Slashdot Mirror


How "Omnipotent" Hackers Tied To NSA Hid For 14 Years and Were Found At Last

Advocatus Diaboli writes The money and time required to develop the Equation Group malware, the technological breakthroughs the operation accomplished, and the interdictions performed against targets leave little doubt that the operation was sponsored by a nation-state with nearly unlimited resources to dedicate to the project. The countries that were and weren't targeted, the ties to Stuxnet and Flame, and the Grok artifact found inside the Equation Group keylogger strongly support the theory the NSA or a related US agency is the responsible party, but so far Kaspersky has declined to name a culprit. NSA officials didn't respond to an e-mail seeking comment for this story. What is safe to say is that the unearthing of the Equation Group is a seminal finding in the fields of computer and national security, as important, or possibly more so, than the revelations about Stuxnet.

26 of 115 comments

  1. Us vs them by halivar · · Score: 5, Funny

    We hack Iran to prevent them from releasing a bomb.

    NK hacks us to prevent us from also releasing a bomb, IYKWIMAITYD.

    1. Re:Us vs them by Anonymous Coward · · Score: 2, Funny

      Is it also the first movie you've ever seen ?

    2. Re:Us vs them by halivar · · Score: 2

      No, he's also seen Gigli, Ishtar, and Domino.

    3. Re:Us vs them by MightyMartian · · Score: 4, Funny

      Let's face it. If you're a Michael Bay fan, The Interview probably would come off as high art.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:Us vs them by MightyMartian · · Score: 3, Funny

      I didn't mean to upset the Michael Bay fans. I know how they all think Pearl Harbor is the highest achievement in cinema history, apart from Transformers: Revenge of the Fallen.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  2. Cover locations. by Kaenneth · · Score: 5, Interesting

    There is a building near Microsoft labeled "Affiliated Associations of America" which sounds shady as fuck.

    1. Re:Cover locations. by irrational_design · · Score: 4, Interesting

      Wow, I found an Affiliated Associations of America. If the following isn't the biggest piece of business jargon that doesn't say anything, I don't know what is.

      Welcome to the AAOA benefits website. Through a cooperative platform, we developed a benefit program to enhance the value of membership for your Membership Organization or Association. AAOA provides a turnkey member benefit solution that offers companies and their employees an opportunity to reduce the costs of doing business. Take advantage of our group purchasing power and receive full access to exclusive member discounts and pricing. Look around the site and let us know if you have any questions or would like to discuss membership. With AAOA, membership doesn't cost, it pays!

    2. Re:Cover locations. by St.Creed · · Score: 3, Insightful

      It's probably more a service for running associations.

      Suppose you're a grocery and you would like to implement a membership card. Now you have to deal with lost cards, signups, people wanting to know how many loyalty points they have, decide how many points to give for which purchase, what to give as a reward for points spent, etc. etc.

      This type of company takes it all out of your hands, provides a pre-packaged membership club with set rewards, tiers, perks, whatever, and puts your brandname on top of the website, the loyalty card, and the brochures. The grocery probably pays a price per customer that's lower than when they would run it themselves, and the affiliate organisation has scale, so can run things cheaper while providing better service than a single company can do.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    3. Re:Cover locations. by Neo-Rio-101 · · Score: 3, Funny

      The syndicated accumulated affiliated aggregated associated conglomerated corporated assembly union group organization society company of the United States of America

      *Pause for fanfare*

      --
      READY.
      PRINT ""+-0
    4. Re:Cover locations. by meta-monkey · · Score: 2

      Also, the 8 story, black glass building with the barbed wire fences and security guards labeled "Flower Shop."

      --
      We don't have a state-run media we have a media-run state.
  3. Thinking of keyloggers, by invictusvoyd · · Score: 2

    Stephen Hawkings computer cannot be infected by a keylogger

    1. Re:Thinking of keyloggers, by Qzukk · · Score: 3, Interesting

      Now I wonder if tabs work in passwords on *nix, if I set my username to be pwd and my password to be cd ../../<TAB><TAB>f<TAB> how would anyone figure that out from a keylog dump?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  4. How is this a good thing? by stevedog · · Score: 4, Insightful

    I'm not sure how I see that this is a good thing. I know it's fun to hate on the intelligence community (I've done it too), especially when we feel like our own rights have been infringed, but are we really saying that we are in favor of anything which hampers the West's ability to take clandestine actions against other states? After all the complaining we do about Congress and all the bureaucracy that comes along with anything usually related to government, we are then saying that absolutely every hostile action should be subject to the same oversight that produces exactly that molasses-like barrier to actual results?

