Equation group

With operations predating at least 2001, Equation group is one of the most persistent and arguably, the most sophisticated threat groups in operation. Equation Group was discovered during Russian cyber-security firm, Kaspersky’s investigation into the Regin threat group. Kaspersky attributes Equation Group to the United States National Security Agency; however, definitive evidence of attribution remains absent. Equation group’s name derives from their employment of encryption and obfuscation strategies throughout their operations. The RC5 encryption algorithm is deployed throughout the malware and additional encryption algorithms RC6, RC4, and AES are added in other modules. Some of the attribution of the group to the United States comes from similarities between the malware platform and exploits to Stuxnet and the Gauss malware. Equation Group has globally targeted more than 500 victims in over 30 countries including Iran, Russia, Syria, Afghanistan, Kazakhstan, Belgium, Somalia, Hong Kong, Libya, United Arab Emirates, Iraq, Nigeria, Ecuador, Mexico, Malaysia, United States, Sudan, Lebanon, Palestine, France, Germany, Singapore, Qatar, Pakistan, Yemen, Mali, Switzerland, Bangladesh, South Africa, Philippines, United Kingdom, India and Brazil. Targets are affiliated with government institutions, diplomatic organizations, the telecommunication sector, aerospace firms, energy companies, nuclear research facilities, oil and gas companies, military systems, nanotechnology research facilities, Islamic activists and scholars, mass media outlets, the transportation sector, financial institutions, and companies developing cryptographic technologies. It is possible that even more infections remain undiscovered. Kaspersky estimates that Equation Group attacked 2000 targets per month in 2008; although, the estimate seems generous. Equation Group’s known C&C infrastructure spans more than 300 domains on over 100 servers.

EQUATIONGROUP