New Evidence Strengthens NSA Ties To Equation Group Malware

An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA's Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. "Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike."

Re:Hahahahaha. What a joke.

> Do me a favour. Spooks putting strings identifying their top secret programme by name [...]

The alternative is thrilling too: malware authors knowing the names of top-secret NSA programmes (I assume this malware was hacked together pre-Snowden)? Hmmm.

I don't know the name of the razor to apply here. But it's a hell of a razor, for sure.

Re:A few embedded strings and timestamps?

[StikyPad]

What the summary said was that the timestamps are consistent with an 8-5 day in those time zones, not that the timestamps came from those timezones. Timestamps aren't UTC anything -- they're milliseconds since epoch (generally), and the OS converts on the fly when displaying. I can't speak for the NSA, but core hours are 10-3 for many government workers, and many people go in to the office early to beat traffic. Also, the NSA is under the DoD, and DoD tends to get an early start. All of that is consistent with what one would expect to see.

And to address the GP, the odds of finding a string that matches a codeword, especially a unique codeword, are very slim. Probably millions to one. You're not going to find, say, "XKEYSCORE" in Microsoft or Apple source code. That's the most convincing evidence -- the timestamp stuff is just icing.

I expect to see future exploits released with standardized timestamps and obfuscated strings.

Re:Scenario

[StikyPad]

How much do you think they pay me?

You can look at the careers on their website. Exploit Engineer pays $64,923 to $96,931. I'm sure that matches up with a GS payscale number somewhere, but I'm too lazy to map it.

How much could I make selling the stuff I code at the NSA to various "businesses".

Not much, or at least not for very long. You can bet your ass you sign an ironclad NDA, and if anyone's going to know whether you violated that, it's the NSA.

Does anyone in that position believe in nationalism?

Most of them, yes. Employment is actually pretty competitive, and people don't become government employees for the money. Job security, maybe, but the money is usually below average.

Re:Kaspersky Lab

[Noryungi]

I am not too worried about Putin.

What I am worried about is this: the Equation malware was used years ago. We know these guys are good at what they do. Very good.

NSA has been working on that stuff since the 1950s -- that's 65 years of experience, folks, and they have been big computer users since day ONE -- heck even before day one, if you count Bletchley Park and stuff like the cracking of Red, Purple and JN cyphers.

So, we are talking about an organization that has huge experience in cracking systems and crypto, and the enormous budget to support its activities.

So: what have they been producing between Equation and, let's say, Stuxnet, and today?

Equation was -- from what I understand -- fairly Windows specific. What have they got now? The stuff coming out of all these not-so-funny super top secret projects?

Here is a hint: combine stuff like Heartbleed (OpenSSL), ShellShock, stuff that lingered in code bases for decades before being found out, maybe other stuff such as a few rumors about OpenSSH backdoors (remember those?) and the "let me install myself cosily in your HDD BIOS where you cannot dislodge me" capabilities of Equation and, presto! No one is safe from the prying eyes of NSA anymore.

That's the kind of things that makes you lose sleep at night. At least, I do lose sleep over it. Georges Orwell had nothing on these guys.

What if you are only running open-source? Vulnerable. Audited open-source? They have 100 times the manpower of the best programming teams out there. Heck, they may even have inflitrated these projects in the first place!

And don't forget one last things: the guys are masters of misdirection. NSA and GCHQ and everyone in between said for years that Enigma was safe to use, even after the nd of WWII. It's extremely simple for these people to say (unofficially, of course) "Drats! This guy is using open source! Foiled again! Damn you open source programmers!! Damn you all to hell!!!", all the while exploiting Linux/BSD machines as easily as "1-2-3". And we know they like subtle.

So, here is the question: what do they have, right now, that we don't know about? Think about that for a second.

Re:Scenario

[Noryungi]

My dear friend, you do not understand how these things work.

You work at NSA, you are always using the latest, newest, biggest, baddest, sweetest technology ever devised by men. You literally have computer companies begging you to buy their stuff. For a lot of these people (heck, that may even include me) that is motivation enough.

AND, if you are discreet about it, you can even be privy to potentially very lucrative a lot of state secrets. Or even personal secrets, who knows?. Obviously, if Snowden gave us something, it is the knowledge that NSA is not very good at information compartmentalization...

But here is the kicker: if you ever decide to leave the NSA, for retirement or otherwise, the private sector (at least the US private sector) will greet you with open arms and pay you a sh*tload of money to work as a consultant or senior manager. And we are talking about a SH*TLOAD of money, conflict of interests be damned. You are now one of the big boys, kid, enjoy your (semi-)retirement.

No need to betray US interests, no need to reveal super secret information: you are NSA. You are above the law. Just leave your morals at the door, please.

Re:A few embedded strings and timestamps?

[Gavagai80]

I mean, are the only software developers who work normal business hours on normal workdays in the Eastern timezone all working for the NSA?

Very few regular businesses in the eastern USA hire hackers to attack others, so most hackers have much more varied time allocations reflecting that they do it after work / on weekends or are unemployed. The hours strongly suggest employees, so what other employer seems likely to you?

Re:A few embedded strings and timestamps?

[Gavagai80]

I'd expect the odds of the NSA accidentally embedding the same strings in multiple exploits to be around 100%. They're humans, they're lazy, they copy stuff and they want readable code. Why wouldn't they?

Re:Let's roll our own Time Zones too!

[Minwee]

"[...] modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones"

When writing an article of this sort your goal should be to _explain your position_, not to create a math problem which, if solved in the correct manner, suggests what your position could be. If the authors wanted to point to a 7-3 work day in UTC-5, they should have simply said so instead of going out of their way to state something quite different.

It's not hard.

Here, it could look something like this:

"[...] modification timestamps were almost always consistent with a 7-3 workday in the US Eastern timezone (UTC-5), allowing for standard Daylight Savings changes as observed in Virginia, DC and Maryland"

It should not look like this:

"[...] modification timestamps were almost always consistent with an 8 PM - 5 AM workday in the UTC+9 time zone, showing that this was clearly the work of North Koreans with insomnia"

Do you see the difference?