{"id":15052,"date":"2015-02-17T18:55:05","date_gmt":"2015-02-17T18:55:05","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3608"},"modified":"2020-02-27T03:53:29","modified_gmt":"2020-02-26T16:53:29","slug":"mothership-unlocked-the-equation-apt","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/mothership-unlocked-the-equation-apt\/15052\/","title":{"rendered":"Mothership unlocked: The Equation APT"},"content":{"rendered":"<p>Kaspersky Lab\u2019s researchers have discovered what should possibly be called the \u201cmother of all APTs\u201d: the Equation group has already been compared to the Death Star in the APT universe. The research on the Equation group was presented on February 15<sup>th<\/sup> at the Kaspersky Security Analyst Summit.<\/p>\n<p><strong>What\u2019s going on?<\/strong><\/p>\n<p>Equation is an APT that has likely been active for two decades already. Some C&amp;Cs used by the group appear to have been registered as early as 1996, although the main command-and-control server presumably dates back to August 2001.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Massive, Decades-Long Cyberespionage Framework Uncovered \u2013 <a href=\"http:\/\/t.co\/GxpNfmktuf\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/GxpNfmktuf<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/TheSAS2015?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#TheSAS2015<\/a><\/p>\n<p>\u2014 Threatpost (@threatpost) <a href=\"https:\/\/twitter.com\/threatpost\/status\/567401175340036097?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 16, 2015<\/a><\/p><\/blockquote>\n<p>Since 2001, the Equation group has been busy infecting thousands, or perhaps even tens of thousands, of victims throughout the world, in the following 
sectors:<\/p>\n<ul>\n<li>Government and diplomatic institutions<\/li>\n<li>Telecoms<\/li>\n<li>Aerospace<\/li>\n<li>Energy<\/li>\n<li>Nuclear research<\/li>\n<li>Oil and gas<\/li>\n<li>Military<\/li>\n<li>Nanotechnology<\/li>\n<li>Islamic activists and scholars<\/li>\n<li>Mass media<\/li>\n<li>Transportation<\/li>\n<li>Financial institutions<\/li>\n<li>Companies developing encryption technologies<\/li>\n<\/ul>\n<p>The Equation group uses a potent arsenal of \u201cimplants\u201d (that is apparently what the group calls its Trojans), only some of which are currently known.<\/p>\n<p><strong>The array is astonishing, but\u2026<\/strong><\/p>\n<p>Perhaps the most powerful tool in the Equation group\u2019s arsenal is a mysterious module known only by a cryptic name: \u201cnls_933w.dll\u201d. It allows them to reprogram the hard drive firmware of over a dozen different hard drive brands, including Seagate, Western Digital, Toshiba, Maxtor and IBM.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Vendors affected by nls_933w.dll <a href=\"https:\/\/twitter.com\/hashtag\/EquationAPT?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#EquationAPT<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/TheSAS2015?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#TheSAS2015<\/a> Format won't help! 
<a href=\"http:\/\/t.co\/X8zxWEzje6\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/X8zxWEzje6<\/a><\/p>\n<p>\u2014 Dmitry Bestuzhev (@dimitribest) <a href=\"https:\/\/twitter.com\/dimitribest\/status\/567409328114921472?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 16, 2015<\/a><\/p><\/blockquote>\n<p>This is an astounding technical accomplishment and a clear indication of the group\u2019s exceptional abilities.<\/p>\n<p><strong>Fanny-wormy<\/strong><\/p>\n<p>Among other attacks apparently performed by Equation, one stands out: the Fanny worm, first observed and blocked by Kaspersky Lab\u2019s systems in December 2008. It used two 0-day exploits that were still undiscovered at the time.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/02\/06020250\/Equation_1-1.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/02\/06020250\/Equation_1-1.jpg\" alt=\"Equation_1\" width=\"669\" height=\"222\" class=\"aligncenter size-full wp-image-3614\"><\/a><\/p>\n<p>These exploits were also used by the Stuxnet worm. Conversely, Fanny used the Stuxnet LNK exploit and USB sticks. For privilege escalation, Fanny used a vulnerability patched by Microsoft bulletin MS09-025, which was also used in one of the early versions of Stuxnet from 2009.<\/p>\n<p><strong>To clear up the confusion\u2026<\/strong><\/p>\n<p>Yes, the Fanny worm, first reported in 2008, used the 0-day exploits two years before Stuxnet did, and they remained unknown until 2010. 
It looks like Equation had access to these zero-days before the Stuxnet group did.<\/p>\n<p>\u201cFor many years they [Equation group] have interacted with other powerful groups, such as the Stuxnet and Flame groups; always from a position of superiority, as they had access to exploits earlier than the others\u201d, Kaspersky Lab researchers said.<\/p>\n<p>Kaspersky Lab is currently publishing data on the Equation APT. So far there is a general overview of this group and its tools <a href=\"https:\/\/securelist.com\/blog\/research\/68750\/equation-the-death-star-of-malware-galaxy\/\" target=\"_blank\" rel=\"noopener\">available at Securelist<\/a>, as well as detailed research on the <a href=\"https:\/\/securelist.com\/blog\/research\/68787\/a-fanny-equation-i-am-your-father-stuxnet\/\" target=\"_blank\" rel=\"noopener\">Fanny<\/a> worm. Updates will follow, so stay tuned!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab&#8217;s researchers have discovered what should possibly be called the &#8220;mother of all APTs&#8221;: the Equation group has already been compared to the Death Star in the APT 
universe.<\/p>\n","protected":false},"author":53,"featured_media":15759,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[2288,956],"class_list":{"0":"post-15052","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-equationapt","10":"tag-thesas2015"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/mothership-unlocked-the-equation-apt\/15052\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/mothership-unlocked-the-equation-apt\/15052\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/mothership-unlocked-the-equation-apt\/7883\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/mothership-unlocked-the-equation-apt\/15052\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/equationapt\/","name":"EquationAPT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15052","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/53"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=15052"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15052\/revisions"}],"predecessor-version":[{"id":26648,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15052\/revisions\/26648"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/15759"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blo
g\/wp-json\/wp\/v2\/media?parent=15052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=15052"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=15052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}