Kaspersky has carried out an involved study of the Equation Group and made it look as though it is probably the work of the US government.
Previously it was an NSA-style threat; now it looks much more likely to be an NSA-sourced threat, thanks to some commonality with other online security menaces.
The Kaspersky report refers to the use of Backsnarf, an unusual and uncommon word that we have seen before.
The term, and others like it, appear in Snowden leaked documents that have been sourced from the NSA.
There are other clues that it is a US entity that is involved. For example, timestamps associated with attacks suggest that nine-to-five, Monday-to-Friday staffers working in US time zones are responsible.
It would seem unreasonable to suppose that an average malicious actor who is not on a government salary would be inclined to work at the weekend, so this is another clue. The code is said to be of good quality, but that provides no real clue about its creator.
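The working-hours heuristic described above, as an added example that is not from the article or from Kaspersky's report: it scores each candidate UTC offset by how many of a constructed set of sample timestamps fall Monday to Friday, 09:00 to 17:00 local time, and ranks the offsets best-first.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of the kind an analyst might pull from
# sample compilation headers or command-and-control logs. Not real data.
SAMPLE_UTC = [
    "2013-03-04T14:05:00", "2013-03-04T16:40:00", "2013-03-05T14:20:00",
    "2013-03-05T20:15:00", "2013-03-06T15:10:00", "2013-03-06T21:30:00",
    "2013-03-07T14:55:00", "2013-03-07T19:05:00", "2013-03-08T18:45:00",
    "2013-03-11T14:30:00", "2013-03-12T22:10:00", "2013-03-13T17:00:00",
]

WORK_START, WORK_END = 9, 17  # assumed working day: 09:00 <= hour < 17:00

def parse_utc(stamps):
    """Parse ISO-8601 strings as timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]

def business_hours_fraction(stamps_utc, offset_hours):
    """Fraction of events landing Mon-Fri, 09:00-17:00 local, for a fixed offset.

    Fixed offsets ignore daylight-saving shifts; with a small sample that
    blurs neighbouring offsets, which is why the full ranking is returned.
    """
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in stamps_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(stamps_utc)

def rank_offsets(stamps_utc, offsets=range(-12, 15)):
    """(offset, fraction) pairs, best first; ties resolve to the lower offset."""
    scored = [(off, business_hours_fraction(stamps_utc, off)) for off in offsets]
    return sorted(scored, key=lambda p: (-p[1], p[0]))

def best_offset(stamps):
    """The UTC offset whose working week explains the most events."""
    return rank_offsets(parse_utc(stamps))[0][0]

if __name__ == "__main__":
    for off, frac in rank_offsets(parse_utc(SAMPLE_UTC))[:5]:
        print(f"UTC{off:+d}: {frac:.0%} of events inside Mon-Fri 09-17")
```

The constructed sample is built to peak at UTC-5, the US Eastern offset; on real data the top few offsets are usually close, so the ranking, not just the winner, is what an analyst weighs alongside the other clues.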
We have asked Kaspersky if it wants to actually finger the NSA as the Equation Group and it did not. It said that it did not want to pin it on the agency, but did concede that there does appear to be a strong link between Stuxnet and Equation.
"We are not able to confirm the conclusions that journalists came up with. Kaspersky Lab experts worked on the technical analysis of the group's malware, and we don't have hard proof to attribute the Equation Group or speak of its origin," it said in a statement.
"With threat actor groups as skilled as the Equation team, mistakes are rare, and making attribution is extremely difficult. However we do see a close connection between the Equation, Stuxnet and Flame groups."
In February Kaspersky researchers claimed to have uncovered one of the biggest, if not the biggest, threat actors it has seen in two decades.
The security firm dubbed this outfit the Equation Group, and its toolbox 'the Death Star of the Malware Galaxy', and explained that the tools of its trade have hallmarks and themes similar to those of Stuxnet.
Words were not minced. Kaspersky described the group as a "powerful threat actor" that is "unique almost in every aspect of their activities".
The group is sophisticated and well-resourced, and uses complex tools to hide itself in "an outstandingly professional way".
In one incident the group infected targets by switching out legitimate CD-ROMs with spiked ones at a conference. This makes it sound like a very organised, and perhaps well-connected, outfit.
The tools, a range of trojans, have been named EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. Of these, Fanny is described as the standout.
Two of these trojans, or modules, can be found deeply inserted in as many as a dozen different makes of hard drive that are sold and shipped to international waters.
The malware is so deeply inserted into the firmware that it can survive wipes, and "resurrect" itself indefinitely. Additional 'implants' add to the mix and can grab and store encrypted passwords, for example.
Costin Raiu, director of the global research and analysis team at Kaspersky Lab, said: "Another dangerous thing is that, once the hard drive gets infected with this malicious payload, it is impossible to scan its firmware.
"To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware."
The Fanny trojan is used to fill in the spaces in systems, and launch attacks in unconnected and hard-to-reach places. Kaspersky said that the 'air-gap filler' is USB-based, and can let attackers move between otherwise unconnected networks.
Thousands of victims lie at the feet of the group, according to Kaspersky, and they include state targets, governments, security developers, telecoms, aerospace and energy industries, along with the military, Islamic activists and the media.
Kaspersky didn't name a likely source then, but found a lot of links to Stuxnet, which is often linked to the NSA.
"There are solid links indicating that the Equation group has interacted with other powerful groups, such as the Stuxnet and Flame operators, generally from a position of superiority," adds Kaspersky.
A Reuters report makes the NSA link, and we asked the agency if it wanted to make comment in response. It did.
"We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details," an NSA spokesperson told The INQUIRER.
"The U.S. Government calls on our intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats - including terrorist plots from al-Qaeda, ISIL, and others; the proliferation of weapons of mass destruction; foreign aggression against ourselves and our allies; and international criminal organisations."
We asked some of the hard drive firms that Kaspersky said have been infiltrated by the Equation Group for their take on the news, and at least one told us that it has not heard specific allegations about any backdoor action.
Kaspersky traces the Equation Group and its activities back to 2001.