International News
See other International News Articles
Title: Suite of Sophisticated Nation-State Attack Tools Found With Connection to Stuxnet
Source:
[None]
URL Source: http://www.wired.com/2015/02/kapersky-discovers-equation-group/
Published: Feb 16, 2015
Author: Kim Zetter
Post Date: 2015-02-16 15:40:54 by A K A Stone
Keywords: None
Views: 3173
Comments: 13
CANCUN, Mexico—The last two years have been filled with revelations about NSA surveillance activities and the sophisticated spy tools the agency uses to take control of everything from individual systems to entire networks. Now it looks like researchers at Kaspersky Lab may have uncovered some of these NSA tools in the wild on customer machines, providing an extensive new look at the spy agency’s technical capabilities. Among the tools uncovered is a worm that appears to have direct connections to Stuxnet, the digital weapon that was launched repeatedly against centrifuges in Iran beginning in late 2007 in order to sabotage them. In fact, researchers say the newly uncovered worm may have served as a kind of test run for Stuxnet, allowing the attackers to map a way to targeted machines in Iran that were air-gapped from the internet. For nearly a year, the researchers have been gradually collecting components that belong to several highly sophisticated digital spy platforms that they say have been in use and development since 2001, possibly even as early as 1996, based on when some command servers for the malware were registered. They say the suite of surveillance platforms, which they call EquationLaser, EquationDrug and GrayFish, make this the most complex and sophisticated spy system uncovered to date, surpassing even the recently exposed Regin platform believed to have been created by Britain’s GCHQ spy agency and used to infiltrate computers belonging to the European Union and a Belgian telecom called Belgacom, among others. The new platforms, which appear to have been developed in succession with each one surpassing the previous in sophistication, can give the attackers complete and persistent control of infected systems for years, allowing them to siphon data and monitor activities while using complex encryption schemes and other sophisticated methods to avoid detection. The platforms also include an innovative module, the likes of which Kaspersky has never seen before, that re-flashes or reprograms a hard drive’s firmware with malicious code to turn the computer into a slave of the attackers. The researchers, who gave WIRED an advance look at their findings and spoke about them today at the Kaspersky Security Analyst Summit in Mexico, have dubbed the attackers the Equation Group and consider them “the most advanced threat actor” they’ve seen to date. The researchers have published an initial paper on their findings and plan to publish more technical details over the next few days, but there’s still a lot they don’t know about the Equation Group’s activities. “As we uncover more of these cyber espionage operations we realize how little we understand about the true capabilities of these threat actors,” Costin Raiu, head of Kaspersky’s Global Research and Analysis Team told WIRED. NSA Connections? Although the researchers have no solid evidence that the NSA is behind the tools and decline to make any attribution to that effect, there is circumstantial evidence that points to this conclusion. A keyword—GROK—found in a keylogger component appears in an NSA spy tool catalog leaked to journalists in 2013. The 53-page document details—with pictures, diagrams and secret codenames—an array of complex devices and capabilities available to intelligence operatives. The capabilities of several tools in the catalog identified by the codenames UNITEDRAKE, STRAITBAZZARE, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don’t appear in the components from the Equation Group, but Kaspersky did find “UR” in EquationDrug, suggesting a possible connection to UNITEDRAKE (United Rake). Kaspersky also found other codenames in the components that aren’t in the NSA catalog but share the same naming conventions—they include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER. Other evidence possibly pointing to the NSA is the fact that five victims in Iran who were infected with Equation Group components were also key victims of Stuxnet, which was reportedly created and launched by the U.S. and Israel. Kaspersky wouldn’t identify the Iranian victims hit by the Equation tools, but the five key Stuxnet victims have been previously identified as five companies in Iran, all contractors in the business of building and installing industrial control systems for various clients. Stuxnet targeted industrial control systems used to control centrifuges at a uranium- enrichment plant near Natanz, Iran. The companies—Neda Industrial Group, Kala Electric, Behpajooh, CGJ (believed to be Control Gostar Jahed) and Foolad Technic—were infected with Stuxnet in the hope that contractors would carry it into the enrichment plant on an infected USB stick. This link between the Equation Group and Stuxnet raises the possibility that the Equation tools were part of the Stuxnet attack, perhaps to gather intelligence for it. But the newly uncovered worm created by the Equation Group, which the researchers are calling Fanny after the name of one of its files, has an equally intriguing connection to Stuxnet. It uses two of the same zero-day exploits that Stuxnet used, including the infamous .LNK zero-day exploit that helped Stuxnet spread to air-gapped machines at Natanz—machines that aren’t connected to the internet. The .LNK exploit in Fanny has a dual purpose—it allows attackers to send code to air- gapped machines via an infected USB stick but also lets them surreptitiously collect intelligence about these systems and transmit it back to the attackers. Fanny does this by storing the intelligence in a hidden file on the USB stick; when the stick is then inserted into a machine connected to the internet, the data intelligence gets transferred to the attackers. EquationDrug also makes use of the .LNK exploit. A component called SF loads it onto USB sticks along with a trojan to infect machines. The other zero-day Fanny uses is an exploit that Stuxnet used to gain escalated privileges on machines in order to install itself seamlessly. Fanny may have been used initially as proof-of-concept to test the viability of getting Stuxnet onto air-gapped machines in Iran. Or it could have been used for a different operation entirely, and its developers simply shared the exploits with the Stuxnet crew. The vast majority of Fanny infections detected so far are in Pakistan. Kaspersky has found no infections in Iran. This suggests Fanny was likely created for a different operation. Pakistan’s nuclear weapons program, like Iran’s, has long been a U.S. concern. The centrifuge designs used in Iran’s uranium-enrichment plant at Natanz came from Pakistan—a Pakistani scientist helped jumpstart Iran’s nuclear program with them. Information about the NSA’s black budget, leaked by Snowden to the Washington Post in 2013, shows that Pakistan’s nuclear program, and the security of its nuclear weapons, is a huge concern to U.S. intelligence and there is “intense focus” on gaining more information about it. “No other nation draws as much scrutiny across so many categories of national security concern,” the Post wrote in a story about the budget. Kaspersky found only one version of Fanny. It arrived in their virus collection system in December 2008 but went unnoticed in their archive until last year. Raiu doesn’t konw where the Fanny file came from—possibly another anti-virus firm’s shared collection.
