Report points to global spyware operation by US
18 February 2015
A shadowy hacking unit likely run by the US National Security Agency (NSA) or other spy agencies has deployed an arsenal of sophisticated spyware against computers and networks of foreign governments, research programs and corporations beginning in at least 2001, according to a report released Monday by Russian cybersecurity firm Kaspersky.
The “computer network exploitation” (CNE) hacking and data mining operations deploy an intricate malware architecture against targeted systems, carefully tailored to render it invisible to anti-virus and anomaly scanning software. Attacks were carried out by the so-called “Equation group,” described by the Russian firm as “one of the most sophisticated cyber attack groups in the world.”
The Equation group has targeted systems in numerous locations including Russia, China, Syria, Libya, Afghanistan, Nigeria, Pakistan, Yemen, Mali, India, the Philippines, South Africa, Germany, Iraq, Mexico, Brazil and others, the report found.
The hacking operations bear striking similarities to previous NSA hacking operations, according to Kaspersky, displaying a level of technical sophistication that “suggests developers of the highest caliber.”
“The similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the Equation group and the Stuxnet developers are either the same or working closely together,” Kaspersky wrote. Stuxnet was an earlier cyberwarfare operation targeting Iran and run by the US and Israel.
Code-names embedded in malware programming sequences analyzed by Kaspersky strongly resemble those used by known NSA programs.
The Equation group infiltrates and sabotages targets using a “vast command and control infrastructure,” including hundreds of domains and servers, the report found. Equation’s targets can be selected individually but are also assessed automatically through algorithms to identify “interesting” targets.
Kaspersky found code on a machine in the Middle East that had been targeted by previous generations of US government-designed spyware, offering damning evidence that “Equation” is run by the NSA.
Islamist parties and organizations have been heavily targeted by the Equation operations, and analysis by the security firm suggests that special code was created to limit infections of machines in Middle Eastern countries closely aligned with the US, including Egypt, Jordan and Turkey.
The Equation spyware is designed to remain concealed on a targeted machine for long periods of time, collecting and storing data from the hard drive in a Virtual File System (VFS) and initiating sudden attacks and “malicious commands” at a future time of the programmer’s choosing. The spyware is able to remain active on a targeted machine even when the disk is wiped clean and the operating system is reinstalled.
The spy operations were largely directed against foreign militaries and government-run research and development programs, including nuclear and nanotechnology research.
The Equation group appears to have established “sinkholes” in parts of China, which simultaneously exploit large clusters of networked devices, and its spyware has been found on the machines of major corporations, including Samsung and Western Digital.
Equation makes use of a toolkit of exotic malware programs, which are deployed in a coordinated fashion to locate, infiltrate and exploit high-security, high-value targets. When fully deployed, the Equation group malware packages give their handlers complete control over the operating systems of infected devices, and can subsequently be upgraded with new plugins. The spyware is even able to reprogram the hard drives of infected machines and generate maps of broader network infrastructure in which targets are embedded.
Equation utilizes devious techniques to download Trojan-style malware onto targets, the report found, including a method referred to as “interdiction,” involving direct physical seizure of electronic devices mid-transit, and their infection or replacement with pre-infected replicas. In one example described by the report, the spy group distributed CD-ROMs secretly pre-loaded with malware to participants at a research symposium in Texas.
Even while the US public is subject to a continuous bombardment of media propaganda warning of Chinese and Russian hacking operations, in reality the US government is by far the leading purveyor of cyberwarfare on the planet, militarizing vast sections of the world’s communication infrastructure.
Brookings Institution Security and Intelligence Director Peter Singer noted, in comments to TechRepublic, the vast scale of efforts to develop Stuxnet, which caused more than 1,000 Iranian nuclear centrifuges to spin uncontrollably.
“Stuxnet was almost a Manhattan Project style in terms of the wide variety of expertise that was brought in: everything from intelligence analysts to some of the top cyber talent in the world to nuclear physicists to engineers, to build working models to test it out on, and another entire espionage effort to put it into the systems in Iran that Iran thought were air-gapped. This was not a couple of kids,” Singer said.
Reviewing the contents of the Kaspersky report, there can be little doubt that similarly massive efforts were orchestrated, at the highest levels of the US government, to develop the technology associated with the “Equation group.”
The destructive purposes for which the malware is being prepared were outlined last June in statements by US Cyber Command (CYBERCOM) chief Admiral Mike Rogers, who predicted that by the year 2025, “Army commanders will maneuver offensive and defensive [cyber] capability much today as they maneuver ground forces.”
“The ability to integrate cyber into a broader operational concept is going to be key,” Rogers said.
While the specific purpose of the Equation group is not known, it is clear that the US military and intelligence agencies are working systematically to infiltrate and disrupt computer systems all over the world.