Inside EquationDrug: The world’s premier, NSA-backed espionage platform

Ever since Edward Snowden exposed the NSA’s shadowy operations and vast web of intelligence gathering, there’s been an unanswered question lurking in the background — where are the groups that build and maintain the NSA’s various software tools? Kaspersky Labs thinks it’s found at least one of them and uncovered the spycraft suite that the NSA-backed team uses to do its dirty work.
According to a new report from Kaspersky, the so-called Equation Group has an entire espionage software platform, dubbed EquationDrug. This is apparently the group’s older platform and has been used since 2003, but a newer deployment, GrayFish, has also been spotted in the wild.
The reason Kaspersky is calling EquationDrug a platform, as opposed to a simple framework, is the degree of sophistication built into the software. This is something we discussed when we talked about the Regin malware that surfaced last year — Regin was incredibly flexible, with the ability to deploy highly tailored plugins that could perform very specific functions. Kaspersky doesn’t directly link Regin and EquationDrug, but it notes that the entire purpose of the ED platform is to load various plugins (the security team has located 30 plugins but believes as many as 86 may exist).
Some of the most interesting plugins found to date include:
  • Network traffic interception
  • Computer management (starting and stopping processes, loading drivers and libraries, file management, etc.)
  • System-level information gathering
  • Password collection
  • Live monitoring of browser activity
  • Removable storage monitoring
  • Keylogging and clipboard monitoring
  • HDD and SSD firmware manipulation
One keyword that Kaspersky found is “Backsnarf_AB25,” and that’s where the story gets particularly interesting. As Ars Technica reports, one of the programs linked to the NSA’s Tailored Access Operations was named BackSnarf — and it’s not the only linked program. These types of calling cards strongly suggest that the Equation Group (so named because its members favor the use of algorithms and obfuscation strategies) is both tied to the NSA and directly responsible for some of the most dangerous and sophisticated malware programs on the Internet today.
[Image: EquationGroup-Malware]

Kaspersky has linked the worms and trojans above as being part of the same family and all distributed from within the same platform. What makes the Equation Group interesting is how many of the most advanced and threatening malware packages it’s worked on — but this brings up another troubling point.

How do you separate the good guys from the bad?

In the world according to the NSA, there are good guys (themselves, Britain, some of our usual allies) and bad guys (China, Russia, some of our allies). According to this world view, it’s the job of the good guys to wage cyber warfare on others and to defend US networks against the same.

The problem for pretty much everyone else working in IT security is that both the black and white hats can quickly turn to muddy shades of grey. If the past two years have made anything clear, it’s that the NSA often treats companies like Google and Microsoft like candy stores, raiding their data repositories (with government sanction) and simultaneously researching and exploiting their software for hacks it can use against foreign nations. When these bugs are eventually discovered and publicized, companies rush to patch them — all the while knowing that the US government is running a long-term cracking operation on their code.

I’m not suggesting that the NSA and various US corporations don’t cooperate on genuinely securing systems. But discovering that the government has been running a long-term operation aimed at exploiting every scrap of insecurity it can find isn’t going to sit well with any company whose bottom line depends on keeping customer data under lock and key. The NSA’s decision to exploit bugs as opposed to helping to fix them means that other groups that discover the same flaws independently have an easier time crafting their own malware to exploit flaws that were once the exclusive “property” of the NSA.

Source
http://www.extremetech.com/extreme/200998-inside-equationdrug-the-worlds-premier-nsa-backed-espionage-platform