New Evidence Strengthens NSA Ties To Equation Group Malware
An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA's Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. "Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike."
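The working-hours inference described in the summary, as an added example that is not from Kaspersky's report or tooling: it scores each candidate UTC offset by how many file timestamps land on a Mon-Fri, 08:00-17:59 local workday, assumes fixed offsets (daylight-saving shifts ignored), and runs on constructed timestamps rather than values from the Equation Group files.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_HOURS = range(8, 18)  # 08:00-17:59 local time, the "8-5 workday" in the summary

def local_time(ts, offset_hours):
    """Interpret a UTC epoch timestamp in a fixed UTC offset (DST ignored)."""
    return datetime.fromtimestamp(ts, timezone(timedelta(hours=offset_hours)))

def workday_score(timestamps, offset_hours):
    """Fraction of timestamps that land Mon-Fri, 08:00-17:59 in that offset."""
    hits = 0
    for ts in timestamps:
        lt = local_time(ts, offset_hours)
        if lt.weekday() < 5 and lt.hour in WORK_HOURS:
            hits += 1
    return hits / len(timestamps)

def rank_offsets(timestamps, offsets=range(-12, 15)):
    """All candidate offsets with their score, best first."""
    scored = [(off, workday_score(timestamps, off)) for off in offsets]
    return sorted(scored, key=lambda p: (-p[1], p[0]))

def best_offsets(timestamps):
    """Offsets tied for the top score. Adjacent offsets often tie, which is
    why such analysis may only narrow the team to, say, UTC-3 or UTC-4."""
    ranked = rank_offsets(timestamps)
    top = ranked[0][1]
    return [off for off, score in ranked if score == top]

def weekday_histogram(timestamps, offset_hours):
    """Day-of-week counts; a weekday-heavy profile suggests a salaried team."""
    return Counter(local_time(ts, offset_hours).strftime("%a") for ts in timestamps)

def constructed_sample():
    """Constructed test data, not timestamps from any real file: a Mon-Fri week
    of edits at 08:00/10:00/13:00/17:00 in fixed UTC-4, plus two weekend outliers."""
    tz = timezone(timedelta(hours=-4))
    monday = datetime(2015, 3, 2, tzinfo=tz)  # 2015-03-02 is a Monday
    stamps = [int((monday + timedelta(days=d, hours=h)).timestamp())
              for d in range(5) for h in (8, 10, 13, 17)]
    stamps.append(int(datetime(2015, 3, 7, 14, tzinfo=tz).timestamp()))  # Saturday
    stamps.append(int(datetime(2015, 3, 8, 23, tzinfo=tz).timestamp()))  # Sunday
    return stamps

if __name__ == "__main__":
    sample = constructed_sample()
    print("best offsets:", best_offsets(sample))  # [-4]
    print("weekdays in UTC-4:", weekday_histogram(sample, -4))
```

Real analyses need many more timestamps and must account for DST changes and deliberately forged metadata before the profile is meaningful.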
Seems like very weak evidence to me, and certainly not the "smoking gun" claimed in the referenced article.
Hypothetical scenario: I work as a coder for the NSA; I work with an extremely talented group; we code the latest, most aggressive malware available.
We make the Russians look like Girl Scouts.
How much do you think they pay me?
How much could I make selling the stuff I code at the NSA to various "businesses"?
Does anyone in that position believe in nationalism?
"If any question why we died, Tell them because our fathers lied."