes that ultimately led to their discovery, such as failing to scrub variable names and other “fingerprints,” or the rest of the world learning how to defend themselves against new threats.

With how complex and organized the Equation Group was, it is unlikely that this is the last time the world will see their exploits. The main takeaway is to continually upgrade cybersecurity to help prevent cyberattacks and limit the damage threat actors can achieve.




Keep your finger on the pulse of top industry news