NEWS ANALYSIS: Experts from Kaspersky Lab say their analysis of the Equation Group’s malware confirms its state-sponsored origins, but with an unexpected weakness.
An analysis of the Equation Group malware that Kaspersky Lab revealed earlier this year may be the most advanced malware the company has ever seen, according to one of the lab’s top security technology experts.
The expert, Costin Raiu, Director of Kaspersky’s Global Research and Analysis team, said that the analysis also confirms suspicions that the group that created it is state-sponsored.
The telltale signs include date stamps that show that major development steps, such as compiling the code, took place between 9 a.m. and 5 p.m. Eastern Standard Time, and that those steps were only carried out on weekdays, something typical of government employees.
He also said that the level of sophistication, including the ability to use plug-ins, indicates capabilities far beyond those of cyber-criminals. Raiu said that his team kept track of the exact days that those steps took place, but that his team didn’t check to see if they avoided public holidays.
But there were a few new insights that the Kaspersky team found that show that there’s still a lot to learn about the Equation malware that’s sometimes called “EquationDrug.”
One is that the team has identified 35 plug-in modules for the malware so far, but the numbering scheme for each malware plug-in indicates that at least 101 plug-ins have been created. Raiu also said that the malware’s unique ability to infect the firmware of hard disk drives works with most brands and types of hard disks currently in the market, as well as with solid state drives.
However, there are limits to what the Equation malware can do. Raiu said that it does not appear that the malware can infect virtual storage or virtualized drives and it does not appear to be able to infect drives that are part of a RAID array. He added that this makes it appear that servers, and thus data centers, are not the target of the Equation malware. Instead, he said that it appears to be aimed at stand-alone computers or laptops.
Raiu also noted that the Equation malware may have bumped up against new technology. “Most modern hard drives from top brands around the world have some additional security measures and they check to see if the firmware is original,” he said. “If it’s not, they don’t allow the firmware to work.”
Additional research on the Equation malware by Symantec describes exactly how the malware functions. According to a statement in the company’s Security Response blog, an attack by the Equation malware takes place in stages.