The hacking collective, dubbed "Equation Group," must have been sponsored by a nation-state with vast resources in order to operate, Kaspersky analysts assert.
The strongest evidence connecting the NSA to Equation Group is the string "BACKSNARF_AB25," which was embedded in a sample of the Equation Group cyberespionage platform known as "EquationDrug."
"BACKSNARF," according to page 19 of an undated NSA presentation that was obtained by Ars Technica, was the name of a project tied to the NSA's Tailored Access Operations.
"While the presence of the 'BACKSNARF' artifact isn't conclusive proof it was part of the NSA project by that name, the chances that there were two unrelated projects with nation-state funding seems infinitesimally small," Dan Goodin of Ars Technica points out.
A new report published Wednesday by Kaspersky notes that timestamps stored inside the Equation Group malware show that the hackers almost exclusively worked Monday through Friday. If one assumes a standard 8 a.m. to 5 p.m. workday, those timestamps line up with the time zone of the eastern United States.
It is unlikely the timestamps were intentionally manipulated, the report states, since the years listed in various executable files match the availability of computer platforms the files ran on.
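The working-hours inference described above, as an added illustration that is not part of the article or of Kaspersky's report: the script takes a constructed set of compile timestamps (the kind of value a malware analyst reads from a PE header's TimeDateStamp field), tries every whole-hour UTC offset, and reports which offset places the most samples inside a Monday-to-Friday, 8 a.m. to 5 p.m. window. The sample data, the work window and the candidate offsets are assumptions of this example, not values from the report.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def utc(year, month, day, hour, minute=0):
    """Build a timezone-aware UTC datetime (helper for constructing samples)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def pe_timestamp_to_utc(epoch_seconds):
    """Convert a raw PE TimeDateStamp (seconds since 1970, UTC) to an aware datetime."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


def _build_sample():
    # Constructed sample: one working week of builds at 13:00-21:00 UTC
    # (Mon 2012-03-05 to Fri 2012-03-09), plus two outliers so the fit is
    # not perfect: a Saturday build and a late-night build.
    stamps = []
    monday = utc(2012, 3, 5, 0)
    for day in range(5):
        for hour in range(13, 22):
            stamps.append(monday + timedelta(days=day, hours=hour))
    stamps.append(utc(2012, 3, 10, 15))       # Saturday afternoon, UTC
    stamps.append(utc(2012, 3, 7, 23, 30))    # Wednesday, late night, UTC
    return stamps


SAMPLE_TIMESTAMPS = _build_sample()

# Assumed work window: 8 a.m. up to, but not including, 5 p.m., Mon-Fri.
WORK_START, WORK_END = 8, 17


def in_work_window(local_dt):
    """True if an aware datetime (already shifted to a candidate zone) is in office hours."""
    return local_dt.weekday() < 5 and WORK_START <= local_dt.hour < WORK_END


def score_offset(stamps, offset_hours):
    """Fraction of timestamps that fall in office hours at the given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for s in stamps if in_work_window(s.astimezone(tz)))
    return hits / len(stamps)


def best_offset(stamps, candidates=range(-12, 15)):
    """Return (offset, score) for the UTC offset that best explains the timestamps."""
    scored = {off: score_offset(stamps, off) for off in candidates}
    best = max(scored, key=scored.get)
    return best, scored[best]


def weekday_histogram(stamps, offset_hours):
    """Count samples per local weekday at the given offset (the Mon-Fri check)."""
    tz = timezone(timedelta(hours=offset_hours))
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    counts = Counter(names[s.astimezone(tz).weekday()] for s in stamps)
    return {name: counts.get(name, 0) for name in names}


if __name__ == "__main__":
    offset, score = best_offset(SAMPLE_TIMESTAMPS)
    print(f"best fit: UTC{offset:+d} ({score:.1%} of samples in office hours)")
    print(weekday_histogram(SAMPLE_TIMESTAMPS, offset))
```

On the constructed data the best fit is UTC-5, i.e. US Eastern Standard Time, with the Saturday and late-night builds left outside the window at every offset. Two caveats a practitioner would keep in mind: neighbouring offsets often score almost as well, so the result is a region rather than a city, and the whole method rests on the timestamps being genuine, which is why the report's cross-check of build years against platform availability matters.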
Last month, Kaspersky revealed details about an Equation Group operation that led to some 500 infections in at least 30 countries, including Russia, Iran, Pakistan, Afghanistan, India and Syria. The operation targeted banks, foreign governments, embassies, the energy and infrastructure, media and telecommunications sectors, and Islamist groups.
While those revelations triggered media reports about the US National Security Agency being behind the espionage, Kaspersky has stopped short of ever saying Equation Group was the handiwork of the NSA.
Comment: Those Russians are smart cookies. It is certainly implied, is it not?
Another connection is the similarity between Equation Group's interdiction and that of the NSA, as evidenced in documents leaked by NSA whistleblower Edward Snowden.
According to Goodin, the Equation Group, regardless of what agency it is operating under, is "hands down the world's most advanced hacking operation ever to come to light."
…Kaspersky has identified are two modules that can reprogram more than a dozen different hard drive brands, including big names like Maxtor, Seagate, Hitachi, and Toshiba, basically rewriting the hard drive's operating system. This trick puts the "p" in APT (advanced persistent threat), by allowing the malware to go undetected by antivirus and to remain alive even if the drive is reformatted or the operating system gets reinstalled.
…the module that infects the hard drive firmware is "state of the art."
"We're sure there's some Linux malware, too … and probably a lot of other stuff we have not found yet."
Windows’ underlying DOS has always been vulnerable, and now Linux is vulnerable; I doubt the NSA would leave out Apple. An HDD with infected firmware would need the firmware rewritten or the drive destroyed. Not detected by scanners, you wouldn’t know the HDD firmware was corrupt and needed replacing.