    It is without question that, at times, the intelligence community must have overstepped its bounds, as any entity with that much power would on occasion. Maybe in their case that happens far more often than it should. But does that really mean they should have no real power at all?

    1. Re:How is this a good thing? by Kazoo+the+Clown · · Score: 4, Insightful

      So everyone should just leave their doors wide open so the cops never have to break a door down to nab a crook? Yeah, right. If the NSA can hack into our computers, the bad guys can too. The best way to improve cybersecurity is to fix all the exploitable holes they've been using. But instead of helping us to secure our systems they've left them vulnerable because they're too lazy to pound the pavement, get individual warrants and plant bugs. Having every computer system in the world remain vulnerable made their job easier, so they chose that route, which also made the bad guys' efforts easier too. But hey, it's job security, eh?

    2. Re:How is this a good thing? by Anonymous Coward · · Score: 2, Insightful

      How do you know they don't have a warrant? It seems like using md5 and sha1 hashes to ensure they are only targeting specific individuals smells like somebody with very specific instructions and stiff repercussions. Otherwise it would be easier to grab a pile of people and sort them out later.

    3. Re:How is this a good thing? by stevedog · · Score: 2

      No, quite the opposite. At the same time, though, what would happen if every soldier's gun had a chip that required "command approval" before any member of a squad could start firing? Sure, individual soldiers kill the wrong people, and for the wrong reasons, all the time. Hopefully, though, most of the time it is for the right reasons. And regardless, to place such restrictions on them limits their ability to safely carry out their intended purpose to such a degree that it is a problem.

      The idea is that, if they *do* overstep their boundaries, then that should be handled appropriately (and that is a valid point of criticism with more domestic recent events). But to claim that the intelligence community, whose job is to move about undetected, should be telling people, "you know, these floors make it easy for someone to sneak in undetected. You should replace them with these other floors, where no one would be able to sneak in at all," would be exactly the opposite of their intended job.

      They are the intelligence community, not our national cybersecurity consulting firm, and they only ought to be notifying the public if the risk to national security involved in leaving the vulnerability open is greater than the risk to national security involved in losing the intelligence that could be gained from it.

    4. Re:How is this a good thing? by Kazoo+the+Clown · · Score: 3, Interesting

      They are the intelligence community, not our national cybersecurity consulting firm, and they only ought to be notifying the public if the risk to national security involved in leaving the vulnerability open is greater than the risk to national security involved in losing the intelligence that could be gained from it.

      What you're saying is we HAVE NO national cybersecurity entity whose purpose is to protect our infrastructure from bad actors using exactly the kinds of methods and exploits we're seeing here. And given that, we have to rely on Kaspersky to do it for us. Not only is it then a good thing, it's long overdue.

    5. Re:How is this a good thing? by nbauman · · Score: 5, Insightful

      I think the intelligence community has done more harm than good more often than not.

      I think American foreign policy has done more harm than good to America more often than not.

      For example, look at the Iraq war. We destabilized that entire region of the middle east, and left it wide open for ISIS and other militant groups.

      We supported the other "color" revolutions which also deposed effective dictators who were finally out of power after we supported them for so long. In every case the hippie revolutionaries were quickly brushed aside and replaced by really tough guys.

      Same with Assad in Syria. When he loses control of a region, ISIS moves in. You notice that the U.S. has stopped calling for Assad to leave.

    6. Re:How is this a good thing? by kylemonger · · Score: 2

      It's a good thing because I appreciate knowing what kind of country I really live in. For most of my life I thought I lived in a country that wouldn't torture people. Later I learned that the CIA not only tortures people, they ship people to other countries so they can be tortured harder. That's one of many examples of the things they don't teach you in school that should nonetheless influence how you think and vote. I want to know the ugly truth about what's going on. It probably won't make me happy, but it might just keep me free.

