Shining light on the shadowy, "superhuman" state-level Equation Group hackers


Well, there goes the argument for the utility of code-signing.


As a professional hacker (defensive only, and not the usual job title, usually something like “computer security researcher” or “application security engineer”, etc)… here is my opinion on this:

I usually tend to agree with these reports in terms of tracking out apparent sophistication and relating that back to likely instigators considering factors such as the requirement to have had multiple people on the job and motive… but with caveats.

Caveats: (a) individuals and smaller organizations and groups do have a lot of these capacities. (b) Some criminal organizations can duplicate these levels of sophistication. (c) One nation or group - or even a highly experienced and talented individual with zero life - can duplicate many of these sorts of activities. This can include one nation making it look like another nation is doing something hostile. This is one of the more scary possibilities out there, but it is true. (d) Almost always I find myself ultimately disgusted or otherwise not impressed for simpler, bigger picture factors such as ‘they got caught’, as their primary hallmark of expertise or professionalism in anything well planned should be “Do Not Get Caught”.

That latter caveat includes such failures as widely disseminating information about your Super Secret Hacking Spy Project so that someone outside your group can tell someone else. E.g., Compartmentalization 101.

Put another way, in context of Snowden, of whom I am a fan: there is another factor with Snowden’s disclosures that highly annoys me and that is the fact that even Snowden being able to do this that he did shows there are extreme problems of severe incompetence in those systems of intelligence. This annoyance included the fact that no one high up got fired, and instead, they were able to run the prime time talk circuit and perform PR damage control. Sure, they came off as effectively evil to many, but that definition did not include what they really are: Rank. Incompetent.

Not that this matters much to me, as these governments being rank incompetents helps ensure that if they try and pull off Really Bad Things like systematic extortion systems to control politicians and corporations… that they would and will eventually get caught and exposed.

Instead, just an artistic annoyance.


What a thoroughly demoralising read that was… but I’m glad I read it and Ars are writing about this stuff.


Things have really gotten pretty cyberpunk, eh?


Carrier pigeons look better every day…

Speaking of Snowden, are there any links out there to his document dumps? It is inspiring to read that he “exposed” so much NSA activity, yet I have never actually seen any of it. I find this infiltration and data collection very interesting.

Hardly. That’s like saying since a lock was successfully picked somewhere, you’re never going to lock anything again. Anything can have exploits, this has always been the case. Time to step up our game.


Add the factor that the zero-life thing can screw with your mind in interesting ways, over the years.


Greetings fellow comrade!

So to jump right in, if the ars article is accurate (and I have no reason to believe otherwise) there are two facets that concern me the most:

  1. The expertise to hook loaders the way they did on as many OS’s as they did. I worked with a kernel team during the Vista 64 transition and even just the test cases were nightmares. And most of the tricks you could use to easily patch win32 were worthless. So, their pure ecosystem research team is probably bigger than some entire companies I’ve worked for.

  2. The unethical use of zero days in stock OSs. LNK and the signed sys file have been vulnerable for years, it wasn’t disclosed, and that is not okay.

I’ve worked with some amazing kernel devs, but none of them could have pulled this off ‘lone wolf style’. And while their samples were sitting on VirusTotal–but no one could figure out what they were or that they were important–points to better operational security than most of the industry.

And now I’m gonna dig for more details, this IMHO is the info sec equivalent of discovering Pompeii.


Hah, I looove having “zero life” space. Only, I consider I have “a life” because I have so much free time to spend on trivial matters, or matters that I otherwise would not get paid for. (But thoroughly enjoy.)

But, some lone wolf out there spending the necessary time to find a major security vulnerability, write a highly sophisticated exploit package, manage the risk and effort to effectively implement the attack… that takes months and months of extremely hard work. And on top of that people capable of such things typically would already be employed in such a fashion. So they would be working two jobs doing that gruesome work. And, never even mind the fact that there is an easy to reach market where they could be selling legally at the least the security vulnerability… so besides the extreme sacrifice of time of a highly experienced/trained engineer…

Anyone who is experienced as a vulnerability finder in major applications (as opposed to smaller release systems poorly developed and qa’d eg web apps and such), creating their own, sophisticated attack code or severely customizing someone else’s, and actually performing the hacking (maintenance of the system, required network reconnaissance and patience) is already someone who is well acquainted with spending months and months toiling deep in very complicated crap… in a patient, usually solitary fashion… but using that capability for some lone project for which one is not going to get paid? That is severely no life in the sort of way that means “they find ‘fun’ to be a most hateful and despised a thing, as well as sleep, and just about anything else”. Finally, to actually do it to get away with it means they have the capacity to entirely forego any slightest jolt of … desire to in anyway speak of what they have done.

But there are people who do this and can do this. Much more likely in less developed countries where they are less inclined to instead decide to get a proper paying job in accordance with their skills or be swamped with a wealth of frivolous diversions to engage in instead.

  1. With N. Korea plausibly conjectured to achieve compact nukes within one year, I don’t care.
  2. The Russians, and most other big actors, likely guard the chain of possession of USB and other media, from package to insertion, with assault rifles.
    a. They may well use proprietary media, or state-manufactured sticks.
  3. ‘Fanny’, and the other identifiers, are likely pulled at random out of a hat. Spycraft avoids descriptive labels where security is a premium.
  4. Important servers are likely not only air-gapped, but covered with Faraday cages, with inputs and outputs served by optic fiber.
  5. Kaspersky may be operating under state strictures, but it would be peculiar for the Kremlin to have known that they know more than they would like. Again, spycraft is often the art of seeming to be consummately ignorant. When the CIA managed to breach an important telecom trunk, the Russians essentially let a torrent of some of the most important state secrets through, until a fortuitous flooding gave them the excuse to shut down the conduit permanently for quite legitimate reasons.

