Massive, Decades-Long Cyberespionage Framework Uncovered

CANCUN–Researchers at Kaspersky Lab have uncovered a cyberespionage group that has been operating for at least 15 years and has worked with and supported the attackers behind Stuxnet, Flame and other highly sophisticated operations. The attackers, known as the Equation Group, used two of the zero days contained in Stuxnet before that worm employed them and have used a number of other infection methods, including interdicting physical media such as CDs and inserting their custom malware implants onto the discs.

Some of the techniques the group has used are closely associated with tactics employed by the NSA, specifically the interdiction operations and the use of the LNK vulnerability exploit by Stuxnet.

The Equation Group has a massive, flexible and intimidating arsenal at its disposal. Along with using several zero days in its operations, the attack crew also employs two discrete modules that enable them to reprogram the hard drive firmware on infected machines. This gives the attackers the ability to stay persistent on compromised computers indefinitely and to create a hidden storage partition on the hard drive that is used to store stolen data. At the Security Analyst Summit here Monday, researchers at Kaspersky presented on the Equation Group’s operations while publishing a new report that lays out the inner workings of the crew’s tools, tactics and target list. The victims include government agencies, energy companies, research institutions, embassies, telecoms, universities, media organizations and others. Countries targeted by this group include Russia, Syria, Iran, Pakistan, China, Yemen, Afghanistan and India, but also the US and the UK, among several others.

Beginning in 2001, and possibly as early as 1996, the Equation Group began conducting highly targeted and complex exploitation and espionage operations against victims in countries around the world. The group’s toolkit includes components for infection, a self-propagating worm that gathers data from air-gapped targets, a full-featured bootkit that maintains control of a compromised machine and a “validator” module that determines whether infected PCs are interesting enough to install the full attack platform on.

“We consider this to be the next level of threats,” Costin Raiu, director of the Global Research and Analysis Team at Kaspersky, said in a presentation.

Kaspersky researchers say that the connections between the Stuxnet and Flame group and the Equation Group are concrete and deep.

“There are solid links indicating that the Equation group has interacted with other powerful groups, such as the Stuxnet and Flame operators–generally from a position of superiority. The Equation group had access to zero-days before they were used by Stuxnet and Flame, and at some point they shared exploits with others,” the Kaspersky report says.

Once a PC is compromised, the attackers install the EQUATIONDRUG attack platform, which is the main component from which further operations run. The platform includes a variety of modules and has an analog in another platform called GRAYFISH, which is an updated version of the attack framework.

“By default, a core set of modules is installed into the target’s computer together with EQUATIONDRUG, giving attackers full control over the operating system. In cases when the basic features of the malware are not enough, EquationDrug supports adding new plugins to extend its functionality. We found more than 30 different plugins for EquationDrug,” the report says.

“EquationDrug’s core modules, designed for deep hooking into the OS, do not contain a trusted digital signature and cannot run directly on modern operating systems. The code also contains a check whether the OS version is not newer than Windows XP/2003. Some of the plugins were originally designed for use on Windows 95/98/ME. If the target uses a modern operating system like Windows 7, the attackers use the TripleFantasy or GrayFish platforms.”

GRAYFISH is the most highly evolved version of its attack infrastructure. The attackers began using this platform about seven years ago and have been improving it as they go.

“GrayFish includes a highly sophisticated bootkit, which is more complex than any other we’ve ever seen before. This provides an indication of the highest class of developers behind its creation,” the Kaspersky researchers said.

“When the computer starts, GrayFish hijacks the OS loading mechanisms by injecting its code into the boot record. This allows it to control the launching of Windows at each stage. In fact, after infection, the computer is not run by itself more: it is GrayFish that runs it step by step, making the necessary changes on the fly.”

The trump card for the Equation Group attackers is their ability to reprogram the hard drive firmware of an infected machine. This module, known only by the cryptic name “nls_933w.dll”, essentially allows the attackers to reprogram the HDD or SSD firmware with a custom payload of their own creation.

“Although the implementation of their malware systems is incredibly complex, surpassing even Regin in sophistication, there is one aspect of the EQUATION group’s attack technologies that surpasses anything else we have ever seen before. This is the ability to infect the hard drive firmware,” the report says.

“We were able to recover two HDD firmware reprogramming modules from the EQUATIONDRUG and GRAYFISH platforms. The EQUATIONDRUG HDD firmware reprogramming module has version 3.0 while the GRAYFISH reprogramming module has version 4.0.1. These were compiled in 2010 and 2013, respectively, if we are to trust the PE timestamps.”

The worm that’s included with the Equation Group’s toolkit is codenamed Fanny and provides a direct link to the Stuxnet group. The worm uses two of the zero days that later were used by Stuxnet, including the LNK file exploit. The Fanny worm spreads from infected machines via USB sticks, using the LNK file zero day, and its main purpose appears to be to reconnoiter and map air-gapped machines, PCs that aren’t connected to the Internet or a network.

“First, when a USB stick is infected, Fanny creates a hidden storage area on the stick. If it infects a computer without an internet connection, it will collect basic system information and save it into the hidden area of the stick. Later, when a stick containing hidden information is plugged into a computer infected by Fanny having an Internet connection, the data will be scooped from the hidden area and sent to the C&C. If the attackers want to run commands on the air-gapped networks, they can save these commands in the hidden area of the USB stick. When the stick is plugged into the air-gapped computer, Fanny will recognize the commands and execute them. This effectively allowed the Equation group to run commands inside air-gapped networks through the use of infected USB sticks, as well as map the network infrastructure of such networks,” the report says.

The Equation Group has been seen using at least seven vulnerabilities in various applications, four of which were zero days when the group began using them. One of the exploits the group used was for a vulnerability in Internet Explorer that had been used first by the Google Aurora attackers in 2009.

“The EQUATION group captured their exploit and repurposed it to target government users in Afghanistan,” the report says.

As sophisticated and comprehensive as this group’s toolset is, perhaps the most interesting tactic they employ is interdicting CDs bound for specific targets and inserting their malware. In one case, the attackers sent attendees of a scientific conference a CD that contained the proceedings from the meeting. Not all of the participants received the malware-infected discs.

“The CD-ROM uses ‘autorun.inf’ to execute an installer that will first attempt to escalate privileges using two known EQUATION group exploits. Next, it attempts to run the group’s DOUBLEFANTASY implant and install it into the victim’s machine. The exact method by which these CDs were interdicted is unknown. However, we do not believe the conference organizers did this on purpose, considering the super-rare DOUBLEFANTASY malware, together with its installer with two zero-day exploits, doesn’t end up on a CD by accident,” the report says.
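The CD in this incident relied on the standard Windows autorun.inf mechanism to launch its installer. As an added example (not from the Kaspersky report or the Equation Group’s tooling), the following audit function parses an autorun.inf and flags the directives that cause a program to be launched when the medium is inserted; the sample file contents are constructed for illustration.

```python
import configparser

# [autorun] directives that launch a program (or offer it as the default
# action) when the disc or stick is inserted. Key names are the standard
# Windows autorun.inf keys; the sample below is constructed, not a real disc.
EXEC_KEYS = ("open", "shellexecute")

SAMPLE_AUTORUN = """\
[autorun]
open=setup.exe /quiet
icon=proceedings.ico
label=Conference Proceedings
shellexecute=index.htm
"""


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a dict of lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # autorun.inf keys are case-insensitive
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}  # no [autorun] section: nothing can auto-execute


def audit_autorun(text: str) -> list:
    """List every directive in autorun.inf that launches a program.

    A disc that only sets icon= and label= yields an empty list; anything
    else is worth a closer look before the medium is trusted.
    """
    findings = []
    entries = parse_autorun(text)
    for key in EXEC_KEYS:
        value = entries.get(key, "").strip()
        if value:
            target = value.split()[0]  # program name without its arguments
            findings.append(f"{key}= launches {target!r}")
    # shell\<verb>\command= adds a context-menu verb that runs a program
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"{key}= runs {value.strip()!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE_AUTORUN):
        print(finding)
```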

Another incident involved an installation CD for Oracle software that included a Trojan dropper for the Equation Group’s malware. This is a tactic that, through the Edward Snowden documents, has been attributed to operations conducted in the past by the National Security Agency.

Kaspersky researchers have sinkholed several of the C&C domains used by the Equation Group attackers and have so far counted more than 500 victims, but the total over the lifetime of the campaign is likely far higher. The C&C infrastructure includes hundreds of domains in a number of countries, including the United States, the UK, Italy and Germany.

Nearly all of the C&C domains and servers were shut down by the attackers last year, but some were still active as late as last month. But Raiu said that there are no samples of the Equation Group’s tools from 2014.

“The scariest thing about them is that we don’t have any samples from 2014. So somewhere in 2013 these guys went off the radar,” he said. “We have no idea what they did in 2014, which is very, very scary.”