Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Kapersky Lab Reveals Detailed View of Most Advanced Hacking Operation Known

Via ars technica: “… In an exhaustive report published Monday at the Kaspersky Security Analyst Summit here, researchers stopped short of saying Equation Group was the handiwork of the NSA—but they provided detailed evidence that strongly implicates the US spy agency. First is the group’s known aptitude for conducting interdictions, such as installing covert implant firmware in a Cisco Systems router as it moved through the mail. Second, a highly advanced keylogger in the Equation Group library refers to itself as “Grok” in its source code. The reference seems eerily similar to a line published last March in an Intercept article headlined “How the NSA Plans to Infect ‘Millions’ of Computers with Malware.” The article, which was based on Snowden-leaked documents, discussed an NSA-developed keylogger called Grok. Third, other Equation Group source code makes reference to “STRAITACID” and “STRAITSHOOTER.” The code words bear a striking resemblance to “STRAITBIZARRE,” one of the most advanced malware platforms used by the NSA’s Tailored Access Operations unit. Besides sharing the unconventional spelling “strait,” Snowden-leaked documents note that STRAITBIZARRE could be turned into a disposable “shooter.” In addition, the codename FOXACID belonged to the same NSA malware framework as the Grok keylogger. Apart from these shared code words, the Equation Group in 2008 used four zero-day vulnerabilities—including two that were later incorporated into Stuxnet. The similarities don’t stop there. Equation Group malware dubbed GrayFish encrypted its payload with a 1,000-iteration hash of the target machine’s unique NTFS object ID. The technique makes it impossible for researchers to access the final payload without possessing the raw disk image for each individual infected machine. The technique closely resembles one used to conceal a potentially potent warhead in Gauss, a piece of highly advanced malware that shared strong technical similarities with both Stuxnet and Flame. (Stuxnet, according to The New York Times, was a joint operation between the NSA and Israel, while Flame, according to The Washington Post, was devised by the NSA, the CIA, and the Israeli military.)”

Sorry, comments are closed for this post.