Menu
Leaked docs suggest NSA and CIA behind Equation cyberespionage group

Leaked docs suggest NSA and CIA behind Equation cyberespionage group

CIA documents leaked by WikiLeaks suggests tools attributed to the Equation group originated from both the NSA and CIA

Purported CIA documents leaked Tuesday appear to confirm that the U.S. National Security Agency and one of CIA's own divisions were responsible for the malware tools and operations attributed to a group that security researchers have dubbed the Equation.

The Equation's cyberespionage activities were documented in February 2015 by researchers from antivirus vendor Kaspersky Lab. It is widely considered to be the most advanced cyberespionage group in the world based on the sophistication of its tools and the length of its operations, some possibly dating as far back as 1996.

From the start, the tools and techniques used by the Equation bore a striking similarity to those described in secret documents leaked in 2013 by former NSA contractor Edward Snowden. This relationship was further strengthened by the similarity between various code names found in the Equation malware and those in the NSA files.

The new CIA documents leaked by WikiLeaks include a 2015 discussion between members of the agency's Technical Advisory Council following Kaspersky's analysis of the Equation group.

The discussion focused mostly on what the Equation did wrong that allowed Kaspersky's researchers to establish relationships between various tools and link them to the group. The goal was for the CIA's own cyber teams to learn from those mistakes and avoid them in their own tools and operations.

The Equation's errors identified during the discussion included the use of custom cryptographic implementations instead of relying on standard libraries like OpenSSL or Microsoft's CryptoAPI, leaving identifying strings in the program database (PDB), the use of unique mutexes, and the reuse of exploits.

"The 'custom' crypto is more of NSA falling to its own internal policies/standards which came about in response to prior problems," one team member said during the discussion. "In the past, there were crypto issues where people used 0 [initialization vectors] and other miss-configurations. As a result, the NSA crypto guys blessed one library as the correct implementation and everyone was told to use that."

"The Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools (mostly TAO some IOC)," another member wrote.

TAO is a reference to the NSA's Office of Tailored Access Operations, a large division that specializes in the creation of hacking tools for infiltrating foreign computer systems. Meanwhile, IOC refers to the Information Operations Center, a CIA division that, according to a leaked 2013 budget justification for intelligence agencies, has shifted focus from counterterrorism to cyberespionage in recent years.

The CIA analysis of Kaspersky's Equation report highlights how hackers can learn to better hide their attacks based on research published by security companies. This raises the question of whether security vendors and independent researchers should be so forthcoming with the methods they use to establish links between malware tools.

“It is a proven fact that attackers learn from public analyses, and this is something that all researchers consider when publishing material," researchers from Kaspersky Lab said in an emailed statement. "It is a calculated risk. Of course, not all companies choose to disclose all their findings. Some companies prefer to keep some of the details for private reports, or not to create a report at all."

"We believe that, going forward, a balance will be achieved between the amount of publicly disclosed information (just enough to highlight the risks and raise awareness) and the amount of information kept private (to allow for the discovery of future attacks)," the Kaspersky researchers said.

According to them, this new information ties into the escalating cyber arms race that has been going on since 2012 and shows no signs of slowing down.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.​

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments