Crossroads Blog | CYBER SECURITY LAW AND POLICY

Attribution, Cyber Espionage, Cyber Exploitation, Kaspersky, malware

NSA or Not, Equation Group is Recognized as the “Most Advanced” Threat Actor in Cyberspace

Another report has been released identifying widespread spyware breaches. This most recent report released by Kaspersky Lab, a cyberthreat firm, named the “Equation Group” the most advanced “threat actor” out of over 60 advanced attackers investigated by the firm over the past several years, reports Defense One. According to the report, the Equation Group has been active for “possibly” 20 years, and is thought to be affiliated with the NSA, although the Kaspersky report did not outright make that claim.

Kaspersky Equation Group Report Cover

Is Equation Group the NSA?

Kaspersky’s report implied that the Equation Group is associated with, or may even be the same group responsible for the Stuxnet virus. According to the report, a computer worm created by the group in 2008, known as Fanny, used two zero-day exploits also used by Stuxnet, and was spread throughout the Middle East and Asia. The report explained that the two exploits were used in Fanny even before the they were used in Stuxnet. Fanny and Stuxnet both used the LNK exploit to spread,  the report continued. Further, both Fanny and Stuxnet utilized a vulnerability in Microsoft’s software which was later patched by the Microsoft bulletin MS09-025, according to the report. Kaspersky asserted that this indicated that the Equation group had access to the exploits before the Stuxnet group did. Additionally, the delivery mechanism believed to be utilized by both Stuxnet and Fanny were USB sticks used to gain access to air-gapped networks, such as the Iranian network infected by Stuxnet. The similarities in the use of these exploits, and within the same timeframe, indicates that the group responsible for Fanny and Stuxnet are either working together or are the same, the report concluded.

Who does Equation Group Target?

Stuxnet is believed to be the product of a joint venture between the NSA and the Israelis, leading to the belief that the Equation Group is actually the NSA or at least closely affiliated with it. Defense One reported that the group’s operations seem to target the “appropriate” people, “enemies foreign.” This indicates that the group operates under predetermined parameters, using usernames and network addresses to pick out specific targets, the article added. Targets resided in about 30 countries including Iran, Russia, Syria, and Afghanistan, according to the article. The article also reported that in addition to thousands of individuals, the group has infected entities within governments, telecommunications, and energy sectors, among others. This method of using existing vulnerabilities is “much less disruptive” than inserting vulnerabilities “that leave everyone insecure,” Bruce Schneier explained on the Lawfare Blog. Just as Stuxnet specifically targeted the Iranian network controlling its nuclear centrifuges, the Equation Group also conducts its activities carefully and precisely, targeting specific actors worldwide.

How does the release of this report affect current operations?

Experts claim this exposure may prove problematic for intelligence-gathering operations against Islamic extremists, Defense One added. However, according to the article, experts also admitted that the revelation will not likely end intelligence gathering operations. Further, even though its operations have been publicized, the group may still continue using the same methods because those breached may not have the capability to “detect, remediate, and mitigate” the risk posed by the group, the article reported. Furthermore, it is unknown how long it would take to develop the capability to do just that, adds the article. The NSA released a statement refusing to comment directly on the assertions made in Kaspersky’s report, however, it was admitted that allegations such as this always pose a risk to the nation’s security, reports Defense One.

Kaspersky’s full report can be found here.

Leave a Reply