Leaked docs suggest NSA and CIA behind Equation cyberespionage group

CIA documents leaked by WikiLeaks suggests tools attributed to the Equation group originated from both the NSA and CIA

By Lucian Constantin, Romania Correspondent, IDG News Service

[Image caption: Hackers learn from malware research how to better hide their attacks. Credit: Michael Kan]

Purported CIA documents leaked Tuesday appear to confirm that the U.S. National Security Agency and one of the CIA's own divisions were responsible for the malware tools and operations attributed to a group that security researchers have dubbed the Equation.

The Equation's cyberespionage activities were documented in February 2015 by researchers from antivirus vendor Kaspersky Lab. It is widely considered to be the most advanced cyberespionage group in the world based on the sophistication of its tools and the length of its operations, some possibly dating as far back as 1996.

From the start, the tools and techniques used by the Equation bore a striking similarity to those described in secret documents leaked in 2013 by former NSA contractor Edward Snowden. This relationship was further strengthened by the similarity between various code names found in the Equation malware and those in the NSA files.

The new CIA documents leaked by WikiLeaks include a 2015 discussion between members of the agency's Technical Advisory Council following Kaspersky's analysis of the Equation group.

The discussion focused mostly on what the Equation did wrong that allowed Kaspersky's researchers to establish relationships between various tools and link them to the group. The goal was for the CIA's own cyber teams to learn from those mistakes and avoid them in their own tools and operations.

The Equation's errors identified during the discussion included the use of custom cryptographic implementations instead of relying on standard libraries like OpenSSL or Microsoft's CryptoAPI, leaving identifying strings in the program database (PDB), the use of unique mutexes, and the reuse of exploits.
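The PDB strings mentioned above are a concrete example of how an analyst links samples that share no code: a Windows PE built with debug information carries a CodeView "RSDS" record (signature, 16-byte GUID, 4-byte age, NUL-terminated path to the .pdb file), and the build directory in that path often survives across tools from the same developer. The script below is an added illustration, not code from the article, Kaspersky or the CIA: it pulls RSDS records out of raw bytes and clusters samples by normalised build directory. The RSDS layout is the real CodeView format; the sample "binaries", their GUIDs and paths are constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict

# CodeView RSDS record: "RSDS" + 16-byte GUID + 4-byte age + NUL-terminated PDB path.
# DOTALL lets the GUID/age groups match arbitrary bytes; the path must be printable ASCII.
RSDS_RE = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[\x20-\x7e]{1,260})\x00",
    re.DOTALL,
)


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path found in an RSDS record inside the raw file bytes."""
    return [m.group("path").decode("ascii") for m in RSDS_RE.finditer(data)]


def pdb_dir(path: str) -> str:
    """Normalise a PDB path to its build directory: lowercase, backslashes, file name dropped."""
    norm = path.lower().replace("/", "\\")
    return norm.rsplit("\\", 1)[0] if "\\" in norm else ""


def cluster_by_pdb_dir(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Group sample names by the build directory recorded in their debug info.

    Samples without an RSDS record (stripped builds) simply do not appear.
    """
    clusters: dict[str, set[str]] = defaultdict(set)
    for name, data in samples.items():
        for path in extract_pdb_paths(data):
            clusters[pdb_dir(path)].add(name)
    return {d: sorted(names) for d, names in clusters.items()}


def make_rsds(guid: bytes, age: int, path: str) -> bytes:
    """Build a synthetic RSDS record (used only to construct test input here)."""
    assert len(guid) == 16
    return b"RSDS" + guid + age.to_bytes(4, "little") + path.encode("ascii") + b"\x00"


# Constructed sample files: a few bytes of filler around an RSDS record.
# Two tools share a build directory (differing only in case), one is unrelated,
# one has been stripped of debug information entirely.
SAMPLES: dict[str, bytes] = {
    "tool_a.bin": b"\x00MZ\x90" * 8
    + make_rsds(b"\x11" * 16, 1, r"D:\build\dropper\Release\loader.pdb")
    + b"\xff" * 8,
    "tool_b.bin": b"PAD" * 5
    + make_rsds(b"\x22" * 16, 3, r"d:\build\dropper\release\stage2.pdb"),
    "unrelated.bin": make_rsds(b"\x33" * 16, 1, r"C:\Users\dev\proj\app.pdb"),
    "stripped.bin": b"\x00" * 64,
}

if __name__ == "__main__":
    for build_dir, names in cluster_by_pdb_dir(SAMPLES).items():
        print(f"{build_dir!r}: {', '.join(names)}")
```

Running it prints two clusters: tool_a.bin and tool_b.bin land together under `d:\build\dropper\release`, unrelated.bin stands alone, and stripped.bin is absent. Case normalisation matters because different toolchains and build configurations emit the path with different casing; the defensive takeaway, the same one the CIA discussion draws, is that a build pipeline which strips or randomises PDB paths removes this pivot, while one that leaves them in hands researchers a free link between tools.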

"The 'custom' crypto is more of NSA falling to its own internal policies/standards which came about in response to prior problems," one team member said during the discussion. "In the past, there were crypto issues where people used 0 [initialization vectors] and other misconfigurations. As a result, the NSA crypto guys blessed one library as the correct implementation and everyone was told to use that."

"The Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools (mostly TAO some IOC)," another member wrote.

TAO is a reference to the NSA's Office of Tailored Access Operations, a large division that specializes in the creation of hacking tools for infiltrating foreign computer systems. Meanwhile, IOC refers to the Information Operations Center, a CIA division that, according to a leaked 2013 budget justification for intelligence agencies, has shifted focus from counterterrorism to cyberespionage in recent years.

The CIA analysis of Kaspersky's Equation report highlights how hackers can learn to better hide their attacks based on research published by security companies. This raises the question of whether security vendors and independent researchers should be so forthcoming with the methods they use to establish links between malware tools.

"It is a proven fact that attackers learn from public analyses, and this is something that all researchers consider when publishing material," researchers from Kaspersky Lab said in an emailed statement. "It is a calculated risk. Of course, not all companies choose to disclose all their findings. Some companies prefer to keep some of the details for private reports, or not to create a report at all."

"We believe that, going forward, a balance will be achieved between the amount of publicly disclosed information (just enough to highlight the risks and raise awareness) and the amount of information kept private (to allow for the discovery of future attacks)," the Kaspersky researchers said.

According to them, this new information ties into the escalating cyber arms race that has been going on since 2012 and shows no signs of slowing down.

Lucian Constantin is an IDG News Service correspondent. He writes about information security, privacy, and data protection.