Security experts at Kaspersky Lab attribute the malware they found to a group they named "Equation" after the encryption algorithms it uses. The scale of the newly discovered espionage campaign is said to overshadow everything seen before. In its blog article on Equation, Kaspersky describes the group as the "Death Star of the malware galaxy" and the "god of cyberespionage."
Equation is said to have used a number of espionage trojans, known as "implants", in its attacks. Kaspersky gave the malware it detected the names EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish.
Kaspersky describes a module called "nls_933w.dll", which the Equation Group uses to modify the firmware of hard disks. More than a dozen manufacturers are affected, including Seagate and Western Digital.
The Equation Group not only attacks Windows PCs but probably also computers running Mac OS X. There are also indications of infected iPhones. However, private users are unlikely to face increased risk from the Equation Group's malware, since according to Kaspersky the group operates with "surgical precision". Using the DoubleFantasy trojan, the attackers check whether an infected computer is of interest for an attack. If it is not, the system is cleaned again.
A look at the exploits used points to a link between the Equation Group and the authors of the Stuxnet malware. For example, the trojan christened Fanny, which was used in 2008, employed two zero-day exploits that were later used in the Stuxnet attacks. This supports the suspicion that Equation could be another espionage project of the US intelligence agency NSA.
According to Kaspersky's research, the Equation Group has been active since 2001 and has since infected tens of thousands of PCs, perhaps even tens of thousands, all over the world. Its targets are government, diplomacy, telecommunications, aviation, energy, nuclear research, oil, gas, military, nanotechnology, Islamic activists and scholars, mass media, transportation, financial institutions and companies working on encryption technologies.
Equation's attacks have concentrated mainly on Iran, Russia, Pakistan, Afghanistan, India, China, Syria and Mali. But according to Kaspersky, telecommunications facilities in the United States, among others, were also affected. The command-and-control infrastructure that controls the attacks is said to span more than 300 domains and more than 100 servers in different countries.
In the coming days Kaspersky Lab intends to publish further details on Equation. The PDF document "Equation Group: Questions and Answers" provides more detailed information and answers to the most important questions.