Group Equation: the most advanced known operation cyberprzestępcza

Kaspersky Lab informs about the discovery of a group of Equation-ancestor of the campaign cyberprzestępczych Stuxnet and Flame. Belonging to the cyber criminals in terms of complexity and sophistication of the techniques ahead of everything that has been discovered so far, and are active for almost two decades.

According to researchers from Kaspersky Lab Group Equation is unique in almost every aspect of its activity. Uses professional, very advanced and expensive tools to infect victims of data theft and hide the activity. In addition, the attacker apply a spy methods to deliver malicious programs to the targeted organization.
To infect their victims group Equation uses a powerful set of "implants" (Trojan), including the following tools (the names were given by researchers from Kaspersky Lab): EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. Without a doubt, actively used is, however, more of these implants.

Why group Equation is unique?

Survivability and invisibility

Kaspersky Lab experts managed to take two modules that allows you to modify the system software (firmware) hard drives of more than a dozen popular manufacturers. This is probably the most powerful tool in the arsenal of group Equation, and the first known malicious program capable of directly infecting software hard disk drives.
By modifying the software hard drive ranged to achieve two objectives:

1. the unprecedented ability of survival-a malicious program can "survive" even disk formatting, not to mention a reinstallation of the operating system. If the malware gets into the firmware of the disk, can "resurrect" indefinitely.

"Another risk is that when the hard drive is infected with this malware, virus scan becomes impossible. Most disks have write functions to the system software, however, there are methods to read it. This means that as researchers we are practically blind and we cannot detect disk infected by the tool, "said Costin Raiu, Manager of the Global team. Research and analysis, Kaspersky Lab.

2. The ability to create an invisible, protected area on the hard disk. It is used to store the stolen information, which can then be captured by the attackers. In addition, in some cases, this can help criminals in breaking of encrypted files. "Taking into account the fact that the implant GrayFish is active from the very start of the hard drive, the attacker also have the ability to capture passwords to encrypted resources," adds Costin Raiu.

The ability to capture data from isolated network

Another element that distinguishes a group of Equation is a part of its arsenal of worm Fanny. Its main purpose is to explore unavailable structure (isolated) computer networks and perform in their own commands. To do this, an attacker uses a unique control mechanism based on the USB media.

The infected USB storage devices have a hidden storage area and when you connect them to computers, cut off from the Internet are beginning to collect information about the available resources (e.g. local area network structure, shared resources, etc.). These data are submitted to cyber criminals, when the storage medium is connected to a computer infected with Fanny and having a connection to the Internet. With this information, an attacker can perform your own commands in isolated networks, just save the correct procedure in a hidden area of the infected USB drive and they would wait, until it will be connected to one of the computers.

Spy methods used to infect victims

The attackers use unusual methods to infect their victims-not only over the internet, but also in the physical world. To this end, the capture a variety of resources and podmieniają them on their own, "enriched" with malicious programs. An example would be an attack on the Scientific Conference in Houston-after returning home, some scientists have received a CD with the Conference materials, containing in addition mechanism installing the implant DoubleFantasy-a component of the arsenal group Equation. The way in which cyber criminals seized these CDs, remains to this day unknown.

Niesławni friends: Stuxnet and Flame

Kaspersky Lab researchers have found evidence indicating the interaction Equation group with other organisations cyberprzestępczymi, standing for the operations of the Stuxnet and Flame. Members of the Group Equation had access to some zero-day attacks (for which at the time of the attack, there were patches), before they have been used in Stuxnet and Flame, and in certain circumstances these groups Exchange techniques to infect. For example, in 2008, the worm Fanny use two zero-day attacks, which have been applied in the Stuxnecie until June 2009 and March 2010.

Powerful and geographically distributed infrastructure

Group Equation uses a huge infrastructure, comprising over 300 domains and over 100 servers. Servers are located in a number of countries, including the United States, Great Britain, Italy, Germany, the Netherlands, Panama, Costa Rica, Malaysia, Colombia and the Czech Republic.

Thousands of victims of the high level all around the world

From 2001 onwards group Equation infekowała thousands, and perhaps tens of thousands of victims in more than 30 countries. The victims were

  • Government institutions and diplomatic,
  • organisations in the telecommunications industry, aviation, energy, oil and gas, transport, nuclear research and nanotechnology,
  • the media,
  • financial institutions,
  • companies that make up the encryption technologies,
  • activists and academics.


Kaspersky Lab's experts have observed seven exploits used by the Equation. At least four of them were in use, when there were still patches to avoid them. In addition, it was observed the use of unknown exploits using a vulnerability in Firefox, 17. At the stage of infection, the attacker can use exploits one after the other, however, experts have noted, that are up to three of them: If the first fails, the second is started, and then – if necessary – the third. When all three will be ineffective, the system is not infekowany.

Kaspersky Lab products detected and blocked a series of attacks the Group Equation-many of them were captured by the technology automatically avoid exploitom that is designed to block the use of unknown bugs in operating systems and applications. Worm Fanny, created in July 2008, has been classified by Kaspersky Lab systems, automatic, in December 2008.

The full report is dedicated to the analysis of group Equation is available in English on the website

Source: Kaspersky Lab

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.