Beyond Stuxnet and Flame: Equation 'most advanced' cybercriminal gang recorded

Security experts say The Equation Group surpasses every other threat actor known in complexity and sophistication.
Written by Charlie Osborne, Contributing Writer

CANCUN, MEXICO: Kaspersky Labs has discovered the "ancestor" of Stuxnet and Flame, a threat actor which surpasses everything else in complexity and sophistication of technique.

On Monday at the Kaspersky Labs Security Analyst Summit, the firm unveiled research concerning the existence of a cyberattack team dubbed The Equation Group. The group, which Kaspersky Lab Global Research and Analysis Team (GReAT) members dub the "ancestor" of Stuxnet and Flame operators, has been in operation since 2001 and possibly as early as 1996.

The Equation Group uses multiple malware platforms, some of which go far beyond threats such as Regin in complexity and sophistication.

"The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen," the company says.

After tracking over 60 threat actors responsible for cyberattacks across the globe, GReAT says that The Equation Group, active over two decades, goes beyond anything else the security team has tracked and witnessed.

According to Kaspersky Lab researchers, the group is unique in a number of ways: they use tools which are extremely complicated and expensive to develop; they are very professional in the ways they infect victims, steal data and hide their activities; and they also use "classic" spying techniques to deliver malicious payloads to victims.

In order to infect victims, the group uses a variety of trojans and tools. Within The Equation Group's toolkit, you will also find at least two Stuxnet variants, Zero days and exploits which strike both Windows and Mac machines and browsers.

Kaspersky detected seven exploits in total used by The Equation group in their malware, and at least four were Zero days. In addition, there are a number of unknown exploits which are used in a chain to ensure success in infecting a machine.

Speaking at the conference, Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab said he assumes the group also has iPhone exploits, "but we have no confirmation so far."

The company has named specialist tools used by the group EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish, but the list is far from complete. However, each tool is sophisticated and professionally used.


"These guys don't make mistakes. If they do, they do very, very rarely," Raiu said.

Two particular tools stand out from the crowd. Fanny -- named after the fanny.bmp file found on compromised systems -- is a computer worm created in 2008 which targets victims in the Middle East and Asia.

The worm, which infects USB hard drives, has been found "on thousands of USBs, and are still there," according to Raiu. The purpose of Fanny appears to be the mapping of air-gapped networks. In order to do so, the malware uses a "unique" USB-based command and control mechanism -- carving out a hidden storage space on the USB to store stolen data and carry out commands.

If Fanny infects a computer which is not connected to the Web, it will collect system information and save it in the hidden area. When the computer eventually connects to the Internet, the malware leaps into action and sends this data to a command and control (C&C) center.


If the cyberattacker wants to run commands on the air-gapped networks, these commands can be saved in the secret storage space and then executed.

The second prominent tool used by The Equation Group is a plugin, nls_933w.dll, which Kaspersky Lab security expert Vitaly Kamluk described as the "ultimate cyberattack tool, unique and super advanced." This plugin has the power to interact with a hard drive -- both traditional and SSD -- on a lower level.

Not only interact with -- but rewrite.

The infection, which Kamluk described as a "great headache even to detect," is able to reprogram a hard drive's firmware. By performing a rewrite, the group not only achieves an extreme level of persistence and the ability to survive disk reformatting, but the malware can also create a hidden storage area which is nigh-on impossible to detect.

The team has spotted 12 vendors so far which are vulnerable, including Seagate, Western Digital and Samsung.

Sadly, if you suspect you are infected, the team suggests you should "destroy the hard drive," according to Kamluk. Why? Not only can the malware survive a full operating system reinstall, but your stolen data -- potentially hidden within a secret storage space -- will always be at risk and may end up being sent to the group's C&C center.

The security team believes The Equation group is the "ancestor" of other threat actors such as Stuxnet and Flame, as the group had access to Zero days before they were used by Stuxnet and Flame. At some point, The Equation group shared these exploits with others. For example, in 2008 Fanny used two Zero days which were introduced into Stuxnet in June 2009 and March 2010.

Raiu said:

"It's important to point out that these two exploits were used in Fanny before they were integrated into Stuxnet, indicating the Equation group had access to these zero-days before the Stuxnet group. Actually, the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the Equation group and the Stuxnet developers are either the same or working closely together."

The Equation group's C&C infrastructure comprises over 300 domains and more than 100 servers hosted in countries including the US, UK, Panama and Colombia.

Since 2001, the Equation group has infected thousands -- or perhaps tens of thousands -- of victims with its arsenal of bootkits and malware, according to Kaspersky. No one is safe either: the team says that targets from a vast range of sectors including government, military, telecommunications, energy, nanotechnology and media have become victims.

Raiu estimates that up to 2,000 victims a month are being targeted. While this number in itself does not seem like a big deal, when you consider who is being targeted and the variety of tools at their disposal, the security expert says "it's getting pretty scary."

Disclaimer: Kaspersky Labs sponsored the trip to the Security Analyst Summit 2015.
