Slashdot Mirror


New Evidence Strengthens NSA Ties To Equation Group Malware

An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA's Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. "Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike."

24 of 129 comments

  1. A few embedded strings and timestamps? by JoeyRox · · Score: 2, Interesting

    Seems like very weak evidence to me, and certainly not a "smoking gun" claimed in the referenced article.

    1. Re: A few embedded strings and timestamps? by afidel · · Score: 2

      I was about to say the exact same thing, only Newfoundland and a few Caribbean islands are UTC -3. It was those canuckistanis, I tell you.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:A few embedded strings and timestamps? by StikyPad · · Score: 5, Insightful

      What the summary said was that the timestamps are consistent with an 8-5 day in those time zones, not that the timestamps came from those timezones. Timestamps aren't UTC anything -- they're milliseconds since epoch (generally), and the OS converts on the fly when displaying. I can't speak for the NSA, but core hours are 10-3 for many government workers, and many people go in to the office early to beat traffic. Also, the NSA is under the DoD, and DoD tends to get an early start. All of that is consistent with what one would expect to see.

      And to address the GP, the odds of finding a string that matches a codeword, especially a unique codeword, are very slim. Probably millions to one. You're not going to find, say, "XKEYSCORE" in Microsoft or Apple source code. That's the most convincing evidence -- the timestamp stuff is just icing.

      I expect to see future exploits released with standardized timestamps and obfuscated strings.

    3. Re:A few embedded strings and timestamps? by clonehappy · · Score: 3

      You're not going to find, say, "XKEYSCORE" in Microsoft or Apple source code.

      Ha, are you really sure about that?

    4. Re:A few embedded strings and timestamps? by JoeyRox · · Score: 2

      Seems to me that the odds a hacker group would intentionally embed a codeword attributed to another hacker organization to cover its tracks are higher than the odds that the NSA accidentally embedded the same strings in multiple exploits. That's on a relative odds basis. On an absolute basis the odds for either seem rather low and thus IMO the evidence in the article is still very weak.

    5. Re:A few embedded strings and timestamps? by Gavagai80 · · Score: 4, Insightful

      I mean, are the only software developers who work normal business hours on normal workdays in the Eastern timezone all working for the NSA?

      Very few regular businesses in the eastern USA hire hackers to attack others, so most hackers have much more varied time allocations reflecting that they do it after work / on weekends or are unemployed. The hours strongly suggest employees, so what other employer seems likely to you?

      --
      This space intentionally left blank
    6. Re:A few embedded strings and timestamps? by Gavagai80 · · Score: 4, Insightful

      I'd expect the odds of the NSA accidentally embedding the same strings in multiple exploits to be around 100%. They're humans, they're lazy, they copy stuff and they want readable code. Why wouldn't they?

      --
      This space intentionally left blank
    7. Re:A few embedded strings and timestamps? by Nyder · · Score: 2

      Unless I am mistaken, the Washington, USA, area runs on UTC-5 when on Eastern Standard Time and UTC-4 when on Eastern Daylight Time; never UTC-3 unless someone is working very early hours. So it seems like weak evidence indeed!

      Funny how this is weak evidence, but stuff like this is what they used to say North Korea hacked Sony.

      --
      Be seeing you...
  2. Scenario by koan · · Score: 4, Interesting

    Hypothetical Scenario: I work as a coder for the NSA, I work with an extremely talented group, we code the latest, most aggressive malware available.

    We make the Russians look like Girl Scouts.

    How much do you think they pay me?

    How much could I make selling the stuff I code at the NSA to various "businesses".

    Does anyone in that position believe in nationalism?

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Scenario by koan · · Score: 4, Funny

      As much as Snowden is.

      --
      "If any question why we died, Tell them because our fathers lied."
    2. Re:Scenario by davydagger · · Score: 2

      Assuming the NSA finds out. If you're the best the NSA has, and you know all their systems because you're the guy who's basically the NSA, who exists to find you?

      Snowden was the guy. He didn't get caught until he outed himself to give the leaks credibility. Of course if he was doing espionage he just would have kept his mouth shut and accepted money.

      What is more likely, is that NSA contractors have jobs moonlighting for large corporations as intelligence officers and simply use NSA resources at work for their corporate patrons. If they outright gave them the code, it would make themselves fairly worthless as consultants. This matches up to the 60% of espionage being economic. I.E. Corporations pay NSA employees for use of NSA resources. It also calls into question the technology "invented here" meme, which just might have been, "invented somewhere else, but stolen by the NSA and given to private partners".

      Combine this with the fact the best "security" i.e. hackers working for the government, are for-profit blackhats that get caught and flip as part of a plea deal.

    3. Re:Scenario by StikyPad · · Score: 4, Insightful

      How much do you think they pay me?

      You can look at the careers on their website. Exploit Engineer pays $64,923 to $96,931. I'm sure that matches up with a GS payscale number somewhere, but I'm too lazy to map it.

      How much could I make selling the stuff I code at the NSA to various "businesses".

      Not much, or at least not for very long. You can bet your ass you sign an ironclad NDA, and if anyone's going to know whether you violated that, it's the NSA.

      Does anyone in that position believe in nationalism?

      Most of them, yes. Employment is actually pretty competitive, and people don't become government employees for the money. Job security, maybe, but the money is usually below average.

    4. Re:Scenario by NotQuiteReal · · Score: 2

      Actually the money is usually above average.

      --
      This issue is a bit more complicated than you think.
    5. Re:Scenario by Noryungi · · Score: 5, Insightful

      My dear friend, you do not understand how these things work.

      You work at NSA, you are always using the latest, newest, biggest, baddest, sweetest technology ever devised by men. You literally have computer companies begging you to buy their stuff. For a lot of these people (heck, that may even include me) that is motivation enough.

      AND, if you are discreet about it, you can even be privy to a lot of potentially very lucrative state secrets. Or even personal secrets, who knows? Obviously, if Snowden gave us something, it is the knowledge that NSA is not very good at information compartmentalization...

      But here is the kicker: if you ever decide to leave the NSA, for retirement or otherwise, the private sector (at least the US private sector) will greet you with open arms and pay you a sh*tload of money to work as a consultant or senior manager. And we are talking about a SH*TLOAD of money, conflict of interests be damned. You are now one of the big boys, kid, enjoy your (semi-)retirement.

      No need to betray US interests, no need to reveal super secret information: you are NSA. You are above the law. Just leave your morals at the door, please.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    6. Re:Scenario by Bing+Tsher+E · · Score: 2

      Snowden was an IT guy. A flunky.

      Sorry to break it to all you other IT guys. He was not a top realm coder. Very few 'IT guys' are top realm coders.

    7. Re:Scenario by Anonymous Coward · · Score: 2, Interesting

      Does anyone in that position believe in nationalism?

      If I didn't believe that most of them do, I wouldn't be so frightened.

      There's no one capable of doing more evil than those who sincerely believe that they're doing good.

    8. Re: Scenario by DigiShaman · · Score: 2

      He also had the acumen to navigate the situation with relative "competence" and remain alive to spill the beans. I say that because it's arguable whether or not he should have done what he did. Nevertheless, he wears a stiff gray hat. Even the most intelligent coders and IT folk couldn't pull off what he did, or have the balls to do it!

      --
      Life is not for the lazy.
  3. How leet can they be? by wiredlogic · · Score: 4, Funny

    If they don't bother to change the timestamps to 03/13/37.

    --
    I am becoming gerund, destroyer of verbs.
  4. Re:Hahahahaha. What a joke. by Anonymous Coward · · Score: 3, Insightful

    > Do me a favour. Spooks putting strings identifying their top secret programme by name [...]

    The alternative is thrilling too: malware authors knowing the names of top-secret NSA programmes (I assume this malware was hacked together pre-Snowden)? Hmmm.

    I don't know the name of the razor to apply here. But it's a hell of a razor, for sure.

  5. Re:Hahahahaha. What a joke. by Bonzoli · · Score: 2

    Kind of like a PhD student security programmer, accidentally putting in Heartbleed in the middle of Xmas when it was automagically accepted into ssh code, because we do not teach bounds checking to PhD students.
    Hope and Belief.

  6. Re:Kaspersky Lab by Noryungi · · Score: 5, Insightful

    I am not too worried about Putin.

    What I am worried about is this: the Equation malware was used years ago. We know these guys are good at what they do. Very good.

    NSA has been working on that stuff since the 1950s -- that's 65 years of experience, folks, and they have been big computer users since day ONE -- heck even before day one, if you count Bletchley Park and stuff like the cracking of Red, Purple and JN cyphers.

    So, we are talking about an organization that has huge experience in cracking systems and crypto, and the enormous budget to support its activities.

    So: what have they been producing between Equation and, let's say, Stuxnet, and today?

    Equation was -- from what I understand -- fairly Windows specific. What have they got now? The stuff coming out of all these not-so-funny super top secret projects?

    Here is a hint: combine stuff like Heartbleed (OpenSSL), ShellShock, stuff that lingered in code bases for decades before being found out, maybe other stuff such as a few rumors about OpenSSH backdoors (remember those?) and the "let me install myself cosily in your HDD BIOS where you cannot dislodge me" capabilities of Equation and, presto! No one is safe from the prying eyes of NSA anymore.

    That's the kind of thing that makes you lose sleep at night. At least, I do lose sleep over it. George Orwell had nothing on these guys.

    What if you are only running open-source? Vulnerable. Audited open-source? They have 100 times the manpower of the best programming teams out there. Heck, they may even have infiltrated these projects in the first place!

    And don't forget one last thing: the guys are masters of misdirection. NSA and GCHQ and everyone in between said for years that Enigma was safe to use, even after the end of WWII. It's extremely simple for these people to say (unofficially, of course) "Drats! This guy is using open source! Foiled again! Damn you open source programmers!! Damn you all to hell!!!", all the while exploiting Linux/BSD machines as easily as "1-2-3". And we know they like subtle.

    So, here is the question: what do they have, right now, that we don't know about? Think about that for a second.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  7. Re:Let's roll our own Time Zones too! by Minwee · · Score: 3, Insightful

    "[...] modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones"

    When writing an article of this sort your goal should be to _explain your position_, not to create a math problem which, if solved in the correct manner, suggests what your position could be. If the authors wanted to point to a 7-3 work day in UTC-5, they should have simply said so instead of going out of their way to state something quite different.

    It's not hard.

    Here, it could look something like this:

    "[...] modification timestamps were almost always consistent with a 7-3 workday in the US Eastern timezone (UTC-5), allowing for standard Daylight Savings changes as observed in Virginia, DC and Maryland"

    It should not look like this:

    "[...] modification timestamps were almost always consistent with an 8 PM - 5 AM workday in the UTC+9 time zone, showing that this was clearly the work of North Koreans with insomnia"

    Do you see the difference?

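    The work-hour analysis the summary describes, and Minwee's point above that an 8-5 day in one zone is the same data as an earlier day one zone further west, as an added Python example (not code from the article or from Kaspersky's analysis). The timestamps are constructed for the example; real analysis would read them from recovered binaries.

    ```python
    from datetime import datetime, timedelta, timezone

    # Constructed sample: build/modification times as UTC epoch seconds, standing in
    # for values pulled from recovered files. Made up for this example (not real
    # Equation Group data): five weekdays, 08:00-16:59 in UTC-4, plus two outliers.
    _UTC_MINUS_4 = timezone(timedelta(hours=-4))
    _WEEK = datetime(2014, 6, 2, tzinfo=_UTC_MINUS_4)  # a Monday, UTC-4 wall clock

    def _constructed_samples():
        stamps = []
        for day in range(5):                     # Monday .. Friday
            for hour in (8, 9, 11, 13, 15, 16):  # inside an 8-5 local workday
                local = _WEEK + timedelta(days=day, hours=hour, minutes=30)
                stamps.append(int(local.timestamp()))
        stamps.append(int((_WEEK + timedelta(days=5, hours=14)).timestamp()))  # Saturday
        stamps.append(int((_WEEK + timedelta(days=2, hours=23)).timestamp()))  # 23:00 build
        return stamps

    SAMPLE_TIMESTAMPS = _constructed_samples()

    def workday_fit(epoch_seconds, utc_offset_hours, start_hour=8, end_hour=17):
        """Fraction of timestamps landing Mon-Fri, start_hour <= hour < end_hour,
        once the raw epoch values are viewed in the candidate zone. The values carry
        no zone of their own; the offset is the analyst's hypothesis."""
        zone = timezone(timedelta(hours=utc_offset_hours))
        hits = 0
        for ts in epoch_seconds:
            local = datetime.fromtimestamp(ts, tz=zone)
            if local.weekday() < 5 and start_hour <= local.hour < end_hour:
                hits += 1
        return hits / len(epoch_seconds)

    def rank_offsets(epoch_seconds, start_hour=8, end_hour=17):
        """Score every whole-hour UTC offset against the assumed window, best first."""
        scored = [(off, workday_fit(epoch_seconds, off, start_hour, end_hour))
                  for off in range(-12, 15)]
        return sorted(scored, key=lambda item: (-item[1], item[0]))

    if __name__ == "__main__":
        print("best offsets for an 8-5 window:", rank_offsets(SAMPLE_TIMESTAMPS)[:3])
        # The data cannot separate zone from work window: shifting both by an hour
        # gives an identical score, which is the ambiguity Minwee complains about.
        print("UTC-4, 08-17:", workday_fit(SAMPLE_TIMESTAMPS, -4))
        print("UTC-5, 07-16:", workday_fit(SAMPLE_TIMESTAMPS, -5, 7, 16))
    ```

    The fixed-offset zones above ignore daylight-saving changes; a DST boundary inside the sample period is the one thing that could separate the two hypotheses.
    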
  8. The really troubling part by ThatsNotPudding · · Score: 2

    If every OS and system on the planet is merely your plaything, you are now not just a government agency but a standalone entity that can completely self-fund without leaving a trace, and thus answerable to no one, most especially mere elected civilians.

    And if the Senators or POTUS get uppity, well no one that achieves those offices is innocent, thus they are completely blackmailable, if not subject to out and out threats (especially their families).

    I think this is the main reason every man that now becomes President ends up with gray hair, regardless of their age.

  9. "Exploit Engineer" by Errol+backfiring · · Score: 2

    Sorry guys, I will never use the word "hacker" again now that they are officially called "Exploit Engineers".

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!