    7. Re:How is this a good thing? by stevedog · · Score: 2

      I wasn't arguing that everyone should be happy about this. I would imagine that, if China found out about something like this, they would be quite upset. Similarly to how upset they would be when they found a spy in their government. That doesn't mean that our intelligence community shouldn't be trying to do exactly that and, presumably, vice versa (and, I would imagine, each is both trying and succeeding).

      To address your other point: I think that, if there is evidence that industrial espionage against the US has been facilitated by NSA backdoors, then the backdoors pose a greater risk than benefit to national security (assuming that the loss from such espionage is, again, greater than intelligence gained). This is all risk/benefit -- that's their job. I would be totally fine with Coke losing their formula to China if that means that they are also able to interdict intelligence that prevents a major attack on U.S. (or foreign, if sufficiently significant) soil.

      But, to be clear, you are right that part of this equation was the assumption that the U.S. was far superior to all other states in their ability to detect and utilize such backdoors. This has become far less true in recent years, and these policies by their risky nature do require careful constant re-evaluation. Furthermore, there is also something to be said for the inability to "revert" the changes in many of these backdoors, such as in hardware -- so if you later decide that these pose more risk to industry than benefit to national security, you're just SOL on existing backdoors. That makes it crucial that the element of longitudinal uncertainty be taken into account in the initial decision-making; hopefully it is, but admittedly foresight is often not government's strong suit...

  5. The headline and the text say different things by Geoffrey.landis · · Score: 2

    The headline says different things than the text and the original article.

    The headline says that they "were found"... but they weren't.

    The headline says that they are "tied to NSA"... but TFA says that "researchers stopped short of saying Equation Group was the handiwork of the NSA."

    --
    http://www.geoffreylandis.com
    1. Re:The headline and the text say different things by grcumb · · Score: 2

      The headline says that they are "tied to NSA"... but TFA says that "researchers stopped short of saying Equation Group was the handiwork of the NSA."

      In fairness, by 'stopped short' they mean that the Kaspersky guys essentially said, 'We're not saying it's the NSA - we just can't imagine anyone else on the face of the earth who has the resources necessary to do this kind of thing.' So yes, the report was released with a nod in the direction of the NSA.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  6. The NSA hides surveillance software in hard drives by Advocatus+Diaboli · · Score: 5, Informative

    Ya.. another related post from engadget (http://www.engadget.com/2015/02/16/hard-drive-spyware/). "It's been known for a while that the NSA will intercept and bug equipment to spy on its soon-to-be owners, but the intelligence agency's techniques are apparently more clever than first thought. Security researchers at Kaspersky Lab have discovered apparently state-created spyware buried in the firmware of hard drives from big names like Seagate, Toshiba and Western Digital. When present, the code lets snoops collect data and map networks that would otherwise be inaccessible -- all they need to retrieve info is for an unwitting user to insert infected storage (such as a CD or USB drive) into an internet-connected PC. The malware also isn't sitting in regular storage, so you can't easily get rid of it or even detect it."

  7. IYKWIMAITYD by Anonymous Coward · · Score: 2, Funny

    I had never seen this acronym before but when I saw it I automatically read it as If You Know What I Mean And I Think You Do. I am shutting down my computer now and taking a break from this internet thing.

  8. Re:Oh, by the way by Anonymous Coward · · Score: 2, Informative

    RTFA. They point out that they don't have an example of actual Mac infections (they only have two for Windows over the last 15 years), but that they get regular communication from infected machines identifying as Mac OS. Kaspersky makes it clear that they believe Macs are also compromised as a result. Nothing is mentioned about Linux, but I'd be surprised if they don't have access there as well.

  9. These Guys Are Fucking Geniuses by darkmeridian · · Score: 3, Interesting

    You can hate the NSA all you want, but I have to tip my cap at their utter genius.

    Beyond the technical similarities to the Stuxnet and Flame developers, Equation Group boasted the type of extraordinary engineering skill people have come to expect from a spy organization sponsored by the world's wealthiest nation. One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers, a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.

    The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/