Menu
Code name found in Equation group malware suggests link to NSA

Code name found in Equation group malware suggests link to NSA

The name matches an NSA project listed in a secret document leaked by Edward Snowden

As security researchers continue to analyze malware used by a sophisticated espionage group dubbed the Equation, more clues surface that point to the U.S. National Security Agency being behind it.

In February, Russian antivirus firm Kaspersky Lab released an extensive report about a group that has carried out cyberespionage operations since at least 2001 and possibly even as far back as 1996. The report detailed the group's attack techniques and malware tools.

The Kaspersky researchers have dubbed the group Equation and said that its capabilities are unrivaled. However, they didn't link the group to the NSA or any other intelligence agency, despite similarities between its tools and those described in secret NSA documents leaked by Edward Snowden.

Kaspersky found code names like SKYHOOKCHOW, DRINKPARSLEY, LUTEUSOBSTOS, STRAITACID, STRAITSHOOTER in the malware used by the Equation group. While these were not a direct match to NSA code names known so far, they bear a striking resemblance to some of them.

A secret document leaked by Snowden and published by German news magazine Der Spiegel contains a list of project names from NSA's Tailored Access Operations (TAO) division. The list includes names like SKYJACKBRAD, DRINKMINT and LUTEUSASTRO. According to a different document, the NSA has a malware implant called STRAITBIZZARE and refers to computers infected with it as QUANTUM shooters. It also has a program called FOXACID.

The Kaspersky researchers found an Equation malware component called "standalonegrok." According to a December report in The Intercept, the NSA has a keylogger named GROK.

However, the most direct link came Wednesday, when Kaspersky Lab published a technical analysis of the main malware framework used by the Equation group. In the report, the company's researchers revealed another code name recently found in the malware: BACKSNARF_AB25. The BACKSNARF code name is listed in the previously mentioned document about NSA TAO projects.

The malware platform, which was dubbed EquationDrug, has a modular architecture and resembles a mini operating system, the Kaspersky researchers said. So far 30 of its plug-ins have been found, but the platform might have more than 115 modules, each implementing different functionality.

Statistics based on compilation time stamps found in the EquationDrug samples collected so far suggest that its developers are working almost exclusively from Monday to Friday and are likely located in the UTC-3 or UTC-4 time zones, if we assume that they start work at 8 or 9 am. Time stamps in malware samples are not always reliable, because developers can alter them, but in the case of EquationDrug, the Kaspersky researchers believe they look "very realistic."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securitymalwarespywarekaspersky labNational Security Agency

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments