Kaspersky Lab researchers recently uncovered what they describe as “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques and that has been active for almost two decades.”
The researchers say the attacker, which they’re calling the Equation Group, is unique in almost every way — the tools the group leverages are very complicated and expensive to develop, and are designed to retrieve data and hide activity in an “outstandingly professional” manner.
The Equation Group, which has been in operation at least since 2001, uses a vast command and control infrastructure that includes more than 300 domains and more than 100 servers in countries including the U.S., the U.K., Italy, Germany, the Netherlands, Panama, Costa Rica, Malaysia, Colombia and the Czech Republic.
Two modules uncovered by the researchers enable reprogramming of the hard drive firmware for more than a dozen leading hard drive brands, providing the Equation Group with a unique level of persistence that can survive disk formatting and OS reinstallation.
“Another dangerous thing is that once the hard drive gets infected with this malicious payload, it is impossible to scan its firmware,” Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, said in a statement. “To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware.”
The modules are also able to create an invisible, persistent area hidden in the hard drive, which is used to save stolen information that can later be retrieved by the attackers. “Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu said.
“The Equation Group sometimes selects its victims with surgical precision,” Kaspersky explained in a FAQ [PDF]. “When precision is not possible, the victims are targeted by validator (DoubleFantasy) implant and subsequently disinfected if they do not appear to be ‘interesting’ to the attackers.”
One of the attacks in the Equation Group’s arsenal stands out — the Fanny worm, which was first detected in 2008. “Its main purpose was to map air-gapped networks, in other words, to understand the topology of a network that cannot be reached, and to execute commands to those isolated systems,” the researchers explain. “For this, it used a unique USB-based command and control mechanism which allowed the attackers to pass data back and forth from air-gapped networks.”
In order to do so, an infected USB stick with a hidden storage area collects basic system information from a computer not connected to the Internet, then sends that information to the command and control server when the USB stick is connected to a computer with an Internet connection.
The attackers can then send commands to the hidden area of the USB stick, which are executed when the USB stick is plugged into the target air-gapped computer.
The Equation Group appears to have interacted with the groups behind Stuxnet and Flame, and had access to zero day exploits before they were used by Stuxnet and Flame. “For example, in 2008 Fanny used two zero-days which were introduced into Stuxnet in June 2009 and March 2010,” the researchers note. “One of those zero-days in Stuxnet was actually a Flame module that exploits the same vulnerability and which was taken straight from the Flame platform and built into Stuxnet.”
Ken Jones, vice president of engineering and product management at IronKey by Imation, told eSecurity Planet by email that the best protection against the Equation Group’s attacks is to use code signing for firmware updates. “If the signed firmware is modified, the device cannot authenticate the firmware and simply will not operate,” he said. “This prevents the infection from spreading but will result in an unusable device.”
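The fail-closed behaviour Jones describes, as an added example in Go that is not code from the article, IronKey or any vendor: the image layout (`FWUP` magic, version, payload, Ed25519 signature) is constructed for illustration, and the signature covers the header as well as the payload so that a modified image, a forged header or a version downgrade is refused before anything reaches the firmware area.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (hypothetical, not any vendor's real format):
//   magic "FWUP" | version uint32 LE | payload | 64-byte Ed25519 signature
// The signature covers magic, version and payload, so altering any of them
// (implanted code, a forged header, a version downgrade) fails verification.
const magic = "FWUP"
var ErrBadSignature = errors.New("firmware rejected: signature does not verify")

// SignFirmware is the vendor-side step; the private key never leaves the vendor.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var ver [4]byte
	binary.LittleEndian.PutUint32(ver[:], version)
	body := append(append([]byte(magic), ver[:]...), payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyFirmware runs on the device before any byte is written to the firmware
// area. It fails closed: on any problem nothing is returned and nothing is flashed.
func VerifyFirmware(pub ed25519.PublicKey, image []byte) (uint32, []byte, error) {
	if len(image) < 8+ed25519.SignatureSize || string(image[:4]) != magic {
		return 0, nil, errors.New("firmware rejected: malformed or truncated image")
	}
	split := len(image) - ed25519.SignatureSize
	body, sig := image[:split], image[split:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSignature
	}
	return binary.LittleEndian.Uint32(body[4:8]), body[8:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := SignFirmware(priv, 7, []byte("constructed sample firmware payload"))
	if _, _, err := VerifyFirmware(pub, image); err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), image...)
	tampered[12] ^= 0x01 // flip one payload bit, as an implant rewriting code would
	_, _, err := VerifyFirmware(pub, tampered)
	fmt.Println("genuine image accepted; tampered image:", err)
}
```

The same check rejects a truncated image and an image signed with a key the device does not trust, which is what makes an unreadable firmware area less of a detection problem: the device refuses to load what it cannot authenticate.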
“For businesses concerned about having spyware on their computers, one option is to immediately switch to hardware-encrypted FIPS 140-2 Level 3 certified Windows To Go flash drives as a hard drive replacement,” Jones added. “Windows To Go uses the flash drive as the system disk, completely insulating the user from the risk of any hard drive infections on the onboard hard drive. This is significantly less costly than replacing the internal hard drive with FIPS-approved hard drives and can be easily done in the field without needing to pull apart the computer.”