Raiu says he thinks Fanny was an early experiment to test the viability of using self-replicating code to spread malware to air-gapped machines and was only later added to Stuxnet when the method proved a success. Notably, the first version of Stuxnet, believed to have been unleashed in late 2007, didn’t use zero-day exploits to spread; instead it spread by infecting the Step 7 project files used to program control systems at Natanz. Fanny was subsequently compiled in July 2008 with the two zero-day exploits. When the next version of Stuxnet was unleashed in 2009, the privilege-escalation exploit from Fanny was added to it. Then in 2010, the .LNK exploit from Fanny was added to a version of Stuxnet unleashed that March and April.
Post Comment Private Reply Ignore Thread
Top • Page Up • Full Thread • Page Down • Bottom/Latest
#1. To: A K A Stone (#0)
The modification of hard drive firmware to create storage that can't be detected or erased is scary.
Wouldn't you notice you had lost some space or something?
Yesterday I had the following exchange with VxH.. --- He asked me : --- I don't have clue what you're point is, and don't care. -- Get lost. --- tpaine I didn't answer then, and I still can't figure out what the hell his (VhX) point was. Thanks for posting this article about Stuxnet, -- maybe we can get VhX to explain why Stuxnet has any connection to LF...
Internet Basics Lesson 4: How to Use a Search Engine to Search the Internet
Typical BS response from our resident multi id trying dirtbag. Hey Gatlin, he said he didnt care, you smarmy little jerk.
Thank you, Capt Pitifully Obvious...
Kaspersky is a Russian company,
“Let no one mourn that he has fallen again and again; for forgiveness has risen, from the grave.” John Chrysostom www.evidenceforJesusChrist.org
Which would make them better at removing NSA spyware as opposed to say an American company.
American anti-virus software is higher rated.
“Let no one mourn that he has fallen again and again; for forgiveness has risen, from the grave.” John Chrysostom www.evidenceforJesusChrist.org
Yeah. But who knows if there isn't some secret order for American companies to not touch some stuff.
Any malware that could create an undetectable, unwipable partition could also report to the OS a bogus size. You might test a drive by deleting all partitions and then creating a new one, which wouldn't be as large as the OS thinks it is. Then write to it and if it runs out of space before it should, it might be compromised. But hard drive firmware already hides bad sectors, so maybe the test wouldn't be conclusive.
Maybe those Russians in your article who claimed to discover this malware are just Wired subscribers.
This is not the point and you know it well.
#2. To: Abcdefg (#1)
#3. To: A K A Stone, Y'ALL, VhX (#0)
Did StuxNet work?
Yes or No -- Did StuxNet work? --- C'mon you can do it. Clean the drool off the keyboard and type "Y" or "N".
#4. To: tpaine (#3)
#5. To: Gatlin (#4)
#6. To: Gatlin (#4)
#7. To: A K A Stone (#0)
#8. To: GarySpFC (#7)
Kaspersky is a Russian company,
#9. To: A K A Stone (#8)
Which would make them better at removing NSA spyware as opposed to say an American company.
#10. To: GarySpFC (#9)
American anti-virus software is higher rated.
#11. To: A K A Stone (#2)
Wouldn't you notice you had lost some space or something?
#12. To: GeorgiaConservative (#0)
#13. To: GarySpFC (#9)
American anti-virus software is higher rated.
Top • Page Up • Full Thread • Page Down • Bottom/Latest
[Home] [Headlines] [Latest Articles] [Latest Comments] [Post] [Mail] [Sign-in] [Setup] [Help] [Register]