RESEARCH BLOG

The Equation Infection

Since Edward Snowden's leak of NSA documents, a wave of disclosures has revealed the scope of the monitoring carried out by intelligence agencies around the world. From time to time more information emerges about the depth of this monitoring activity and, on the other hand, about how exposed we are in even the most basic activities of our modern computerized world.

On February 16, a new type of spyware was discovered that hides deep inside hard disks from manufacturers such as Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc., Samsung Electronics Ltd. and others.

The spyware appears able to monitor the activity of most PCs around the world, including computers in a wide range of sectors such as government and military, corporate communications and energy, banking, media, nuclear research and extremist groups, in at least 30 countries, led by Iran and followed by Russia, Pakistan, Afghanistan, China, Mali, Syria and Algeria.

While we still cannot point the finger at the state behind this cyber espionage operation, the spyware appears closely related to another cyber espionage project, Stuxnet, which back in 2010 hit Iran’s nuclear facilities.

The creators of this new project were given the name “The Equation group”, a highly secretive computer espionage group that used a variety of means to spread its spyware, including hacking into extremists’ remote sites, infecting USB devices and CDs, and developing components with backdoor, worm and spying capabilities. One component is a worm named ‘Fanny’, which spreads by infecting USB drives with a .LNK file; that .LNK file exploits a zero-day vulnerability to launch an executable that infects the victim’s computer.

The spyware then steals information from the computer by copying it onto any USB drive connected to the computer, so a spy could simply plug in a USB drive and retrieve the information instantly.
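From a defender's side, the USB-borne .LNK vector described above is something that can be audited on removable media before anyone opens the drive. The following Python is an added example written for this post, not code from the original article, from the Equation group research or from any malware sample: it implements a minimal parser for the Windows Shell Link (.LNK) header and StringData section and a heuristic that lists shortcuts whose target is an executable stored on the same drive. The sample drive contents, the file names and the helper functions build_lnk(), parse_lnk() and audit_removable_drive() are all constructed for the example; the heuristic is generic and is not a signature for ‘Fanny’.

```python
"""Audit Windows shortcut (.LNK) files found on a removable drive.

Added example, not code from the article or from any malware sample. It parses
the MS-SHLLINK header and StringData section and flags shortcuts whose target is
an executable stored on the same drive. All sample files are constructed in memory.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the Shell Link header (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]

EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")


def build_lnk(relative_path=None, arguments=None, icon_location=None, unicode=True):
    """Build a minimal .LNK (76-byte header + StringData) for the constructed samples."""
    fields = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    flags = IS_UNICODE if unicode else 0
    for key, bit in STRING_FIELDS:
        if fields.get(key) is not None:
            flags |= bit
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0)  # HeaderSize, CLSID, LinkFlags, FileAttributes
    header += b"\x00" * 24                                        # Creation/Access/Write FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)        # FileSize, IconIndex, ShowCommand, HotKey, reserved
    body = b""
    for key, _ in STRING_FIELDS:
        value = fields.get(key)
        if value is None:
            continue
        encoded = value.encode("utf-16-le") if unicode else value.encode("cp1252")
        body += struct.pack("<H", len(value)) + encoded           # CountCharacters, then the string
    return header + body


def parse_lnk(data):
    """Return LinkFlags and StringData fields; skips IDList and LinkInfo if present."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]         # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]             # LinkInfoSize covers the whole block
    info = {"flags": flags}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        pos += count * width
        info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return info


def audit_removable_drive(files):
    """files maps a path on the drive to its bytes; returns [(lnk_path, [reasons])]."""
    on_drive = {p.lower() for p in files}
    findings = []
    for path, data in files.items():
        if not path.lower().endswith(".lnk"):
            continue
        try:
            info = parse_lnk(data)
        except ValueError as exc:
            findings.append((path, [f"unparseable shortcut: {exc}"]))
            continue
        reasons = []
        # Normalise the relative target so it can be matched against drive contents.
        target = (info.get("relative_path") or "").lower().replace("/", "\\").lstrip(".\\")
        if target.endswith(EXECUTABLE_EXTS) and target in on_drive:
            reasons.append(f"target '{target}' is an executable stored on this drive")
        args = (info.get("arguments") or "").lower()
        if any(ext in args for ext in EXECUTABLE_EXTS):
            reasons.append(f"arguments reference an executable: {args!r}")
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed sample drive: a benign shortcut to a system tool, a shortcut that
# launches a payload stored in a folder Explorer normally hides, and a corrupt file.
SAMPLE_DRIVE = {
    "Photos\\summer.jpg": b"\xff\xd8 constructed image stub",
    "report.docx.lnk": build_lnk(relative_path=".\\System Volume Information\\update.exe",
                                 arguments="/q", icon_location="%SystemRoot%\\system32\\shell32.dll"),
    "System Volume Information\\update.exe": b"MZ constructed stub",
    "readme.lnk": build_lnk(relative_path="..\\..\\Windows\\notepad.exe", unicode=False),
    "broken.lnk": b"not a shortcut",
}

if __name__ == "__main__":
    for lnk_path, reasons in audit_removable_drive(SAMPLE_DRIVE):
        print(lnk_path, "->", "; ".join(reasons))
```

The parser deliberately stops at the StringData section: the IDList and LinkInfo blocks are skipped by their own size fields rather than decoded, which is enough for a first-pass triage of a drive's shortcuts, and any shortcut that cannot be parsed is reported rather than silently ignored.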

The project’s zero-day exploits were also used in the Stuxnet project, which could indicate a connection between the two, and raises the possibility that the ‘Fanny’ worm was used to spread and find targets for Stuxnet as well.

This project is a technological breakthrough that allows malicious software to be inserted into hardware components, so that the malicious code runs from the moment the computer is turned on.

In addition to gathering intelligence, this technology allows the computer to be re-infected again and again. However, research reveals that despite this general infection potential, the target computers were carefully selected by the espionage operation.