Yes and no. In this case it came from an embedded string, e:\images\fanny.BMP.

Many years ago I named a malware family win32 Hearse, since it had the Russian string for hearse (katafall) embedded in it.


Even some of the most important machines in the world, hardware security modules (the holder of the CA root keys) may be air gapped, but I have never–even at the largest CAs–seen a Faraday cage.

Norks are a nice diversion, so there are “less important things we don’t care about”.

The Russians are as lax in their security as anybody else. That, and the vodka factor.

Unlikely. Mostly they will go with the same off-the-shelf hardware as everybody else. (With few exceptions, where milspec mechanics or temperature requirements are needed, but that’s about it.)

Unless it is named later by a third party; descriptive names are common there.

Rare as hen’s teeth. Maybe the rooms with crypto gear in embassies, but that’s about it.

And even those servers are usually compromised; all you need is a properly vetted, security-cleared technician (or anybody with the access rights) that is also a mole. Not entirely unheard of in the field of intelligence.

You’ll more often find TEMPEST-grade shielded casings of the individual machines; shielded rooms are quite uncommon.

If they knew, it gave them a way to feed doctored information through the conduit. Also not unheard about; even computer hardware can serve as a double agent.

In this game you cannot believe (nor trust) just about anything.

And sometimes you can even be happy that the adversary knows the truth - e.g. when you want to deescalate a conflict and you know (guess how) they want too.


I was not stating that this looks like a lone wolf act. That statement was one in a numbered list in regards to my reaction often on attribution releases by security companies, in general.

Worth stating from my own perspective because I have so often seen singular individuals finding serious security vulnerabilities and writing custom, innovative exploit code to go along with it. I suppose one reason this awareness tends to not be easy to find is because their work tends to either be entirely undisclosed, or obfuscated by many layers of what is effectively marketing.

As you are experienced in kernel level development and security, maybe you have been in such teams or experienced such things. Or maybe not, I do not know. Most kernel level developers in the security field I run into involve themselves in security development, like writing engines for anti-virus or ips and such. Or anti-copyright protection systems. And dabbled in kernel level attack code, if at all.

A bullet point I did not add was the possibility of unknown entities, eg, like rogue or other groups whose affiliation would be very difficult to deduce. That was covered under “other organizations”, however.

This, it does look like government work, as Stuxnet did. Like Stuxnet, it also has a lot of errors involved in it, some which were very fatal to the entire operation. The one that sticks out to me in the article is the reliance on known security vulnerabilities.

Using known security vulnerabilities in an attack highly increases the chance that attack will be detected. If an intelligence motivated attack is detected, it opens the very dire possibility of compromising any intelligence from that attack and worse because of the power of false information under the conditions of secret surveillance. High competence via numbers of people mixed with shocking incompetence? That is government work for you right there.


To be clear (I mentioned Kaspersky’s ties to the Russian intelligence forces), Kaspersky worked in that field, which is open knowledge (however). I did also add that Kaspersky reports do tend to seem to have valid, unbiased findings which are accurate, however.

In comparison, this is not like Apple working in the States under States strictures, but more like Mandiant… kind of exactly like Mandiant… where at least a few of their top people started out in the local intelligence agencies. (Also, open knowledge.)

I also find Mandiant’s report a few years back likely largely accurate, but one would have to be a complete fool to not consider the possibility that some or even much of the data may either be entirely falsified or at the very least (and so much more likely) partially falsified.

It might also be noted that when firms have these close of ties to their national intelligence agencies typically one will find word in the grapevine that there exists a distinct possibility these people are not at all former intelligence officers, at all.

On the CIA case, I take it you are referring to the time the telecom trunk in East Germany was compromised? I do not recall how they shut that down, but they let it run a bit and put in deceptively intelligent and very actionable false information in that torrent of data. That was a bind for them, because on one hand, the attack was real and it would be impossible to entirely protect at such short notice all the information going there… but if they closed it too soon it would have likely revealed the fact - definitely given rise to suspicion for, anyway - that they had a mole privy to this operation. Which they did, in the UK side of things, who were a joint partner in that operation.

In many of these state based hacking for intelligence attacks, these factors typically are not there. What an intelligence agency wants to do when they discover a previously unknown method of secret surveillance is control the information given to the listener who almost invariably takes the lies all the more seriously because it involved so much work to obtain and they believe the surveillance methods are hidden safe.

Usually these systems are given up to the public when, for some reason, that is not a viable possibility.

Counterintelligence guys never have the urge to arrest, but the urge to watch, follow, and listen.


I have never met a security Intel company, even my own, that I would trust attribution to be 100% right. Hell, not even 50%. It is way too easy to plant false flags, tunnel, add tidbits like Russian strings to ever be sure. At some point it comes back to meat space (as in old fashioned, real investigations by LE).


…Clifford Stoll, is that you?!


Hard to get any sort of proof, I would say, in that area of business. Even with attributing guilt by motive, that can be hard because nations will attack their own to help spread deniability and even throw in false information campaigns through their friendlies being hacked. E.g., see the LulzSec/FBI/Stratfor crap.

Though in Mandiant and Kaspersky’s case, probably more influence like “okay do not report this while we investigate” … delay, can be years… “okay, now report this, that is okay to do”.

They have to report to LE and LE has to report to CI who owns that domain and very often is a division with the very same agency, onshore.