Slashdot Mirror
New Evidence Strengthens NSA Ties To Equation Group Malware
An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA's Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. "Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike."
Hypothetical Scenario: I work as a coder for the NSA, I work with an extremely talented group, we code the latest, most aggressive malware available.
We make the Russians look like Girl Scouts.
How much do you think they pay me?
How much could I make selling the stuff I code at the NSA to various "businesses".
Does anyone in that position believe in nationalism?
"If any question why we died, Tell them because our fathers lied."
If they don't bother to change the timestamps to 03/13/37.
I am becoming gerund, destroyer of verbs.
> Do me a favour. Spooks putting strings identifying their top secret programme by name [...]
The alternative is thrilling too: malware authors knowing the names of top-secret NSA programmes (I assume this malware was hacked together pre-Snowden)? Hmmm.
I don't know the name of the razor to apply here. But it's a hell of a razor, for sure.
What the summary said was that the timestamps are consistent with an 8-5 day in those time zones, not that the timestamps came from those timezones. Timestamps aren't UTC anything -- they're milliseconds since epoch (generally), and the OS converts on the fly when displaying. I can't speak for the NSA, but core hours are 10-3 for many government workers, and many people go in to the office early to beat traffic. Also, the NSA is under the DoD, and DoD tends to get an early start. All of that is consistent with what one would expect to see.
And to address the GP, the odds of finding a string that matches a codeword, especially a unique codeword, are very slim. Probably millions to one. You're not going to find, say, "XKEYSCORE" in Microsoft or Apple source code. That's the most convincing evidence -- the timestamp stuff is just icing.
I expect to see future exploits released with standardized timestamps and obfuscated strings.
https://www.eff.org/https-everywhere
I am not too worried about Putin.
What I am worried about is this: the Equation malware was used years ago. We know these guys are good at what they do. Very good.
NSA has been working on that stuff since the 1950s -- that's 65 years of experience, folks, and they have been big computer users since day ONE -- heck even before day one, if you count Bletchley Park and stuff like the cracking of Red, Purple and JN cyphers.
So, we are talking about an organization that has huge experience in cracking systems and crypto, and the enormous budget to support its activities.
So: what have they been producing between Equation and, let's say, Stuxnet, and today?
Equation was -- from what I understand -- fairly Windows specific. What have they got now? The stuff coming out of all these not-so-funny super top secret projects?
Here is a hint: combine stuff like Heartbleed (OpenSSL), ShellShock, stuff that lingered in code bases for decades before being found out, maybe other stuff such as a few rumors about OpenSSH backdoors (remember those?) and the "let me install myself cosily in your HDD BIOS where you cannot dislodge me" capabilities of Equation and, presto! No one is safe from the prying eyes of NSA anymore.
That's the kind of things that makes you lose sleep at night. At least, I do lose sleep over it. Georges Orwell had nothing on these guys.
What if you are only running open-source? Vulnerable. Audited open-source? They have 100 times the manpower of the best programming teams out there. Heck, they may even have inflitrated these projects in the first place!
And don't forget one last things: the guys are masters of misdirection. NSA and GCHQ and everyone in between said for years that Enigma was safe to use, even after the nd of WWII. It's extremely simple for these people to say (unofficially, of course) "Drats! This guy is using open source! Foiled again! Damn you open source programmers!! Damn you all to hell!!!", all the while exploiting Linux/BSD machines as easily as "1-2-3". And we know they like subtle.
So, here is the question: what do they have, right now, that we don't know about? Think about that for a second.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
You're not going to find, say, "XKEYSCORE" in Microsoft or Apple source code.
Ha, are you really sure about that?
I mean, are the only software developers who work normal business hours on normal workdays in the Eastern timezone all working for the NSA?
Very few regular businesses in the eastern USA hire hackers to attack others, so most hackers have much more varied time allocations reflecting that they do it after work / on weekends or are unemployed. The hours strongly suggest employees, so what other employer seems likely to you?
This space intentionally left blank
I'd expect the odds of the NSA accidentally embedding the same strings in multiple exploits to be around 100%. They're humans, they're lazy, they copy stuff and they want readable code. Why wouldn't they?
This space intentionally left blank
"[...] modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones"
When writing an article of this sort your goal should be to _explain your position_, not to create a math problem which, if solved in the correct manner, suggests what your position could be. If the authors wanted to point to a 7-3 work day in UTC-5, they should have simply said so instead of going out of their way to state something quite different.
It's not hard.
Here, it could look something like this:
"[...] modification timestamps were almost always consistent with a 7-3 workday in the US Eastern timezone (UTC-5), allowing for standard Daylight Savings changes as observed in Virginia, DC and Maryland"
It should not look like this:
"[...] modification timestamps were almost always consistent with an 8 PM - 5 AM workday in the UTC+9 time zone, showing that this was clearly the work of North Koreans with insomnia"
Do you see the difference?