Menu
Leaked docs suggest NSA and CIA behind Equation cyberespionage group

Leaked docs suggest NSA and CIA behind Equation cyberespionage group

CIA documents leaked by WikiLeaks suggests tools attributed to the Equation group originated from both the NSA and CIA

Purported CIA documents leaked Tuesday appear to confirm that the U.S. National Security Agency and one of CIA's own divisions were responsible for the malware tools and operations attributed to a group that security researchers have dubbed the Equation.

The Equation's cyberespionage activities were documented in February 2015 by researchers from antivirus vendor Kaspersky Lab. It is widely considered to be the most advanced cyberespionage group in the world based on the sophistication of its tools and the length of its operations, some possibly dating as far back as 1996.

From the start, the tools and techniques used by the Equation bore a striking similarity to those described in secret documents leaked in 2013 by former NSA contractor Edward Snowden. This relationship was further strengthened by the similarity between various code names found in the Equation malware and those in the NSA files.

The new CIA documents leaked by WikiLeaks include a 2015 discussion between members of the agency's Technical Advisory Council following Kaspersky's analysis of the Equation group.

The discussion focused mostly on what the Equation did wrong that allowed Kaspersky's researchers to establish relationships between various tools and link them to the group. The goal was for the CIA's own cyber teams to learn from those mistakes and avoid them in their own tools and operations.

The Equation's errors identified during the discussion included the use of custom cryptographic implementations instead of relying on standard libraries like OpenSSL or Microsoft's CryptoAPI, leaving identifying strings in the program database (PDB), the use of unique mutexes, and the reuse of exploits.

"The 'custom' crypto is more of NSA falling to its own internal policies/standards which came about in response to prior problems," one team member said during the discussion. "In the past, there were crypto issues where people used 0 [initialization vectors] and other miss-configurations. As a result, the NSA crypto guys blessed one library as the correct implementation and everyone was told to use that."

"The Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools (mostly TAO some IOC)," another member wrote.

TAO is a reference to the NSA's Office of Tailored Access Operations, a large division that specializes in the creation of hacking tools for infiltrating foreign computer systems. Meanwhile, IOC refers to the Information Operations Center, a CIA division that, according to a leaked 2013 budget justification for intelligence agencies, has shifted focus from counterterrorism to cyberespionage in recent years.

The CIA analysis of Kaspersky's Equation report highlights how hackers can learn to better hide their attacks based on research published by security companies. This raises the question of whether security vendors and independent researchers should be so forthcoming with the methods they use to establish links between malware tools.

“It is a proven fact that attackers learn from public analyses, and this is something that all researchers consider when publishing material," researchers from Kaspersky Lab said in an emailed statement. "It is a calculated risk. Of course, not all companies choose to disclose all their findings. Some companies prefer to keep some of the details for private reports, or not to create a report at all."

"We believe that, going forward, a balance will be achieved between the amount of publicly disclosed information (just enough to highlight the risks and raise awareness) and the amount of information kept private (to allow for the discovery of future attacks)," the Kaspersky researchers said.

According to them, this new information ties into the escalating cyber arms race that has been going on since 2012 and shows no signs of slowing down.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Events

Featured

Slideshows

Channel kicks 2021 into gear as After Hours returns to Auckland

Channel kicks 2021 into gear as After Hours returns to Auckland

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Pantry at Park Hyatt in Auckland to kick-start 2021.

Channel kicks 2021 into gear as After Hours returns to Auckland
The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Show Comments