Good Essay On Equation Group: Questions And Answers
The Equation group is one of the most advanced threat actors, active in multiple computer network exploitation (CNE) operations since 2001. It is a highly developed cyber attack group that uses multiple malware platforms.
This threat actor is called the Equation group because its malware and operations use a specific implementation of the RC5 encryption algorithm together with obfuscation strategies. Besides RC5, the more recent modules also use RC4, RC6 and AES.
The Equation group uses multiple malware platforms, such as EquationDrug, DoubleFantasy, Equestre, TripleFantasy, GrayFish, Fanny and EquationLaser.
EquationDrug is a very complex attack platform that maintains a modular plugin system and is used on victims of the Equation group. It was created as an upgrade of the EquationLaser platform. DoubleFantasy is a validator-style Trojan created to approve the target: this implant is used to confirm that the victim is interesting, to upgrade it to other platforms, and to keep a backdoor on such computers.
The most advanced platform is GrayFish. It relies on a bootkit and resides in the registry.
Fanny is a worm developed in 2008. It was used to collect data about targets in Asia and the Middle East. Fanny's main purpose is the mapping of air-gapped networks.
EquationLaser, which is compatible with Windows 95/98, is one of the earliest implants from the Equation group.
The Equation group uses the following exploits in its malware: a Windows kernel EoP exploit used in Stuxnet in 2009; a TTF exploit fixed with MS13-081; a TTF exploit fixed with MS12-034; CVE-2013-3918; the LNK vulnerability as used by Stuxnet; CVE-2012-4681; and CVE-2012-1723.
The Equation group infects victims in several ways: self-replicating code, physical media using the "interdiction" technique, USB, and web-based exploits.
The implementation of the Equation group's tooling is extremely complex, and it has one aspect that had never been seen before: the ability to infect the firmware of a hard drive.
"The victims of the Equation group were observed in more than 30 countries, including Iran, Russia, Syria, Afghanistan, Kazakhstan, Belgium, Somalia, Hong Kong, Libya, United Arab Emirates, Iraq, Nigeria, Ecuador, Mexico, Malaysia, United States, Sudan, Lebanon, Palestine, France, Germany, Singapore, Qatar, Pakistan, Yemen, Mali, Switzerland, Bangladesh, South Africa, Philippines, United Kingdom, India and Brazil" ("Equation Group: Questions and Answers", 2015).
We can suspect that there have been a huge number of infections over the years the Equation group has been operating.
The Equation group uses a vast C&C infrastructure that includes more than 100 servers and more than 300 domains. The servers are hosted in countries such as the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and the Czech Republic.
This group uses the RC5 and RC6 encryption algorithms. They also use XOR, RC4 and AES. The first implementation (RC5) is very specific and interesting. The picture below shows the main loop of an RC6 key setup subroutine.
[Figure: encryption-related code sample]
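As an added reference (not code from the essay or from the report it summarises), here is the standard RC6-32/20 key setup and block encryption from the published RC6 specification; the second loop of the key setup is the kind of "main loop" the essay refers to. The constants P32 and Q32 are the published RC6 values, and since the essay calls the group's implementation "very specific", an analyst's task is to compare a sample's loop against this reference and note where it deviates.

```python
import struct

# Published RC6-32 constants: P32 = Odd((e - 2) * 2^32), Q32 = Odd((phi - 1) * 2^32).
# Spotting these two magic numbers near a 3-bit rotate in a disassembly is the
# usual tell for an RC6 (or RC5-style) key schedule.
P32, Q32, MASK = 0xB7E15163, 0x9E3779B9, 0xFFFFFFFF


def rol(x, n):
    """32-bit rotate left; only the low 5 bits of the shift count matter."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def rc6_key_schedule(key, rounds=20):
    """RC6 key setup: returns the 2r+4 round keys S[0..2r+3]."""
    c = max(1, (len(key) + 3) // 4)
    # Load the key bytes little-endian into c words (zero-padded).
    L = [int.from_bytes(key[4 * i:4 * i + 4].ljust(4, b"\0"), "little") for i in range(c)]
    t = 2 * rounds + 4
    # Phase 1: fill S with the arithmetic progression P32 + i*Q32.
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    # Phase 2: the "main loop" that mixes S and L for 3*max(c, t) iterations.
    A = B = i = j = 0
    for _ in range(3 * max(c, t)):
        A = S[i] = rol((S[i] + A + B) & MASK, 3)
        B = L[j] = rol((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc6_encrypt_block(block, S, rounds=20):
    """Encrypt one 16-byte block with RC6-32/r; S comes from rc6_key_schedule."""
    A, B, C, D = struct.unpack("<4I", block)
    B = (B + S[0]) & MASK
    D = (D + S[1]) & MASK
    for r in range(1, rounds + 1):
        t = rol((B * (2 * B + 1)) & MASK, 5)
        u = rol((D * (2 * D + 1)) & MASK, 5)
        A = (rol(A ^ t, u) + S[2 * r]) & MASK
        C = (rol(C ^ u, t) + S[2 * r + 1]) & MASK
        A, B, C, D = B, C, D, A
    A = (A + S[2 * rounds + 2]) & MASK
    C = (C + S[2 * rounds + 3]) & MASK
    return struct.pack("<4I", A, B, C, D)


if __name__ == "__main__":
    # Constructed check: the all-zero key/plaintext test vector from the RC6 specification.
    S = rc6_key_schedule(bytes(16))
    print(rc6_encrypt_block(bytes(16), S).hex())
```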
Compared with Regin, the Equation group's attack platforms are more stealthy, complex and flexible: the registry storage has better granularity, each registry branch is encrypted with its own key, no files are used on the disk, and the group is able to re-flash HDD firmware.
These observations lead us to conclude that the Equation group is far ahead of Regin in resources and sophistication. The techniques of this group are out of the reach of almost all other threat groups in the world.
Equation Group: Questions and Answers. (2015, Feb 1). Retrieved Mar. 18, 2015, from http://www.slideshare.net/WaqasAmir/nsa-hiding-undetectable-spyware-in-hard-drives-worldwide