
Equation Group

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Jesse Viviano (talk | contribs) at 23:02, 18 February 2015 (→‎Summary: Are we sure that Kaspersky could not identify the culprits, or is it trying to avoid an international incident by intentionally failing to accuse the NSA?). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The Equation Group is a highly advanced, secretive computer espionage group, suspected by security expert Claudio Guarnieri[1] and by unnamed former intelligence operatives[2] of being tied to the United States National Security Agency (NSA). Kaspersky Lab chose the name Equation Group because of the group's predilection for strong encryption methods in its operations; Kaspersky also documented 500 malware infections by the group's tools in at least 42 countries.[3][4]

Summary

At the Kaspersky Security Analysts Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. According to Kaspersky Lab's report, the group has been active since at least 2001, with more than 60 actors.[5] The malware used in its operations, dubbed EquationDrug and GrayFish, was found to be capable of reprogramming hard disk drive firmware.[6] Because of the advanced techniques involved and the high degree of covertness, the group is suspected of ties to the NSA, but Kaspersky Lab has not identified the actors behind it.

IRATEMONK and Equation Group

The NSA's listing of its Tailored Access Operations program named IRATEMONK from the NSA ANT catalog.

F-Secure claims that the Equation Group's malicious hard drive firmware is IRATEMONK, the Tailored Access Operations program listed in the NSA ANT catalog.[7] IRATEMONK was capable of infecting Seagate, Maxtor, Western Digital, and Samsung hard drives as of the time the NSA ANT catalog was leaked.[8] It substitutes the master boot record with a malicious one and gains persistence because it is planted in the hard drive's firmware.[8]

The text of IRATEMONK's listing is below:[8]

IRATEMONK

(TS//SI//REL) IRATEMONK provides software application persistence on desktop and laptop computers by implanting in the hard drive firmware to gain execution through Master Boot Record (MBR) substitution.

(TS//SI//REL) This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor, and Samsung hard drives. The supported file systems are: FAT, NTFS, EXT3 and UFS.

(TS//SI//REL) Through remote access or interdiction, UNITEDRAKE, or STRAITBAZZARE are used with SLICKERVICAR to upload the hard drive firmware onto the target machine to implant IRATEMONK and its payload (the implant installer). Once implanted, IRATEMONK's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on.

Status: Released / Deployed. Ready for Immediate Delivery

Unit Cost: $0
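As an added, defender-oriented example (not code from the article, from Kaspersky, or from the catalog entry), the following Python script parses a 512-byte MBR image and compares the 446-byte bootstrap code area against a recorded baseline digest, which is the cheapest way to notice the MBR substitution described above. The sample MBR bytes and the single-partition layout are constructed for the example; `parse_mbr`, `boot_code_digest`, `check_against_baseline` and `build_sample_mbr` are names introduced here.

```python
"""Integrity check for a Master Boot Record (MBR) image.

An MBR-substitution persistence technique leaves the partition table
alone and replaces the boot code in front of it, so a baseline digest
of the 446-byte bootstrap area is a cheap detection. Added example; the
sample MBR below is constructed, not taken from any real disk.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xAA"      # bytes 510..511: boot signature
# one entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY_FMT = "<B3sB3sII"


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(mbr: bytes):
    """Return (boot_code, [Partition, ...]) or raise ValueError on a malformed image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:           # type 0 marks an unused slot
            continue
        partitions.append(Partition(status == 0x80, ptype, lba, count))
    return mbr[:BOOT_CODE_LEN], partitions


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 over the bootstrap area only; partition edits do not change it."""
    boot_code, _ = parse_mbr(mbr)
    return hashlib.sha256(boot_code).hexdigest()


def check_against_baseline(mbr: bytes, baseline_digest: str) -> bool:
    """True when the boot code matches the digest recorded on a known-good system."""
    return boot_code_digest(mbr) == baseline_digest


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test image: given boot stub, one bootable NTFS-type partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x02\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    return code + table + SIGNATURE


# Constructed sample data: placeholder boot stubs, not real boot code.
GOOD_MBR = build_sample_mbr(b"BOOTSTUB-known-good")
TAMPERED_MBR = build_sample_mbr(b"BOOTSTUB-substituted")   # same partitions, different code
BASELINE = boot_code_digest(GOOD_MBR)

if __name__ == "__main__":
    for name, image in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        _, parts = parse_mbr(image)
        ok = check_against_baseline(image, BASELINE)
        print(f"{name}: partitions={parts} boot_code_matches_baseline={ok}")
```

To use it on a real machine you would read the first 512 bytes of the raw device (for example `/dev/sda` on Linux, which requires root), record the digest on a known-good system, and alert when the boot code changes while the partition table stays identical, the pattern a boot-code substitution leaves behind. The check only detects the substituted MBR; because the implant lives in the drive firmware, a clean boot sector after reimaging does not show that the drive itself is clean.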

References

  1. ^ "Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'". Forbes.
  2. ^ "Russian researchers expose breakthrough U.S. spying program". Reuters.
  3. ^ "How "omnipotent" hackers tied to NSA hid for 14 years—and were found at last". Ars Technica.
  4. ^ Jeremy Kirk (17 February 2015). "Destroying your hard drive is the only way to stop this super-advanced malware". PCWorld.
  5. ^ "Equation Group: The Crown Creator of Cyber-Espionage". Kaspersky Lab.
  6. ^ "Equation: The Death Star of Malware Galaxy". Kaspersky Lab.
  7. ^ F-Secure Weblog. https://www.f-secure.com/weblog/archives/00002791.html
  8. ^ a b c Schneier on Security. https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html
