NSA Suspected of Spreading Super-Resistant Malware

Kaspersky Lab on Tuesday announced the discovery of what may be the most sophisticated malware ever.

The malware’s creators, whom Kaspersky has dubbed “The Equation Group,” use a never-seen-before tactic to infect hard drives’ firmware.

The technique “makes traditional antivirus and antimalware software practically useless,” Protegrity VP of Products Yigal Rozenberg told TechNewsWorld.

Most of the attacks hit Windows PCs, although Mac OS X users in China also have been hit, and iOS is vulnerable as well.

“Given the sophistication of the malware that has been examined, the team is choosing their targets with care,” noted Lamar Bailey, director of security R&D at Tripwire.

The malware could be turned against the United States or Europe, he told TechNewsWorld, assuming the attacks are not coming from either region.

The Sum of Equation’s Parts

Equation has targeted at least 500 victims in more than 30 countries. They include government and diplomatic institutions, Islamic activists and scholars, the military, and companies in the telecommunications, aerospace, energy, nuclear research, oil and gas, transportation, mass media, financial, cryptography and nanotechnology industries.

However, visitors from certain ISPs in Jordan, Turkey and Egypt are apparently off its list of targets.

Equation has used several platforms exclusively over the past 14 years: EquationDrug and Equestre, very complex attack platforms that can be dynamically uploaded and unloaded; the DoubleFantasy Trojan; the TripleFantasy full-featured backdoor; Grayfish, which resides completely in the registry, relying on a bootkit to execute when the OS starts up; Fanny, a computer worm created in 2008 used to hit targets in the Middle East and Asia; and EquationLaser.

The group uses various techniques, including the Fanny self-replicating worm code, CD-ROMs, USB sticks and Web exploits.

It uses the RC5 and RC6 encryption algorithms, as well as simple XOR, substitution tables, RC4 and AES encryption.

The code was written as early as 2008, and “this means there are likely much more sophisticated attacks under way today,” ITIF Senior Analyst Daniel Castro told TechNewsWorld.

The NSA Runs Amok Again?

Equation has hit some of the initial victims of the Stuxnet worm, believed to have been created by the U.S. National Security Agency.

The group’s malware may have been used to deliver the Stuxnet payload, Kaspersky speculated.

“We don’t have proof to attribute The Equation Group or speak of its origin,” Kaspersky Lab said in a statement provided to TechNewsWorld by spokesperson Stephen Russell. “However, we do see a close connection between the Equation, Stuxnet and Flame groups.”

The Equation disclosure “creates a huge cloud over U.S. technology,” Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld. “Even U.S. firms don’t want this kind of exposure.”

Further, “given how attractive the U.S. is as a target anyway, and the damage it is doing to the U.S. tech segment, [this] strategy may have become a greater liability than an asset,” he suggested.

Every Thief Is a Rascal

President Obama last week described cybersecurity breaches as serious acts of property damage and commercial theft, and suggested the establishment of international protocols to govern state-sponsored cyberattacks.

That would ring hollow if a tie-in between Equation and the NSA could be proved, because it would “make the U.S. appear untrustworthy,” Enderle said. It “makes it far harder for the administration to call out abuses by other states.”

On the other hand, perhaps such surveillance is necessary. The president pointed out that law enforcement will be criticized if it should miss even one attack or plot.

Meanwhile, cyberterrorism is growing. Kaspersky later on Tuesday announced its discovery of Desert Falcons, the first known Arabic cyberespionage group, which has attacked thousands globally.

The problem is, The Equation Group’s malware “is a threat to everyone using computers,” Lancope CTO TK Keanini told TechNewsWorld. “Everyone must do their part to make it harder for these folks to operate.”

Richard Adhikari

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.
