
NSA Suspected of Spreading Super-Resistant Malware

By Richard Adhikari
Feb 17, 2015 4:32 PM PT

Kaspersky Lab on Tuesday announced the discovery of what may be the most sophisticated malware ever.

The malware's creators, whom Kaspersky has dubbed "The Equation Group," use a never-seen-before tactic to infect hard drives' firmware.

The technique "makes traditional antivirus and antimalware software practically useless," Protegrity VP of Products Yigal Rozenberg told TechNewsWorld.

Most of the attacks hit Windows PCs, although Mac OS X users in China also have been hit, and iOS is vulnerable as well.

"Given the sophistication of the malware that has been examined, the team is choosing their targets with care," noted Lamar Bailey, director of security R&D at Tripwire.

The malware could be turned against the United States or Europe, he told TechNewsWorld, assuming the attacks are not coming from either region.

The Sum of Equation's Parts

Equation has targeted at least 500 victims in more than 30 countries. They include government and diplomatic institutions, Islamic activists and scholars, the military, and companies in the telecommunications, aerospace, energy, nuclear research, oil and gas, transportation, mass media, financial, cryptography and nanotechnology industries.

However, visitors from certain ISPs in Jordan, Turkey and Egypt are apparently off its list of targets.

Equation has used several platforms exclusively over the past 14 years: EquationDrug and Equestre, very complex attack platforms that can be dynamically uploaded and unloaded; the DoubleFantasy Trojan; the TripleFantasy full-featured backdoor; Grayfish, which resides completely in the registry, relying on a bootkit to execute when the OS starts up; Fanny, a computer worm created in 2008 used to hit targets in the Middle East and Asia; and EquationLaser.

The group uses various techniques, including the Fanny self-replicating worm code, CD-ROMs, USB sticks and Web exploits.

It uses the RC5 and RC6 encryption algorithms, as well as simple XOR, substitution tables, RC4 and AES encryption.

The code was written as early as 2008, and "this means there are likely much more sophisticated attacks under way today," ITIF Senior Analyst Daniel Castro told TechNewsWorld.

The NSA Runs Amok Again?

Equation has hit some of the initial victims of the Stuxnet worm, believed to have been created by the U.S. National Security Agency.

The group's malware may have been used to deliver the Stuxnet payload, Kaspersky speculated.

"We don't have proof to attribute The Equation Group or speak of its origin," Kaspersky Lab said in a statement provided to TechNewsWorld by spokesperson Stephen Russell. "However, we do see a close connection between the Equation, Stuxnet and Flame groups."

The Equation disclosure "creates a huge cloud over U.S. technology," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld. "Even U.S. firms don't want this kind of exposure."

Further, "given how attractive the U.S. is as a target anyway, and the damage it is doing to the U.S. tech segment, [this] strategy may have become a greater liability than an asset," he suggested.

Every Thief Is a Rascal

President Obama last week described cybersecurity breaches as serious acts of property damage and commercial theft, and suggested the establishment of international protocols to govern state-sponsored cyberattacks.

That would ring hollow if a tie-in between Equation and the NSA could be proved, because it would "make the U.S. appear untrustworthy," Enderle said. It "makes it far harder for the administration to call out abuses by other states."

On the other hand, perhaps such surveillance is necessary. The president pointed out that law enforcement will be criticized if it should miss even one attack or plot.

Meanwhile, cyberterrorism is growing. Kaspersky later on Tuesday announced its discovery of Desert Falcons, the first known Arabic cyberespionage group, which has attacked thousands globally.

The problem is, The Equation Group's malware "is a threat to everyone using computers," Lancope CTO TK Keanini told TechNewsWorld. "Everyone must do their part to make it harder for these folks to operate."

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.
