As cyber-attacks become progressively more sophisticated and frequent, security researchers have revealed the group behind the most dangerous and complex of malware exploits – the so-called Equation Group, which is linked to the NSA.

The Kaspersky Lab’s Global Research and Analysis Team (GreAT) has, for several years, been closely monitoring over 60 advanced threat actors responsible for global cyber-attacks. GreAT, which provides leadership in anti-threat intelligence, research and innovation, has seen attacks become increasingly complex and sophisticated.

According to the Kaspersky Lab team, the group, which surpasses every other known hacker group and cyber-attack in complexity, has been in operation for almost 20 years and goes by the name the Equation Group.

GreAT researchers (1) state that the Equation Group uses tools which are extremely complicated and expensive to develop, which infect victims and retrieve data while remaining anonymous in an “outstandingly professional way”.

GreAT has uncovered that the group uses a powerful bank of Trojans – known as implants. The most powerful of the implants is, according to GreAT, the first known malware capable of infecting hard drives.

By infecting hard-drive firmware, the Equation Group leaves security experts unable to trust the computer as they cannot detect whether or not the hard drive has become compromised. “Once the hard drive gets infected with this malicious payload, it’s impossible to scan its firmware,” Igor Soumenkov, Kaspersky Lab’s lead security researcher said (2).

“To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware,” Soumenkov added.

Links to the NSA

What is perhaps most shocking is the fact the Equation Group has been linked to the NSA and the US government.

Talking to Forbes (3), Claudio Guarnieri, one of the principal security experts involved in monitoring NSA malware in the wake of the Edward Snowden scandal, said the Equation attacks were “100 per cent” the work of the NSA (4).

GROK, a piece of malware that logs keystrokes as part of a kit for compromising devices and stealing data, was among the tools the Equation Group used. According to GreAT, GROK is a component of UNITEDRAKE, which has been associated with sophisticated malware believed to be the work of Western intelligence bodies (5).

According to Intercept, GROK was described by Snowden as the tool the NSA was using to hack computers and collect data. Other malware codenames identified by Kaspersky Lab were STRAIGHTACID and STRAITSHOOTER, which are, according to Intercept, “strikingly similar to known NSA hacking operations.”

The Russian security firm Kaspersky claimed that the malware targets included a number of unnamed governments. Besides a series of government systems becoming infected, other Equation targets have been energy and aerospace companies, telecoms, as well as Islamic scholars and media networks.