Analysis of Equation Group’s espionage platform discovers another link to the NSA

Kaspersky Lab researchers continue to analyze the software and digital artifacts tied to the Equation Group, a nation-state threat actor that has been active for almost twenty years, and to present their discoveries to the public.

They shared more information about EquationDrug, an espionage platform that the group used for over a decade, and has ultimately been replaced by a more sophisticated one dubbed GrayFish.

“The EquationDrug platform includes dozens of executables, configurations and protected storage locations,” they explained. “The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface. The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins. Every plugin has a unique ID and version number that defines a set of functions it can provide. Similar to popular OS kernel designs, such as on Unix-based systems, some of the essential modules are statically linked to the platform core, while others are loaded on demand.”

Going by the unique IDs of the plugins (30 of them) they have unearthed, and by the obvious numbering pattern, the researchers estimate there are 86 more modules that they have not discovered yet.

Those they have managed to analyze give the attackers the ability to intercept network traffic, manage target computers, gather system information, collect cached passwords, monitor live user activity in web browsers, browse network resources, log keys and capture screenshots, and so on.

Apart from the fact that kernel object and file names and messages found in the code point to English-speaking developers, among the unique identifiers and codenames used by the developers in the malware is the name of a string (“BACKSNARF_AB25”) that points to the US NSA being the source of the platform.

As Dan Goodin has marked, this is also the name of a project tied to the NSA’s Tailored Access Operations. “While the presence of the ‘BACKSNARF’ artifact isn’t conclusive proof it was part of the NSA project by that name, the chances that there were two unrelated projects with nation-state funding seems infinitesimally small,” he pointed out.

Kaspersky researchers don’t say explicitly who they think might be behind the Equation Group, but keep offering circumstantial evidence that the members are likely US-based. For example, an analysis of the link timestamp of the executable samples they have collected points to an organized outfit that keeps office hours that correspond to the working days and hours of an organization based in the UTC-3 or UTC-4 time zone (this includes the Eastern part of the US).

“The EquationDrug case demonstrates an interesting trend that we have been seeing while analyzing supposedly nation-state cyberattack tools: a growth in code sophistication. It is clear that nation-state attackers are looking for better stability, invisibility, reliability and universality in their cyberespionage tools,” the researchers noted.

“You can make a basic browser password-stealer or a sniffer within days. However, nation-states are focused on creating frameworks for wrapping such code into something that can be customized on live systems and provide a reliable way to store all components and data in encrypted form, inaccessible to normal users.”

While traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, nation-states create automatic systems infecting only selected users. While traditional cybercriminals typically reuse one malicious file for all victims, nation-states prepare malware unique to each victim and even implement restrictions preventing decryption and execution outside of the target computer,” they added.

Also, unlike nation-state attackers, traditional cybercriminals don’t have the storage resources to exfiltrate huge amounts of data.