Shortcuts

Hacking group may be NSA in disguise

2015-03-12 10:11 by Daniela
Tags: NSA, Equation Group, EquationDrug

Kaspersky Lab researchers have found a new 'operating system'-like platform that was developed and used by hackers from the Equation Group. Recent findings of the company suggest that the dangerous hacking collective is actually the National Security Agency itself.

The suggestion comes from the fact that the term "BACKSNARF" has been found inside the code of the Equation Group's online platform. The same term was used by the NSA as the name of a project by its cyber warfare unit.

The so-called Equation Group is responsible for at least 500 malware infections in 42 countries and thus considered one of history's most effective cyber espionage organizations. Members of the group are likely located on the East Coast of the United States.

The latest found espionage software platform is called EquationDrug. It is thought to be one of the main espionage platforms of the NSA and has been used since 2003. However, a newer deployment, dubbed GrayFish, has also been spotted in the wild.

Also called Equestre, the platform is used to deploy up to 116 modules to target connected devices, monitor them and to export data, when necessary. However, Kaspersky expects that as many as 86 modules used by the platform have yet to be uncovered in the wild.

"The plugins we discovered probably represent just a fraction of the attackers' potential. Each plugin is assigned a unique plugin ID number (WORD), such as 0x8000, 0x8002, 0x8004, 0x8006, etc. All plugin IDs are even numbers and they all start from byte 0x80," Kaspersky researchers claim.

"It's important to note that EquationDrug is not just a trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules on the machines of selected victims," they add. "The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface."

"Nation-state attackers are looking to create more stable, invisible, reliable and universal cyberespionage tools. They are focused on creating frameworks for wrapping such code into something that can be customized on live systems and provide a reliable way to store all components and data in encrypted form, inaccessible to regular users," explains Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab. "Sophistication of the framework makes this type of actor different from traditional cybercriminals, who prefer to focus on payload and malware capabilities designed for direct financial gains."