Advanced Cybercrime Gang ‘Equation’ Closely Linked to NSA

Malware Targeted Foreign Industry, Governments

Over the weekend, it was reported that the NSA was scrambling to get ready for a new “leak” about their operations, which was uncovered by a “non-US” cybersecurity company. Today, Russian-based Kaspersky Labs unveiled a huge cache of information about a cybercriminal gang they are calling “Equation,” and which appears to be tightly connected to the NSA itself.

Kaspersky Labs released a 44-page report on Equation (pdf), which describes the group’s suite of malware, used to steal information from industries, corporations, governments, and even some individuals, as the most advanced on the planet.

Indeed, Equation’s malware is so successful and so hard to detect, that Kaspersky believes they’ve been in existence since 2001, or possibly as far back as 1996, and they are only now getting a glimpse into their existence.

Equation’s suite is said to be extremely modular, with initial Trojans being installed simply to see if the targeted computer’s user might be of interest, and if so depositing payloads of highly advanced software into the operation system, which is almost impossible to detect.

Though Kaspersky Labs declined to conclusively link them to the NSA in the report, the connection is impossible to deny, as the early Equation worms appear to be the basis for the Stuxnet worm, which US officials have openly admitted was government handiwork.

Equation’s delivery system also appears to have relied on it being quasi-governmental in some cases, intercepting shipments of commercial software being sent to potential targets of interest and replacing the installation CDs with infected alternatives. Kaspersky had examples of infected Oracle software CDs that were apparently created by Equation and delivered to customers instead of the actual CDs.

The malware identified infects Windows systems, and appears to successfully target all known modern versions of the Microsoft operating system. The report also notes some of the malware makes reference to Macintosh OSX versions of the malware, though none has yet been conclusively seen in the wild.

The malware embeds itself within the operating system, the registry, and into the firmware of the physical hard drives themselves, making it virtually impossible to detect and similarly difficult to remove. The use of hard drive firmware as a method of attack by the NSA had been previously reported, but the sophistication of the attacks are surprising many.

Equation got access not only to publicly known ATA commands, but also somehow vendor-specific ones for literally every major hard drive vendor on the planet. Once the hard drives have been compromised in this manner, the malware is impossible to remove: the only way to get rid of it is to remove and destroy the hard drive.

Author: Jason Ditz

Jason Ditz is Senior Editor for He has 20 years of experience in foreign policy research and his work has appeared in The American Conservative, Responsible Statecraft, Forbes, Toronto Star, Minneapolis Star-Tribune, Providence Journal, Washington Times, and the Detroit Free Press.