Fear The Equation Group: Control Your Machines Better

High Risk, High Reward (Yes, this should concern you)…

Kaspersky Lab’s Global Research and Analysis Team recently released a report demonstrating the sophistication and success of an attack group labeled The Equation Group.

This particular group, which is one of the most sophisticated cyberattack groups in the world, goes out of their way to target larger corporations via physical methods, because the high risk is only worth high reward. Some of the attack techniques this group implements should send chills up your spine and cause an anger-filled, fearful mistrust of the innocent structures that you regularly utilize in both your personal and business worlds.

Here is a real-world scenario outlining one of these alarming attacks:

“The attacks that use physical media (CD-ROMs) are particularly interesting because they indicate the use of a technique known as ‘interdiction’, where the attackers intercept shipped goods and replace them with Trojanized versions.

One such incident involved targeting participants at a scientific conference in Houston. Upon returning home, some of the participants received by mail a copy of the conference proceedings, together with a slideshow including various conference materials. The [compromised ?] CD-ROM used “autorun.inf” to execute an installer that began by attempting to escalate privileges using two known EQUATION group exploits. Next, it attempted to run the group’s DOUBLEFANTASY implant and install it onto the victim’s machine. The exact method by which these CDs were interdicted is unknown. We do not believe the conference organizers did this on purpose. At the same time, the super-rare DOUBLEFANTASY malware, together with its installer with two zero-day exploits, don’t end up on a CD by accident.”

-The Equation Group (Report)

Something at this level could translate into hijacking shipments of critical infrastructure…

This blew my mind after reading it and left me feeling a little defeated. Something at this level could translate into hijacking shipments of critical infrastructure that rely on a firmware based OS, like Cisco for example.

You may think that producing a large amount of compromised CD/DVDs would be fairly easy compared to the difficulty of working with a shipment of 2,000 Dell laptops, but you’d be wrong. What it would take to hijack the process of infecting a new machine versus creating a bunch of malicious disks doesn’t compare. One of our recent blog posts, written by Dennis Goodlett on “Physical Hacking,” is a perfect example of just how easy it can be.

It seems a little hopeless if we can’t even rely on conference training material. At the very least, we need to be able to trust the vendor and their standards on SSL and Hash verification. Only now, we’ll have to put effort into verifying the HDD firmware:

“Although the implementation of their malware systems is incredibly complex, surpassing even Regin in sophistication, there is one aspect of the EQUATION group’s attack technologies that exceeds anything we have ever seen before. This is the ability to infect the hard drive firmware.”

-The Equation Group (Report)

Invisible, Persistent, and Hidden Attacks Can Lead to a Reactive, Disruptive Remediation

The ability to infect firmware would allow the malware to survive a re-imaging, a reformat, or an OS installation. Along with that, it can remain present through an “invisible, persistent, and hidden storage” on the drive. Which leaves us security flatfoots in a position of detect and react. React in a very disruptive manner when remediating critical infrastructure. Especially if you are one of the targeted organizations, relying on compromised infrastructure to house your “crown jewels”.

Arstechnica shared an article last May (2014), outlining how the NSA completes a similar process, leading many to place the blame on them. This seems like a logical connection, but could be accomplished by others as well.

Below is a quote from an NSA manager in the article on the process:

“Here’s how it works: shipments of computer network devices (servers, routers, etc,) being delivered to our targets throughout the world are intercepted. Next, they are redirected to a secret location where Tailored Access Operations/Access Operations (AO-S326) employees, with the support of the Remote Operations Center (S321), enable the installation of beacon implants directly into our targets’ electronic devices. These devices are then re-packaged and placed back into transit to the original destination. All of this happens with the support of Intelligence Community partners and the technical wizards in TAO.”

-The Equation Group (Report)

Government Intervention Versus Malicious Attack (opinion)

My opinion on government intervention versus malicious attack would be the line of intent. Larger private corporations with lucrative intellectual property are a more likely target for malicious theft and not “public” security monitoring. (Note: The older CVEs referenced in successful attacks that can be mitigated with a software and OS patching initiative/standard).

Kaspersky does a great job going over the threats recently analyzed in the report. They identify non-Windows devices reporting malicious data, like MacOS and iPhone, and give a list of likely compromised HTTP User-Agents. There is also a list of MD5 hashes for known malicious exploits discussed by Kaspersky surrounding Windows as well.

And Don’t Forget About the Advantages of Splunk

I’m currently searching through logged HTTP traffic in Splunk to look for these strings. If you log this data type, I would highly suggest you do the same.