Equation Group

As described by its discoverers at Kaspersky Lab, the Equation Group is the NSA's group of hackers who write code to exploit systems worldwide. At the Kaspersky Security Analyst Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. With more than 60 actors, the group has been active since at least 2001.

Why known as Equation Group?

As per the Kaspersky Securelist report that I read, the Equation Group is so called because of their constant usage of encryption and obfuscation strategies in all their operations.

Most sophisticated thing about the EQUATION group

EQG, also called "an elite cyber-attack team", has to have something that makes it stand out, and that is the group's ability to infect hard drive firmware. Kaspersky managed to extract two hard drive firmware modules, namely the EQUATIONDRUG HDD firmware module and the GRAYFISH reprogramming firmware module.
Analysis showed that the modules support two main functions:

  • Reprogramming the HDD firmware with a custom payload.
  • Providing an API into a set of hidden sectors of the hard drive.

Such an interesting creation was concluded to be unique, meaning the modules were created for special victims or circumstances. The Equation Group also interacted with other powerful groups, such as those behind Stuxnet and Flame.
Well that’s enough about EQG!

Shadow Brokers

The name Shadow Brokers is derived from a character in the video game Mass Effect. A mysterious group of hackers known as the Shadow Brokers started an auction after claiming that they had hacked the computer systems used by the Equation Group. A set of private hacking tools was dumped by the group on GitHub and Tumblr. The Shadow Brokers published the data in two parts:

  • One part includes several hacking tools designed to inject malware into numerous servers.
  • The other is an encrypted file whose decryption key was put up for sale in an auction.

Mostly the files contained installation scripts, configurations for command-and-control servers and, apparently, exploits designed to target routers and firewalls from American manufacturers including Cisco, Fortinet, and Juniper. The majority of the code seems to be batch scripts and poorly written Python scripts which together appear to form a toolkit against firewalls. Below are the four-letter codenames from the EXPLOITS folder:

  • EGBL = EGREGIOUS BLUNDER (Fortigate firewall HTTPD exploit, apparently a 2006 CVE)
  • ELBA = ELIGIBLE BACHELOR
  • ELBO = ELIGIBLE BOMBSHELL (Chinese TOPSEC firewall versions 3.3.005.057.1 to 3.3.010.024.1)
  • ELCA = ELIGIBLE CANDIDATE
  • ELCO = ELIGIBLE CONTESTANT
  • EPBA = EPIC BANANA
  • ESPL = ESCALATE PLOWMAN
  • EXBA = EXTRA BACON (Cisco Adaptive Security Appliance v8.0 to v8.4)

Here is the correlation of the older Equation RC6 code and the code from the new leak, which shows that they have identical functionality and share specific peculiarities in their usage:
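As an added illustration (not code from the original post, from Kaspersky or from the leak), the following Python implements the standard RC6 key schedule and block encryption and shows the defender-side angle of such a comparison: a compiled RC6 key schedule embeds the seed constants P32 and Q32 as immediates, so scanning a sample for them is a cheap first-pass crypto fingerprint. The byte buffer scanned at the end is constructed here, and the particular code from the missing comparison image is not reproduced.

```python
import struct

# RC6 key-schedule constants from the RC6 specification (w = 32):
# P32 = Odd((e - 2) * 2^32), Q32 = Odd((phi - 1) * 2^32).
P32, Q32, MASK32 = 0xB7E15163, 0x9E3779B9, 0xFFFFFFFF

def rotl32(x, n):
    n &= 31  # only the low lg(w) = 5 bits of the rotation amount are used
    return ((x << n) | (x >> (32 - n))) & MASK32

def rc6_key_schedule(key, rounds=20):
    """Expand a 16/24/32-byte key into 2*rounds+4 round keys (RC6 spec)."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(c * 4, b"\0")))
    t = 2 * rounds + 4
    S = [(P32 + i * Q32) & MASK32 for i in range(t)]  # table seeded from P32/Q32
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl32((S[i] + A + B) & MASK32, 3)
        B = L[j] = rotl32((L[j] + A + B) & MASK32, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc6_encrypt_block(block, S, rounds=20):
    """Encrypt one 16-byte block with the expanded key S (RC6-32/20)."""
    A, B, C, D = struct.unpack("<4I", block)
    B, D = (B + S[0]) & MASK32, (D + S[1]) & MASK32
    for r in range(1, rounds + 1):
        t = rotl32((B * (2 * B + 1)) & MASK32, 5)
        u = rotl32((D * (2 * D + 1)) & MASK32, 5)
        A = (rotl32(A ^ t, u) + S[2 * r]) & MASK32
        C = (rotl32(C ^ u, t) + S[2 * r + 1]) & MASK32
        A, B, C, D = B, C, D, A
    A, C = (A + S[2 * rounds + 2]) & MASK32, (C + S[2 * rounds + 3]) & MASK32
    return struct.pack("<4I", A, B, C, D)

def rc6_constant_hits(blob):
    """Offsets of the 32-bit little-endian RC6 constants inside a byte buffer.
    Their presence is only a hint that a sample carries RC6 (FindCrypt-style);
    confirming it still needs a look at the surrounding code."""
    hits = {}
    for name, const in (("P32", P32), ("Q32", Q32)):
        pat, off = struct.pack("<I", const), 0
        while (off := blob.find(pat, off)) != -1:
            hits.setdefault(name, []).append(off)
            off += 1
    return hits

# Constructed stand-in for a code section: filler bytes around the two constants.
SAMPLE_BLOB = b"\x90" * 8 + struct.pack("<I", P32) + b"\xcc" * 5 + struct.pack("<I", Q32) + b"\x90" * 3
```

Encrypting the all-zero block under the all-zero key reproduces the RC6 specification's first test vector, which is how to confirm the implementation before using it to decode captured configuration data.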

What was the reason behind the hack?

The Shadow Brokers hate "Wealthy Elites". The message below was posted by the Shadow Brokers and gives their reasons for hating "Wealthy Elites".

“We have a final message for “Wealthy Elites”. We know what is wealthy but what is Elites? Elites is making laws protect self and friends, lie to other people. Elites is breaking laws, regular people go to jail, life ruin, family ruin, but not Elites. Elites is breaking laws, many people know Elites guilty. Elites call top friends at law enforcement and government agencies, offer bribes, make promise future handjobs. Elites top friends announce, no law broken, no crime commit. Reporters make living say write only nice things about Elites, convince dumb cattle, is just politics, everything is awesome, check out our ads. Then Elites runs for president. Why run for president when already control country like dictatorship? What this have do with fun Cyber Weapon Auction? We want to make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what “Equation group” can do. You see what cryptolockers and Stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+Stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where live Wealthy Elites? Maybe with dumb cattle? “Do you feel in charge?” Wealthy Elites, you send bitcoins, you bid in auction, maybe big advantage for you? “

Some say that the Shadow Brokers could be Russian, but there is also the possibility of an insider who stole the tools directly from the NSA. It is much easier for an insider to obtain the data that the Shadow Brokers put online than for anyone else, Russia included.

The naming convention of the files and the scripts in the dump are only accessible internally. These sorts of files are physically kept on a separate network that does not connect to the internet, and there is no reason to keep them on an internet-facing server, where anyone could steal them.

A mistake was made by a member of the NSA's hacking team, who left the hacking tools exposed on the server.

No information is available regarding who is behind the Shadow Brokers, or who bought the hacking tools that were put up for auction online.


Posted by Flacita Corda