2n+2n = a 4n Equation?

Kaspersky are hosting their fourth annual “Security Analyst Summit” this week and there have been some great presentations on topics ranging from biohacking to WiFi phishing (a full list is over at http://threatpost.com/category/sas).

The keynote presentation that has made all the headlines, however, is their detection and research on the so-called “Equation Group” APT. Hyperbole and slick marketing gloss aside, there is a wealth of technical information detailed by Kaspersky that really does make it seem like this is one of the most advanced pieces of cyber-espionage code ever discovered.

Originating sometime around 2001 and running up until the current day (well, Monday at least), the “Equation Group” have authored at least nine different variations of malware (or “implants”, as Kaspersky are calling them). Each of these uses a set of plugins (sound familiar, Metasploit?) which provide different types of functionality. The plugins do everything from bespoke encryption and virtual file system implementation through to keylogging and data exfiltration – all in a very professional and thoughtfully designed manner.

The most remarkable of these is something called the ‘nls_933w.dll’ module. This module is designed to detect the particular model of hard drive used by a target and then silently rewrite the drive’s firmware to provide a permanent back-door into that machine. With bespoke code for multiple different hard drive vendors, there is no doubt this tool took significant resources to develop, and more than anything else it points the finger at a nation state being behind the ‘Equation Group’. Of course, the location of the victims (Iran, Afghanistan, Pakistan, etc.) also strongly suggests a Western political motive.

So whilst we don’t expect to see the C&C IP addresses show up talking to any of our customers’ networks (we’ve looked), a genuine concern is whether, now that this bag of tricks has been exposed, it will provide a handbook for more run-of-the-mill malware authors to follow. A version of Cryptolocker that persists in hard drive firmware, anyone?

On a more positive note, the fact that these decade-long malware campaigns are not only being detected but also comprehensively analysed shows that the tools available to the security industry are maturing and our understanding of malicious actors is improving.

Kaspersky have been able to sift through terabytes of logs spanning many years to identify indicators of compromise, pivot around these events and then work backwards through the actions of the attackers to understand what happened to their victims. It is a similar methodical process to the one our SOC undertakes when investigating customer security incidents using our managed service SIEM platform.

If you’d like to understand more about what our managed security services can offer your business when it comes to security event alerting and analysis then don’t hesitate to get in touch – [email protected] or call 020 7517 3900.