ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Equation Group

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Equation Group

NamesEquation Group (real name)
Tilded Team (CrySys)
Platinum Colony (SecureWorks)
CountryUSA USA
SponsorState-sponsored, believed to be tied to the NSA’s Tailored Access Operations unit
MotivationInformation theft and espionage, Sabotage and destruction
First seen2001
Description(Ars Technica) Kaspersky researchers have documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list. Because of a self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total; the actual number of victims likely reaches into the tens of thousands.

A long list of almost superhuman technical feats illustrate Equation Group’s extraordinary skill, painstaking work, and unlimited resources. They include:
• The use of virtual file systems, a feature also found in the highly sophisticated Regin malware. Recently published documents provided by Ed Snowden indicate that the NSA used Regin to infect the partly state-owned Belgian firm Belgacom.
• The stashing of malicious files in multiple branches of an infected computer’s registry. By encrypting all malicious files and storing them in multiple branches of a computer’s Windows registry, the infection was impossible to detect using antivirus software.
• Redirects that sent iPhone users to unique exploit Web pages. In addition, infected machines reporting to Equation Group command servers identified themselves as Macs, an indication that the group successfully compromised both iOS and OS X devices.
• The use of more than 300 Internet domains and 100 servers to host a sprawling command and control infrastructure.
• USB stick-based reconnaissance malware to map air-gapped networks, which are so sensitive that they aren’t connected to the Internet. Both Stuxnet and the related Flame malware platform also had the ability to bridge airgaps.
• An unusual if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require that all third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent this restriction, Equation Group malware exploited a known vulnerability in an already signed driver for CloneCD to achieve kernel-level code execution.

Taken together, the accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware in Operation Olympic Games.

Other publicly exposed major APT activities from the NSA involve the wholesale worldwide spying from programs such as PRISM and, together with GCHQ, INCENSER, where various international Internet trunks were tapped.
ObservedSectors: Aerospace, Defense, Energy, Government, Media, Oil and gas, Telecommunications, Transportation and Nanotechnology, Nuclear research, Islamic activists and scholars, and companies developing cryptographic technologies.
Countries: Afghanistan, Bangladesh, Belgium, Brazil, Ecuador, France, Germany, Hong Kong, India, Iran, Iraq, Israel, Kazakhstan, Lebanon, Libya, Malaysia, Mali, Mexico, Nigeria, Pakistan, Palestine, Philippines, Qatar, Russia, Singapore, Somalia, South Africa, Sudan, Switzerland, Syria, UAE, UK, USA, Yemen.
Tools usedDarkPulsar, DOUBLEFANTASY, DoublePulsar, Duqu, EQUATIONDRUG, EQUATIONLASER, FANNY, Flame, GRAYFISH, GROK, Lambert, OddJob, Regin, TRIPLEFANTASY, UNITEDRAKE and many others.
Counter operationsAug 2016Their arsenal of 0-day cyber weapons was stolen by an actor Shadow Brokers, who leaked a large section on the internet and tried to sell the rest afterward.
Most notable among the dumps were 0-days such as ETERNALBLUE and ETERNALROMANCE that were used by other groups for the creation of infamous ransomware explosions such as WannaCry and NotPetya.

Last change to this card: 10 August 2021

Download this actor card in PDF or JSON format

Previous: Energetic Bear, Dragonfly
Next: Evil Eye

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]