Equation Group Malware: Scary, Yes; Risk to You? Not Much
A report earlier this week on the discovery of the Equation group malware pointed to "a threat actor that surpasses anything known in terms of complexity and sophistication of techniques," one that reportedly has spent nearly 20 years secretly distributing a family of powerful malware programs.
Should you be concerned about your data? While these sophisticated tools underscore the vulnerability of the computer hardware we use every day, a careful reading of the relevant reports suggests that for the average consumer or enterprise user, the actual threat of an Equation group attack is quite low.
Similar to Stuxnet
Kaspersky Lab, a Moscow-based security firm, did not identify a particular nation-state or organizational source for the malware in its report. But the firm repeatedly highlighted the tactical and structural similarities between the Equation group malware and Stuxnet, a sophisticated computer worm that reportedly destroyed one-fifth of Iran's nuclear centrifuges in 2009 and 2010. In 2012, a New York Times story identified Stuxnet as a joint operation of the United States and Israel, dubbed "Olympic Games."
As Kaspersky observed in its report, "the similar type of usage of [two 'zero-day' exploits] together in different computer worms, at around the same time, indicates that the Equation group and the Stuxnet developers are either the same or working closely together."
A number of news reports have gone further, pointing a finger at the U.S. National Security Agency as the likely culprit.
Most Targets Overseas
Victims of Equation group infections were identified in 30 countries; the eight most-targeted nations were Iran, Russian Federation, Pakistan, Afghanistan, India, China, Syria and Mali. Of the 10 nations listed as having a moderate infection rate, only one -- the United Kingdom -- was outside of Africa or the Mideast. The United States had a low infection rate, and no victims were discovered in Canada at all.
In addition to the geopolitically sensitive targeting of the viral activity, the Equation group also focused on a relatively small but high-profile list of organizations and industries, including:
- Governments and diplomatic institutions
- Energy, oil and gas, and nuclear research
- Islamic activists and scholars
- Mass media
- Financial institutions
- Companies developing cryptographic technologies
One overlooked aspect of the Kaspersky Lab report is the relatively low rate of detected infection. The security firm noted in bold letters that it identified "more than 500 victims worldwide." Based on the fact that many of the infections had a "self-destruct mechanism," Kaspersky estimated that "there were probably tens of thousands of infections around the world" over the two decades the Equation group has been active. Of course, over the same period of time, consumers and businesses have purchased billions of personal computers and tens of millions of servers, so the percentage of machines infected by the Equation group is statistically tiny.
How Do I Know If My Hard Drive Is Infected?
But as the old saying goes, just because you are paranoid doesn't mean they're not out to get you. What has so many industry experts concerned is both the sophistication of the attacks and the challenge of detecting them.
In particular, Kaspersky reported, two of the Equation group's malware modules had the capability to infect a hard drive's firmware and provide API access "into a set of hidden sectors" on the hard drive. Those sectors would be invisible and resistant to deletion or even reformatting of the disk. This has led some experts to suggest that the only true solution for an infected hard drive is to run it through a chipper/shredder.
We reached out to the security firm Symantec to ask for its consumer recommendations. We were referred to a staff blog post which claims that in fact, Symantec products are capable of detecting at least some of the Equation group malware.
"Grayphish and Equdrug have a modular structure," the blog post said. "Aside from standard modules, a number of specialized features can also be employed. Among this is a highly sophisticated and rarely used module that allows the malware to reprogram the firmware on a range of popular hard disks, providing the attackers with a persistent presence that can survive disk reformatting. Symantec detects this module as Packed.Generic.483."
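The firmware-reprogramming capability described above is hard to detect from inside the operating system, but an administrator can at least keep a baseline of what each drive reports about itself and flag changes. The following is an added example, not code from the article, from Kaspersky Lab, or from Symantec: it parses identity fields from `smartctl -i`-style output (the sample text is constructed here) and diffs a current inventory against a saved baseline. A drive whose firmware has been reprogrammed can lie about its own version, so an unchanged result is not proof of a clean drive; an unexpected change, though, is worth investigating.

```python
"""Baseline-and-diff check for disk identity and firmware fields.

Assumed input format: the "INFORMATION SECTION" of `smartctl -i /dev/sdX`
(Device Model, Serial Number, Firmware Version, User Capacity lines).
Sample output below is constructed for this example, not real drive data.
Caveat: malicious firmware can report a false version, so this check
only catches changes the firmware chooses to show.
"""
import re

# Identity fields we record per drive (keyed by serial number).
FIELDS = ("Device Model", "Serial Number", "Firmware Version", "User Capacity")
COMPARED = ("Device Model", "Firmware Version", "User Capacity")

# Constructed sample output, in the shape of `smartctl -i`.
BASELINE_TEXTS = [
    "smartctl 7.2 2020-12-30 r5155 [x86_64-linux] (local build)\n"
    "=== START OF INFORMATION SECTION ===\n"
    "Model Family:     Example Vendor Disks\n"
    "Device Model:     EXAMPLE-HDD-2TB\n"
    "Serial Number:    EXAMPLE0001\n"
    "Firmware Version: 1A02\n"
    "User Capacity:    2,000,398,934,016 bytes [2.00 TB]\n",
    "=== START OF INFORMATION SECTION ===\n"
    "Device Model:     EXAMPLE-SSD-500G\n"
    "Serial Number:    EXAMPLE0002\n"
    "Firmware Version: S3B1\n"
    "User Capacity:    500,107,862,016 bytes [500 GB]\n",
]

# Same drives later: the first one now reports a different firmware version.
CURRENT_TEXTS = [
    "=== START OF INFORMATION SECTION ===\n"
    "Device Model:     EXAMPLE-HDD-2TB\n"
    "Serial Number:    EXAMPLE0001\n"
    "Firmware Version: 7F10\n"
    "User Capacity:    2,000,398,934,016 bytes [2.00 TB]\n",
    BASELINE_TEXTS[1],
]


def parse_smartctl_info(text):
    """Extract the identity fields from one drive's `smartctl -i` output."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+?):\s+(.*\S)\s*$", line)
        if m and m.group(1) in FIELDS:
            info[m.group(1)] = m.group(2)
    return info


def index_by_serial(texts):
    """Build {serial: fields} for a list of per-drive outputs."""
    inventory = {}
    for text in texts:
        info = parse_smartctl_info(text)
        serial = info.get("Serial Number")
        if serial:  # skip outputs that do not identify a drive
            inventory[serial] = info
    return inventory


def compare_to_baseline(baseline, current):
    """Return (serial, field, old, new) tuples for every difference found.

    Drives that vanished or appeared are reported under the field "presence".
    """
    findings = []
    for serial, old in baseline.items():
        new = current.get(serial)
        if new is None:
            findings.append((serial, "presence", "present", "missing"))
            continue
        for field in COMPARED:
            if old.get(field) != new.get(field):
                findings.append((serial, field, old.get(field), new.get(field)))
    for serial in sorted(current.keys() - baseline.keys()):
        findings.append((serial, "presence", "missing", "present"))
    return findings


def run_demo():
    """Diff the constructed current inventory against the constructed baseline."""
    return compare_to_baseline(index_by_serial(BASELINE_TEXTS),
                               index_by_serial(CURRENT_TEXTS))


if __name__ == "__main__":
    for serial, field, old, new in run_demo():
        print(f"{serial}: {field} changed from {old!r} to {new!r}")
```

In practice the baseline would be captured once per drive (for example right after provisioning) and stored off the host, with the current inventory collected on a schedule; a firmware version that changes outside a known vendor update, or a capacity that shrinks, is the signal to pull the drive for closer examination rather than to trust what it reports.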