New Evidence Strengthens NSA Ties To Equation Group Malware

An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA's Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. "Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike."

Re:A few embedded strings and timestamps?

[StikyPad]

What the summary said was that the timestamps are consistent with an 8-5 day in those time zones, not that the timestamps came from those timezones. Timestamps aren't UTC anything -- they're milliseconds since epoch (generally), and the OS converts on the fly when displaying. I can't speak for the NSA, but core hours are 10-3 for many government workers, and many people go in to the office early to beat traffic. Also, the NSA is under the DoD, and DoD tends to get an early start. All of that is consistent with what one would expect to see.

And to address the GP, the odds of finding a string that matches a codeword, especially a unique codeword, are very slim. Probably millions to one. You're not going to find, say, "XKEYSCORE" in Microsoft or Apple source code. That's the most convincing evidence -- the timestamp stuff is just icing.

I expect to see future exploits released with standardized timestamps and obfuscated strings.

Re:Kaspersky Lab

[Noryungi]

I am not too worried about Putin.

What I am worried about is this: the Equation malware was used years ago. We know these guys are good at what they do. Very good.

NSA has been working on that stuff since the 1950s -- that's 65 years of experience, folks, and they have been big computer users since day ONE -- heck even before day one, if you count Bletchley Park and stuff like the cracking of Red, Purple and JN cyphers.

So, we are talking about an organization that has huge experience in cracking systems and crypto, and the enormous budget to support its activities.

So: what have they been producing between Equation and, let's say, Stuxnet, and today?

Equation was -- from what I understand -- fairly Windows specific. What have they got now? The stuff coming out of all these not-so-funny super top secret projects?

Here is a hint: combine stuff like Heartbleed (OpenSSL), ShellShock, stuff that lingered in code bases for decades before being found out, maybe other stuff such as a few rumors about OpenSSH backdoors (remember those?) and the "let me install myself cosily in your HDD BIOS where you cannot dislodge me" capabilities of Equation and, presto! No one is safe from the prying eyes of NSA anymore.

That's the kind of things that makes you lose sleep at night. At least, I do lose sleep over it. Georges Orwell had nothing on these guys.

What if you are only running open-source? Vulnerable. Audited open-source? They have 100 times the manpower of the best programming teams out there. Heck, they may even have inflitrated these projects in the first place!

And don't forget one last things: the guys are masters of misdirection. NSA and GCHQ and everyone in between said for years that Enigma was safe to use, even after the nd of WWII. It's extremely simple for these people to say (unofficially, of course) "Drats! This guy is using open source! Foiled again! Damn you open source programmers!! Damn you all to hell!!!", all the while exploiting Linux/BSD machines as easily as "1-2-3". And we know they like subtle.

So, here is the question: what do they have, right now, that we don't know about? Think about that for a second.

Re:Scenario

[Noryungi]

My dear friend, you do not understand how these things work.

You work at NSA, you are always using the latest, newest, biggest, baddest, sweetest technology ever devised by men. You literally have computer companies begging you to buy their stuff. For a lot of these people (heck, that may even include me) that is motivation enough.

AND, if you are discreet about it, you can even be privy to potentially very lucrative a lot of state secrets. Or even personal secrets, who knows?. Obviously, if Snowden gave us something, it is the knowledge that NSA is not very good at information compartmentalization...

But here is the kicker: if you ever decide to leave the NSA, for retirement or otherwise, the private sector (at least the US private sector) will greet you with open arms and pay you a sh*tload of money to work as a consultant or senior manager. And we are talking about a SH*TLOAD of money, conflict of interests be damned. You are now one of the big boys, kid, enjoy your (semi-)retirement.

No need to betray US interests, no need to reveal super secret information: you are NSA. You are above the law. Just leave your morals at the door, please.