The American Superman

 /  March 28, 2015, 12:54 a.m.


NSA_Equation_Group_Disk

In a January 21 article for Medium, futurist Marc Goodman wrote of the need for the US government to develop a cyber Manhattan Project. The world is being connected at a breakneck pace, one that far outstrips our ability to protect even our most basic data. “[The] goal,” he argues, “would be to create a true national cyber-defense capability, one that could detect and respond to threats against our national critical infrastructures in real time.”

As it turns out, the US may have already finished such a project. It may or may not have been helmed by the NSA, and it is definitely not defensive.

The nature of the cyber Manhattan Project is a bit different than Goodman envisions. Nuclear weapons draw their defensive power from the threat of massive violence. Their strategic value is their offensive capability. Mutually assured destruction does not depend upon the kindness of others. And it seems that we are taking the offensive route again.

At a security conference in February 2015, by the beaches in Cancun, the Moscow-based security Group Kaspersky Labs released a forty-four-page document detailing the work of the Equation Group. So called because of the highly sophisticated nature of the encryption algorithms at work in its malware programs, the Equation Group has been making and releasing programs since at least the early 2000s, and perhaps even earlier. Identified as perhaps the most technologically sophisticated and dangerous cyber threat group ever discovered, the Equation Group has over five hundred victims around the world, mostly in Iran, Russia, Pakistan, Afghanistan, India, China, Syria, and Mali.

The malware is nearly undetectable, residing in the lowest levels of the hard drives of those infected. It's capable of identifying targets, taking complete control of the computer, replicating itself, and spreading to other machines. And it is impossible to delete.

The Equation Group was discovered by Kaspersky Labs in bits and pieces. While researching a cyber-attack platform called Regin, which had been used to attack a number of governments and telecom agencies, they found a mysterious software module on a computer from the Middle East. In addition to several other malware platforms, the computer had a component of previously unknown malware. Using statistical analysis and some fairly complex research, Kaspersky was able to find more malware modules and tie them back to a central platform, which it named the EQUATIONDRUG platform. By looking at similarities in the software and methods used, they were able to tie several families of incredibly sophisticated malware back to the Equation Group.

Who is behind the malware is a bit of a mystery, but the resources and complexity of the malware led Kaspersky Labs to speculate that the group was operating with nearly unlimited resources, both in terms of money and computing power. Stopping short of actually blaming the NSA, the report laid out substantial circumstantial evidence that the Equation Group and the NSA are one and the same.

According to some of the documents that Edward Snowden released to the Intercept, the NSA has long been interested in expanding its ability to hack and control computer systems in other nations. Among the agency’s exploits is a keylogger—a program that records what keys are pressed by the user, recording passwords and other sensitive information prior to encryption—that the NSA calls GROK. Kaspersky found among Equation Group's malware a “keylogger on steroids” that is also called GROK. Though the Equation Group's keylogger is more advanced, both the NSA and the Equation Group frequently build upon the foundations of their old platforms, adding functionality and more sophistication.

The NSA has, of course, refused to comment, but an anonymous former NSA employee told Reuters that the NSA had been working on technology that was identical to many of the programs unearthed by Kaspersky.

The specifics of the different malwares are complicated, but the capabilities developed by the Equation Group amount to the cyber equivalent of the Manhattan project—the most sophisticated offensive cyber weapons yet created. The Equation Group uses a number of different viruses to infect its targets. Depending on the program, once infected, the software checks to see if the computer is a desired target, often by checking where in the world the computer is located. Once the software determines whether the computer is a valid target, the code either deletes itself, or carries out its program, allowing the attacker to gain control of the information on the computer and the computer network.

The Equation Group’s most advanced malware, dubbed GRAYFISH, operates in ways that Kaspersky Labs says have never been seen before. Once the GRAYFISH module is downloaded, either by USB or by the traditional virus delivery system—visiting certain websites—GRAYFISH rewrites the firmware of the hard drive, something not seen before.

The firmware—the software that controls the electronics that the rest of the computer is stored on—is very low level, and controls how the computer turns on. All code has to go through the operating system, which itself is booted by the firmware. By rewriting the firmware, which is put on the hard drive by its manufacturer, the malware controls the entire operating system. Because the code has rewritten the hard drive firmware, there is no way to delete it. The only way to get rid of GRAYFISH is to physically destroy the hard drive.

What makes this so technologically impressive is that the code has to be rewritten to exploit every different brand of hard drive. Kaspersky Labs discovered that GRAYFISH has code to infect twelve different hard drive brands, which means that the Equation Group developed twelve unique exploits. As Wired writer Kim Zetter writes, this gives the Equation Group the ability to hide small bits of information, such as passwords, beyond the reach of anti-viruses. If the information on the computer is encrypted, then they can store the unencrypted version outside the reach of encryption software.

No current computer is safe. Computers can remain uninfected only if they are not targeted, or if they are outfitted with new hard drives with protected firmware, which first requires designing new hard drives, and then installing them in all computers.

The Equation Group revelations raise a number of troubling concerns. Private space is disappearing, with the US and the NSA effectively declaring war against the world’s encryption standards. The US has taken on the creed that national security trumps the rights and property of peoples in other nations. The list of victims extends beyond extremists and people who can be credibly labeled as terrorists. The technology for encrypting and for stealing secrets is so new that the international community has little understanding of the ramifications, but the NSA isn’t afraid of trailblazing. But whether American citizens will tolerate the new Manhattan Project has yet to be seen.


Will Craft


Search

None