Kaspersky Lab on Tuesday announced the discovery of what may be the most sophisticated malware ever.
The malware’s creators, whom Kaspersky has dubbed “The Equation Group,” use a never-seen-before tactic: reprogramming hard drives’ firmware, which lets an infection survive disk reformatting and operating-system reinstallation.
The technique “makes traditional antivirus and antimalware software practically useless,” Protegrity VP of Products Yigal Rozenberg told TechNewsWorld.
Most of the attacks hit Windows PCs, although Mac OS X users in China also have been hit, and Kaspersky found indications that iOS devices were targeted as well.
“Given the sophistication of the malware that has been examined, the team is choosing their targets with care,” noted Lamar Bailey, director of security R&D at Tripwire.
The malware could be turned against the United States or Europe, he told TechNewsWorld, assuming the attacks are not coming from either region.
The Sum of Equation’s Parts
Equation has targeted at least 500 victims in more than 30 countries. They include government and diplomatic institutions, Islamic activists and scholars, the military, and companies in the telecommunications, aerospace, energy, nuclear research, oil and gas, transportation, mass media, financial, cryptography and nanotechnology industries.
However, the group’s Web exploit servers apparently declined to infect visitors from certain ISPs in Jordan, Turkey and Egypt.
Over the past 14 years, Equation has used several attack platforms that Kaspersky has seen nowhere else: EquationDrug (also known as Equestre), a very complex attack platform whose plugin modules can be dynamically uploaded and unloaded; the DoubleFantasy Trojan; the TripleFantasy full-featured backdoor; GrayFish, which resides completely in the registry and relies on a bootkit to execute when the OS starts up; Fanny, a computer worm created in 2008 and used to hit targets in the Middle East and Asia; and EquationLaser, an early implant.
The group uses various techniques, including the Fanny self-replicating worm code, CD-ROMs, USB sticks and Web exploits.
For encryption it uses the RC5 and RC6 algorithms, along with RC4, AES, simple XOR and substitution tables.
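The RC5 and RC6 usage is worth a closer look, because the two ciphers share a distinctive key schedule that analysts use to fingerprint them in unpacked code. The following is an added example, not code from the article or from Kaspersky’s report: a reference RC5-32/12/16 implementation (checked against Rivest’s published zero-key test vector) plus a small scanner for the key-schedule constants P32 and Q32. The function names and the sample “binary” are constructed for illustration.

```python
# Added example (not from the article or from Kaspersky's report): a
# reference RC5-32/12/16 implementation plus a scanner for the RC5/RC6
# key-schedule "magic" constants that analysts use to spot these ciphers
# in an unpacked binary.  The key schedule is where the fingerprint lives:
# both RC5 and RC6 seed their round-key table with P32 and Q32.

P32 = 0xB7E15163  # Odd((e - 2) * 2^32), RC5/RC6 key-schedule seed
Q32 = 0x9E3779B9  # Odd((phi - 1) * 2^32); also used by TEA/XTEA, so not diagnostic alone
MASK = 0xFFFFFFFF


def _rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def _rotr(x, n):
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK


def rc5_expand_key(key, rounds=12):
    """RC5 key schedule for w=32: returns the 2*(rounds+1) round subkeys."""
    if not 1 <= len(key) <= 255:
        raise ValueError("RC5 key must be 1..255 bytes")
    c = (len(key) + 3) // 4
    padded = key + b"\x00" * (4 * c - len(key))
    L = [int.from_bytes(padded[4 * i:4 * i + 4], "little") for i in range(c)]
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]  # this table is the fingerprint
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def rc5_encrypt_block(S, block, rounds=12):
    """Encrypt one 8-byte block; words are little-endian as in Rivest's reference code."""
    A = (int.from_bytes(block[:4], "little") + S[0]) & MASK
    B = (int.from_bytes(block[4:8], "little") + S[1]) & MASK
    for r in range(1, rounds + 1):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def rc5_decrypt_block(S, block, rounds=12):
    """Inverse of rc5_encrypt_block."""
    A = int.from_bytes(block[:4], "little")
    B = int.from_bytes(block[4:8], "little")
    for r in range(rounds, 0, -1):
        B = _rotr((B - S[2 * r + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * r]) & MASK, B) ^ B
    A = (A - S[0]) & MASK
    B = (B - S[1]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def find_rc5_rc6_constants(blob):
    """Offsets of P32/Q32 stored as 32-bit little-endian immediates (x86 layout)."""
    hits = {"P32": [], "Q32": []}
    for name, const in (("P32", P32), ("Q32", Q32)):
        needle = const.to_bytes(4, "little")
        pos = blob.find(needle)
        while pos != -1:
            hits[name].append(pos)
            pos = blob.find(needle, pos + 1)
    return hits


def looks_like_rc5_or_rc6(blob):
    """Both constants together is the signal; Q32 on its own also matches TEA/XTEA."""
    hits = find_rc5_rc6_constants(blob)
    return bool(hits["P32"]) and bool(hits["Q32"])


# Constructed sample "binary": NOP filler with both constants embedded the way
# a compiler emits them as immediates (e.g. `mov eax, 0B7E15163h` is B8 63 51 E1 B7).
SAMPLE_BLOB = (b"\x90" * 64 + b"\xb8" + P32.to_bytes(4, "little")
               + b"\x90" * 32 + b"\x05" + Q32.to_bytes(4, "little")
               + b"\x90" * 64)

if __name__ == "__main__":
    S = rc5_expand_key(bytes(16))
    print("RC5-32/12/16 zero key, zero block:", rc5_encrypt_block(S, bytes(8)).hex())
    print("constants found at:", find_rc5_rc6_constants(SAMPLE_BLOB))
    print("looks like RC5/RC6:", looks_like_rc5_or_rc6(SAMPLE_BLOB))
```

The scanner is only a first pass: it finds the constants in unpacked code, and a single Q32 hit is shared with TEA/XTEA and other golden-ratio users, so a match on both constants is the signal to follow up on, for instance by confirming the rotate-by-3 mixing loop nearby.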
Some of the code, such as Fanny, dates to 2008, and “this means there are likely much more sophisticated attacks under way today,” ITIF Senior Analyst Daniel Castro told TechNewsWorld.
The NSA Runs Amok Again?
Equation has hit some of the initial victims of the Stuxnet worm, believed to have been created by the U.S. National Security Agency.
The group’s malware may have been used to deliver the Stuxnet payload, Kaspersky speculated.
“We don’t have proof to attribute The Equation Group or speak of its origin,” Kaspersky Lab said in a statement provided to TechNewsWorld by spokesperson Stephen Russell. “However, we do see a close connection between the Equation, Stuxnet and Flame groups.”
The Equation disclosure “creates a huge cloud over U.S. technology,” Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld. “Even U.S. firms don’t want this kind of exposure.”
Further, “given how attractive the U.S. is as a target anyway, and the damage it is doing to the U.S. tech segment, [this] strategy may have become a greater liability than an asset,” he suggested.
Every Thief Is a Rascal
President Obama last week described cybersecurity breaches as serious acts of property damage and commercial theft, and suggested the establishment of international protocols to govern state-sponsored cyberattacks.
That would ring hollow if a tie-in between Equation and the NSA could be proved, because it would “make the U.S. appear untrustworthy,” Enderle said. It “makes it far harder for the administration to call out abuses by other states.”
On the other hand, perhaps such surveillance is necessary. The president pointed out that law enforcement will be criticized if it should miss even one attack or plot.
Meanwhile, cyberespionage is spreading. Kaspersky later on Tuesday announced its discovery of Desert Falcons, the first known Arabic-speaking cyberespionage group, which has attacked thousands of victims globally.
The problem is, The Equation Group’s malware “is a threat to everyone using computers,” Lancope CTO TK Keanini told TechNewsWorld. “Everyone must do their part to make it harder for these folks to operate.”