The Equation Group is a sophisticated cyber threat actor group that employs multiple remote access tools and is known for using zero-day exploits. Additionally, the group’s software is capable of overwriting disk drive firmware. The Equation Group began to engage in advanced cyberattacks in 2001. The Equation Group has demonstrated the use of multiple malware platforms of high complexity and sophistication. As a result, some threat researchers have categorized them as one of the most advanced threat actors in the world, if not the most advanced.
The Equation Group is said to have acquired its moniker because of its frequent use of encryption, the strategies it employs to camouflage its activity, and the sophisticated methods it demonstrates. Every line of its code that has been exposed appears to be flawless. This level of sophistication is quite unusual. The quality and complexity of the work suggest a highly trained and coordinated attack campaign development team with multiple layers of review and oversight. The code, processes, and procedures are aligned with military precision, suggesting work that only the resources of a nation-state could adequately fund.
Threat researchers have noted that the Equation Group uses a few distinctive implementations of the RC5 encryption algorithm within its malware. In addition, the group has been observed using RC6, RC4, AES, and other cryptographic functions and hashes. One Russia-based threat research organization appears to have documented over 500 cyberattacks by the Equation Group in more than 40 countries. Generally, the malware includes a “self-destruct” mechanism, which significantly reduces the forensic evidence available to determine the exact number of targeted organizations and individuals.
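A common triage step for the crypto usage described above is to look for the published RC5/RC6 key-schedule constants in a dumped binary, since a compiled key schedule embeds them as immediates. The following is an added example written for this page, not code from the original article or from any vendor's report; the sample buffers are constructed filler, not real malware bytes, and the `window` heuristic is an assumption of this example.

```python
import struct
from typing import List, Tuple

# Published RC5/RC6 key-schedule constants for 32-bit words (Rivest, 1994):
# P32 = Odd((e - 2) * 2**32) and Q32 = Odd((phi - 1) * 2**32).
RC5_P32 = 0xB7E15163
RC5_Q32 = 0x9E3779B9

Hit = Tuple[int, str, str]  # (offset, constant name, byte order)


def find_rc5_constants(data: bytes) -> List[Hit]:
    """Locate every occurrence of P32 and Q32 in a byte buffer, in either byte order.

    Compiled key-schedule loops embed these constants as immediates, so they are
    easy to spot in a dumped section even when the surrounding code is unusual.
    """
    hits: List[Hit] = []
    for name, value in (("P32", RC5_P32), ("Q32", RC5_Q32)):
        for order, fmt in (("little", "<I"), ("big", ">I")):
            needle = struct.pack(fmt, value)
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits.append((idx, name, order))
                start = idx + 1
    return sorted(hits)


def looks_like_rc5_key_schedule(hits: List[Hit], window: int = 128) -> bool:
    """Require P32 and Q32 within `window` bytes of each other (assumed heuristic).

    Q32 alone is a weak signal: the same golden-ratio constant is the TEA/XTEA
    delta and shows up in Fibonacci hashing. The pair is what marks RC5/RC6.
    """
    p_offsets = [off for off, name, _ in hits if name == "P32"]
    q_offsets = [off for off, name, _ in hits if name == "Q32"]
    return any(abs(p - q) <= window for p in p_offsets for q in q_offsets)


# Constructed sample buffers (not real malware bytes): NOP filler with the
# constants embedded the way an x86 compiler emits little-endian immediates.
SAMPLE_RC5_LIKE = (
    b"\x90" * 16
    + b"\xb8" + struct.pack("<I", RC5_P32)      # mov eax, P32
    + b"\x90" * 20
    + b"\x05" + struct.pack("<I", RC5_Q32)      # add eax, Q32
    + b"\x90" * 16
)
# Only the golden-ratio constant: consistent with TEA, not with RC5/RC6.
SAMPLE_TEA_LIKE = b"\x90" * 16 + b"\x05" + struct.pack("<I", RC5_Q32) + b"\x90" * 16


def triage(data: bytes) -> dict:
    """Summarise what the scanner found for one buffer."""
    hits = find_rc5_constants(data)
    return {"hits": hits, "rc5_key_schedule": looks_like_rc5_key_schedule(hits)}


if __name__ == "__main__":
    for label, buf in (("rc5-like", SAMPLE_RC5_LIKE), ("tea-like", SAMPLE_TEA_LIKE)):
        print(label, triage(buf))
```

Run it on a memory dump or an unpacked section rather than a packed file: the constants only become visible once the code is in its executable form. A hit on the pair tells an analyst where the key schedule lives, which is the starting point for comparing one sample's implementation against another's.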
Typical of advanced nation-state threat groups, the Equation Group is said to have developed USB stick-based reconnaissance malware to bridge and map air-gapped networks that are not connected to the Internet. Stuxnet also did this. Such tools are only worth the investment to nation-states that seek to penetrate secure military facilities, intelligence organizations, and perhaps nuclear facilities. Alternatively, they can target the laptops and tools of the contractors who transit in and out of these organizations to bring new software updates and deliverables into the secure environment.
Per some threat researchers, custom attack platforms, trojans, worms, and backdoors used by the Equation Group include EquationDrug, DoubleFantasy, Equestre (same as EquationDrug), TripleFantasy, GrayFish, Fanny, and EquationLaser.
MITRE ATT&CK shows that the Equation Group has used the following Enterprise techniques:
- T1480 – Execution Guardrails: Observed using environmental keying in payload delivery.
- T1564 – Hide Artifacts: Hidden File System: Used an encrypted virtual file system stored within the Windows Registry.
- T1120 – Peripheral Device Discovery: Used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.
- T1542 – Pre-OS Boot: Component Firmware: Can overwrite the firmware on hard drives from some manufacturers.
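The hidden-file-system technique in the list above (an encrypted virtual file system stored in the Windows Registry) leaves a measurable trace: a registry value that is far larger and far more random-looking than the structured binary data the registry normally holds. The following is an added example for this page, not code from the original article or from MITRE; the size and entropy thresholds are assumptions of the example, and the registry values it scans are constructed in the block so it runs offline.

```python
import math
import random
from typing import Iterable, List, NamedTuple


class RegValue(NamedTuple):
    key: str
    name: str
    kind: str      # "REG_BINARY", "REG_SZ", "REG_DWORD", ...
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_registry_blobs(values: Iterable[RegValue],
                              min_size: int = 4096,
                              min_entropy: float = 7.2) -> List[dict]:
    """Flag REG_BINARY values large and random-looking enough to be encrypted storage.

    Ordinary binary values (window layouts, MRU lists, small structs) are short and
    structured; an encrypted container parked in the registry is long and nearly
    incompressible. Size and entropy together (thresholds assumed) cut most noise.
    """
    findings = []
    for v in values:
        if v.kind != "REG_BINARY" or len(v.data) < min_size:
            continue
        ent = shannon_entropy(v.data)
        if ent >= min_entropy:
            findings.append({"key": v.key, "name": v.name,
                             "size": len(v.data), "entropy": round(ent, 2)})
    return sorted(findings, key=lambda f: f["size"], reverse=True)


# Constructed sample values (not taken from any real host). A seeded generator
# stands in for ciphertext so the result is reproducible.
_rng = random.Random(7)
SAMPLE_VALUES = [
    RegValue(r"HKLM\SOFTWARE\Example\Settings", "Flags", "REG_DWORD", b"\x01\x00\x00\x00"),
    RegValue(r"HKCU\Software\Example\App", "LastPath", "REG_SZ", "C:\\Users\\x".encode("utf-16-le")),
    # Large but highly structured: repeating pattern, entropy 1.0 bit/byte.
    RegValue(r"HKCU\Software\Example\App", "Layout", "REG_BINARY", b"\x00\x01" * 4096),
    # Large and incompressible: what an encrypted container looks like.
    RegValue(r"HKLM\SOFTWARE\Example\Cache", "Blob", "REG_BINARY",
             bytes(_rng.getrandbits(8) for _ in range(16384))),
    # Random but tiny: below the size floor, so not reported.
    RegValue(r"HKLM\SOFTWARE\Example\Cache", "Nonce", "REG_BINARY",
             bytes(_rng.getrandbits(8) for _ in range(16))),
]


if __name__ == "__main__":
    for finding in suspicious_registry_blobs(SAMPLE_VALUES):
        print(finding)
```

On a live Windows host the same function can be fed from a `winreg` walk of the hives or from a parsed offline hive export; the point of the heuristic is to surface candidates for a human to examine, since a few legitimate products also store compressed or encrypted blobs in the registry.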