
At Least This Time It Was OUR OWN Barbarians

The Latest Advanced Persistent Threat (APT) Comes from the “Home Team”

Just 48 hours after the world discovered the Carbanak APT …

“[Carbanak] is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert.”
Chris Doggett (security vendor Kaspersky Labs)—14 February 2015

… We learned about a far, FAR more sophisticated and long-lived APT:

“As we uncover more [Equation Gang] cyber-espionage operations we realize how little we understand about the true capabilities of these threat actors.”
Costin Raiu (security vendor Kaspersky Labs)—16 February 2015

The cyber detectives at Kaspersky Labs are very good and clearly VERY busy. The same week they pulled the covers off of the Carbanak APT, they reported a heretofore unimaginable APT attributed to the actor they call the “Equation Group” (the “Equation Gang,” in this article’s shorthand).

“We call this threat actor the Equation Group because of their love for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations.”
Kaspersky Labs, Equation Group: Questions and Answers—February 2015

The Q&A report cited above is an outstanding read—seriously, take the time to absorb it—and it represents more than a year of jaw-dropping detective work from the A-team at Kaspersky. Reading the Q&A, you see the tremendous respect they have for the Equation Gang, an actor tied closely to the teams behind Flame and Stuxnet: Kaspersky found the group using zero-day exploits before those two operations did, and sharing infrastructure and code with them. Quite remarkably, those two well-known APTs were satellites of a larger cyber-espionage PLATFORM, one Kaspersky dates to 2001 and possibly as early as 1996.

[Figure 1 (image not reproduced): the modules of the Equation Group platform. Source: Kaspersky Labs]

You will be pleased to know that I am NOT going to dive into each of the modules above; after my previous mini-novel, I am shooting for a manageable thousand words for the sake of our collective sanity.

Our Own Barbarians

PLEASE do not read any political undertones into the above term; it is purely a riff on the title of my last article. Cutting to the chase, it is crystal clear (to me, at least; Kaspersky itself pointedly declines to name a country) that the Equation Group platform was developed by the NSA’s offensive cyber operators. This is a truly elite team of cryptographers and hackers, using the latter term in the context of high praise for their elegant and effective tools. On the off chance that “crystal clear” is too declarative for skeptical readers, take a quick peek at where the infections were discovered (Figure 2, Kaspersky’s victim map).

[Figure 2 (image not reproduced): map of the countries where Equation Group infections were found. Source: Kaspersky Labs]

Alrighty then. All politics aside, the NSA has a remit to operate overseas, and this platform was HIGHLY targeted; remarkably so, given the tendency of malware to get out of hand. As documented in my last piece, an attack team interacts with and directs the malware. Indeed, the attack begins with a small first-stage implant (Kaspersky calls it DoubleFantasy, a “validator”) that simply:

  • Establishes communication with the command-and-control (C&C) servers,
  • Where an attack team determines if the infected machine is of interest,
  • And if so, downloads a far more invasive and observant platform (Kaspersky’s names for the full platforms are EquationDrug and its successor, GrayFish).

Infection of other machines was managed by the attack team, per our earlier Flame discussion. The entire operation remained closely managed by the attack teams, one imagines primarily to remain undiscovered as long as possible. As casually mentioned earlier, “as long as possible” in this case worked out to be 14+ years … no mean feat.

Obfuscation, Inc.

One of the most complex mechanisms in the Equation Group platform is an encrypted virtual file system that holds the malware modules. Hold onto something here: we are about to see why Team Kaspersky has so much admiration for the Equation Gang. That encrypted virtual file system? It lives inside the Windows Registry.

Read those last two sentences again: the malware modules were NOT hidden in co-opted DLLs or anywhere else on the NTFS file system, where a particularly clever anti-malware scanner might stumble across them. They were stored, encrypted, as registry values, amid the incomprehensible hive of keys and values. Only a small loader has to live outside the registry (in GrayFish’s case a bootkit that takes control during boot, decrypts the modules and runs them from memory), and that loader is the one foothold a defender can realistically hope to catch.
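As an added example (mine, not code from the article or from Kaspersky’s report), here is one hunting heuristic for this technique: walk a regedit export and flag large binary values whose byte entropy approaches 8 bits per byte, the fingerprint of ciphertext among the icons, MRU lists and config structs that normally populate a hive. The sample export, its key paths and value names are constructed for the demo; the registry locations the real implant used are not given on this page.

```python
"""Hunt for large, high-entropy binary values in a regedit (.reg) export.

Added example for the 'encrypted virtual file system in the registry' trick:
encrypted data is close to uniformly random, so a big hex: value whose byte
entropy approaches 8.0 stands out from ordinary registry contents.
"""
import hashlib
import math
import re
from collections import Counter

# One value line in a .reg export:  "Name"=hex:aa,bb,...  or  "Name"=hex(3):aa,...
# (@ is the key's default value). Continuation lines are joined before matching.
HEX_VALUE_RE = re.compile(
    r'^(?P<name>@|"(?:[^"\\]|\\.)*")=hex(?:\((?P<type>[0-9a-f]+)\))?:(?P<data>.*)$',
    re.IGNORECASE,
)


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_reg_export(text: str):
    """Yield (key_path, value_name, raw_bytes) for every hex: value in the export.

    regedit wraps long byte lists: the line ends in a backslash and the next
    line is indented. Those pieces are glued back together before decoding.
    """
    key = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = HEX_VALUE_RE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group("name") == "@" else m.group("name").strip('"')
        hexbytes = [h for h in m.group("data").split(",") if h.strip()]
        yield key, name, bytes(int(h, 16) for h in hexbytes)


def scan_reg_export(text: str, min_size: int = 1024, min_entropy: float = 7.0):
    """Return the binary values that look like stored ciphertext."""
    hits = []
    for key, name, data in parse_reg_export(text):
        ent = shannon_entropy(data)
        if len(data) >= min_size and ent >= min_entropy:
            hits.append({"key": key, "name": name, "size": len(data), "entropy": round(ent, 3)})
    return hits


def _as_reg_hex(data: bytes, per_line: int = 25) -> str:
    """Format bytes the way regedit does: comma-separated hex, wrapped with '\\'."""
    rows = [",".join(f"{b:02x}" for b in data[i:i + per_line]) for i in range(0, len(data), per_line)]
    return ",\\\n  ".join(rows)


# Constructed sample export (assumption: key paths and value names are invented
# for the demo). The "Blob" value is 4 KiB of SHA-256 output standing in for an
# encrypted module; the "Icon" value is 48 zero bytes standing in for benign data.
_PSEUDO_CIPHERTEXT = b"".join(
    hashlib.sha256(b"demo" + i.to_bytes(2, "big")).digest() for i in range(128)
)
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Vendor\\App]\n"
    '"InstallPath"="C:\\\\Program Files\\\\App"\n'
    '"Enabled"=dword:00000001\n'
    '"Icon"=hex:' + _as_reg_hex(bytes(48)) + "\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0000-DEMO}\\Data]\n"
    '"Blob"=hex:' + _as_reg_hex(_PSEUDO_CIPHERTEXT) + "\n"
)

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG):
        print(hit)
```

On a real box, produce the input with `reg export HKLM\SOFTWARE hklm-software.reg` (and the same for HKLM\SYSTEM and each user hive) and feed the file to `scan_reg_export`. Expect false positives from compressed or already-encrypted data that legitimately lives in the registry (thumbnail caches, DPAPI blobs, some installer state); the value of the heuristic is producing a short list to review, not a verdict.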

Mind the Gap

One of the fundamental tenets of high-level computer security is that the most secretive, sensitive machines are physically not connected to the main (black, unclassified) network. These machines may be connected via their own (red, classified) network, but the two networks never, EVER connect to each other. This truly physical isolation is called an AIR GAP, and it provides appropriately paranoid IT people with a strong sense of security.

One of the most notable accomplishments of the Equation Group platform was ‘jumping’ the air gap with a bleeding-edge USB worm (Kaspersky calls it Fanny).

A targeted machine (on a black network), infected as described in the bullets above and under direction of the attack team, copies the worm onto any USB drive plugged into it. Two zero-day exploits, unknown to anyone else at the time (both later turned up in Stuxnet), let the worm execute as soon as the drive was opened on the next machine: no Autorun, no user click, and no signature for an anti-malware scanner to match. USB drives are the mechanism of choice for physically bridging the air gap.

Some of these infected USB drives were, indeed, connected to a red network, where they unloaded modules of the Equation Gang platform. Machines on the red network, thought to be safe from malware thanks to the air gap, were thus infected. These infected machines would carry out the full array of cyber-espionage: keylogging, screen grabs, audio recording, network mapping, file copying, etc. “But thanks to the air gap,” you’re thinking, “none of that collected G2 (intelligence, in military shorthand) can be transmitted back to the C&C servers.”

This is the strikingly clever bit: USB drives acted as bi-directional ‘couriers’ between the black and red networks, using a hidden storage area on the stick that the file system never shows. An infected machine on the red network would write its collected G2 (encrypted, naturally) into that area the next time a USB drive was attached. When the same drive was later plugged into an infected machine on the black network, the entire G2 package was uploaded to the C&C server, and a new set of commands and modules was written onto the drive, awaiting physical transfer across the air gap onto the red network.

Even if the USB drives were used ONCE (black-to-red or red-to-black) and destroyed, the malware would infect brand-new USB drives upon insertion. This is cyber-espionage with an emphasis on the ESPIONAGE and full-on tradecraft.
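As an added example (mine, not Kaspersky’s or the article’s), the host-side check a practitioner would want for a suspect courier stick: parse the MBR of a raw image of the drive, work out which sectors no partition claims, and report any unallocated sectors that are not blank. The image, its partition layout and the stash location are constructed for the demo. One caveat matters: this only finds a stash the host can see, as on a USB stick. Sectors concealed by reprogrammed drive firmware, which this article gets to shortly, never reach the host at all, so no host-side scan can reach them.

```python
"""Find data parked outside any partition on a raw MBR disk image.

Added example for the USB 'courier' technique: the simplest place to hide an
encrypted package from the file system is unallocated space, i.e. the gap
between the MBR and the first partition, or the tail of the device after the
last partition. A blank device has only zeros there.
"""
import hashlib
import struct

SECTOR = 512
MBR_PART_TABLE_OFFSET = 446
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr_partitions(image: bytes):
    """Return [(lba_start, sector_count, partition_type)] for used MBR slots."""
    if len(image) < SECTOR or image[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR signature at offset 510")
    parts = []
    for slot in range(4):
        off = MBR_PART_TABLE_OFFSET + 16 * slot
        # entry layout: status(1) chs_start(3) type(1) chs_end(3) lba_start(4 LE) count(4 LE)
        _status, ptype, lba, count = struct.unpack_from("<B3xB3xII", image, off)
        if ptype != 0 and count != 0:
            parts.append((lba, count, ptype))
    return sorted(parts)


def unallocated_ranges(image: bytes):
    """LBA ranges [start, end) that no partition claims; sector 0 (the MBR) is excluded."""
    total = len(image) // SECTOR
    ranges = []
    cursor = 1
    for lba, count, _ptype in parse_mbr_partitions(image):
        if lba > cursor:
            ranges.append((cursor, lba))
        cursor = max(cursor, lba + count)
    if cursor < total:
        ranges.append((cursor, total))
    return ranges


def scan_slack(image: bytes):
    """Report each unallocated range that contains non-zero sectors."""
    findings = []
    for start, end in unallocated_ranges(image):
        dirty = [lba for lba in range(start, end)
                 if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
        if dirty:
            findings.append({"range": (start, end), "dirty_sectors": len(dirty),
                             "first": dirty[0], "last": dirty[-1]})
    return findings


def build_sample_image(total_sectors=2048, part_lba=64, part_count=1024,
                       stash_lba=1500, stash_sectors=32) -> bytes:
    """Constructed 1 MiB stick image: one FAT32 partition plus a stash in the tail.

    Assumption: the layout and the stash location are invented for the demo.
    """
    img = bytearray(total_sectors * SECTOR)
    # slot 0: bootable (0x80), type 0x0C (FAT32 LBA); CHS fields left as zeros
    struct.pack_into("<B3xB3xII", img, MBR_PART_TABLE_OFFSET, 0x80, 0x0C, part_lba, part_count)
    img[510:512] = MBR_SIGNATURE
    # something inside the partition so it is not mistaken for an empty device
    img[part_lba * SECTOR:part_lba * SECTOR + 8] = b"DEMOFS  "
    # the stash: SHA-256 output standing in for an encrypted courier package
    stash = b"".join(hashlib.sha256(b"courier" + i.to_bytes(2, "big")).digest()
                     for i in range(stash_sectors * SECTOR // 32))
    img[stash_lba * SECTOR:stash_lba * SECTOR + len(stash)] = stash
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print("partitions:", parse_mbr_partitions(sample))
    print("unallocated:", unallocated_ranges(sample))
    for f in scan_slack(sample):
        print("non-blank slack:", f)
```

To run it against a real stick, image the whole device first (`dd if=/dev/sdX of=stick.img bs=1M` on Linux) and pass the file contents to `scan_slack`; reading a flash drive into memory is fine, but for a large disk you would stream sector ranges instead. The parser handles classic MBR layouts only; a GPT disk needs its own table parser, and non-zero slack on a reused drive is often just remnants of an old partition, so treat a hit as something to image and examine, not as proof.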

Even More Perfect Stealth

An encrypted virtual file system sitting in the Windows Registry, where file-oriented anti-malware scanners do not look and where the encrypted blobs give a signature scanner nothing to match; now THAT is stealthy. What could possibly provide more perfect stealth?

“Although the implementation of their malware systems is incredibly complex … there is one aspect of the Equation Group’s attack technologies that exceeds anything we have ever seen before. THIS IS THE ABILITY TO INFECT THE HARD DRIVE FIRMWARE.”
Kaspersky Labs, Equation Group: Questions and Answers—February 2015

Holy shit. 

Under direction of the attack team, the VERY HIGHEST VALUE target machines were infected in a manner never before seen in the wild: reprogramming the firmware of the main hard drive (spinning or flash) and carving out a set of hidden sectors that the reprogrammed firmware conceals from the host. As the decompiled code below shows, the module carried firmware-specific routines for drives from the major vendors.

[Figure 3 (image not reproduced): decompiled code from the firmware-reprogramming module, listing the hard drive vendors it supports. Source: Kaspersky Labs]

A machine infected with this specially targeted technique COULD NOT BE SCRUBBED by any normal means. Under the most paranoid IT process, an especially sensitive machine might be re-formatted periodically and a completely fresh OS installed. Formatting never touches drive firmware or the sectors it hides, so a machine with compromised firmware could be re-infected every time. Kaspersky lists two purposes for the module: an extreme level of persistence that survives disk formatting and OS reinstallation, and an invisible, persistent storage area inside the drive. The only sure way to rid such a machine of the Equation Gang platform is to pull the hard drive, replace it, and destroy the old one.

So it took all of 48 hours for Carbanak to lose its status as “the most sophisticated attack the world has seen.” For everyone’s sake, let’s hope that the work of the Equation Gang is not superseded any time soon. Unfortunately, the platform, or at least its methods, could be repurposed as-is:

“Today’s top-secret programs become tomorrow’s PhD theses and the next day’s hacker tools.”
Bruce Schneier (highly respected authority on cyber-security)—February 2015

One thought on “At Least This Time It Was OUR OWN Barbarians”

  1. The “Holy Shit” is that every flaw/backdoor they use will be reverse engineered and directed against us. And our home team isn’t helping close those newly discovered back doors (attack vectors) to protect us.
