The secret war of hackers: The Equation Group, the "armed" cyber arm of US intelligence

(by Ciro Metuarata)
12/03/18

That the Internet was designed and first implemented in a military context in the United States is certainly no mystery. It is well known that many computer technologies, as well as the major manufacturers that sell them, come from that country. It should therefore not be surprising that the US has the longest and most consistent experience in cyberspace, a dimension that many other countries have "discovered" only relatively recently. It is natural, therefore, that after writing about The Lazarus, the surprisingly active group of North Korean hackers (see article), we now describe a cyber cell attributed to the United States. It is The Equation Group, which is believed to be closely linked in some way to the powerful US intelligence community and whose history is intertwined with international events of dark outline and surprising consequences. Diplomacy, espionage and counterintelligence, the struggle for world supremacy in the economic, scientific, technological and military fields, political activism and almost science-fiction technology. The story of The Equation is all this, and it surprises and excites anyone who has the desire and the time to dig into it.

Let's start by saying that The Equation is the name given by the researchers of Kaspersky Lab and adopted almost unanimously worldwide. Much of what is known about this organization is due precisely to this company and to its competitor Symantec, but not only to them. Many researchers have dedicated themselves, and still do, to The Equation. Moreover, as we will see later, some confirmation of what was discovered, and much other "first hand" information, was provided by Edward Snowden, a former collaborator of the National Security Agency (NSA), and by a mysterious rival cyber group.

In particular, from the investigations by security company researchers and from news leaks about The Equation, the characteristics that unequivocally distinguish it from other groups emerge.

First point. This cell appears to be well structured and endowed with substantial resources. In fact, by analyzing the comments found in the source code of some of its malware and in the related operational manuals, it is possible to understand that the group includes software developers with different levels of experience, technical support managers and operational agents who use the tools in the field. This precise structure and the significant number of its members, which can be inferred from the different programming "styles", lead us to believe that in all probability it is a cell supported by a powerful nation.

Second point. The nation in question would be the United States. Specifically, some revelations backed by documents deemed authentic, and other leaks concerning a particular affair described below, leave little doubt that The Equation is strongly linked to the NSA and has cooperated, at least on one occasion, with the Central Intelligence Agency (CIA). Moreover, this would be confirmed by the fact that some cyber attacks attributed to the group have certainly also involved agents operating with "traditional" methods.

Third point. Many of the technologies and techniques used by The Equation in its cyber operations are so sophisticated that they have no equal anywhere in the world. This confirms both that it is an organization with vast resources at its disposal and that it possesses considerable experience gained over several years of activity. Unfortunately, however, in some cases the technologies used have escaped the cell's control, with disastrous results.

Last point, linked in some way to the previous one. The peculiarity of the group lies in its ability to launch sophisticated targeted attacks that go on for a long time, thanks to the use of advanced detection-evasion techniques (the so-called Advanced Persistent Threat). In many cases, in fact, operations were uncovered only after they had already been under way for months, if not, sometimes, for years. The members of the group are therefore very able to hide their activities in cyberspace. So we come to the most significant events that have characterized, so far, the history of The Equation, bearing in mind that, precisely because of the aforementioned ability, the dating of events is inevitably imprecise.

The cell's first operation would date back to 2001, although according to some The Equation was already active from 1996. However, the most concrete evidence of its cyber activities is generally traced back to the 2002-2003 period, when The Equation is said to have spread some malware by concealing it on the installation CD-ROM of a well-known program, delivered in some way to the targets. A similar technique was found in 2009, when another compromised CD-ROM was delivered to some eminent scientists who had taken part in a major world-class congress. In this case too the CD seemed authentic but, in reality, contained a series of malware designed to carry out sophisticated espionage activities.

The true "masterpiece" of The Equation would date back to the 2009-2010 period, when the world met Stuxnet. A lot has been written about this story, and it has also been told in a film, but it is worth recalling. According to press reports confirmed by many sources, at the time of his election President Obama inherited a secret program, code-named Olympic Games, initiated by his predecessor Bush Jr. in 2006. The idea behind this operation, aimed at delaying or stopping Iran's nuclear development program, was revolutionary and ambitious for the time: to achieve this through a cyber campaign, without triggering an international crisis. At this point The Equation, or one of its elite cells, would have come into play and, in the context of a complex and risky sabotage operation, developed the most sophisticated and "lethal" cyber weapon ever seen until then: the aforementioned Stuxnet and some of its variants. In particular, The Equation would have collaborated with the CIA and with the cyber cell of a friendly country (reportedly Israel) in order to create "the perfect secret agent" of cyberspace. Once ready, Stuxnet was introduced into the computer network of the Natanz nuclear facility in Iran, certainly thanks to "human" intervention. That network, in fact, was confined to the plant and was not connected to other systems, let alone to the Internet. Once inside, the malware spread silently and secretly collected all the information about the systems connected to the network and the procedures used in the plant. The target was the management system of the centrifuges used to enrich uranium and, in particular, the computers that controlled their operation. Stuxnet's mission, in fact, was to irreparably damage the centrifuges, delaying the uranium enrichment program, since enriched uranium could potentially be used to build nuclear warheads.

The malware did not fail its mission. After weeks of patiently gathering the necessary information, the malware, again with the help of an agent "in the flesh", managed to get in touch with the operation's control center and transmit everything it had discovered. Finally, at the appointed time, it struck the plant. During a night shift less manned than usual, the centrifuges all simultaneously received a wrong command that changed their normal operating parameters. At the same time, the plant's control system was deceived and did not detect any changes or anomalies in the operation of the machines. The result: thousands of damaged centrifuges and a nuclear program suspended for months. Several aspects of the operation remain unclear, including the real extent of the damage done to the Iranian nuclear program, but it was undoubtedly a success. For the first time in history, a cyber operation employed what until then had only been hypothesized: a cyber-weapon capable of transferring its effects from the virtual dimension to the real one.

Success, however, was overshadowed by an adverse consequence. Something went wrong and, even though Stuxnet had been programmed to self-destruct without leaving traces at the end of its mission, it escaped the control of its creators and spread across the Internet. It was only a matter of time before Stuxnet, beyond the hands of information security researchers, also ended up in those of unscrupulous cyber criminals, and from that moment on people began to talk about the phenomenon of the "proliferation of cyber-weapons".

Stuxnet is not the only surprising malware that has been attributed to The Equation. Starting from 2001, EquationLaser, DoubleFantasy, Flame, EquationDrug, Fanny, GrayFish and yet other products have been designed to fulfill the same mission as Stuxnet, i.e. spying and sabotage. And they did it as no other instrument had been able to do before. In total, more than 500 attacks attributable to the group have been documented, involving at least 42 nations, including the aforementioned Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali, the most notable for the number of "victims". However, because of the self-destruct mechanisms of The Equation's malware, the suspicion is that the number of devices hit by the cell is much higher, amounting to tens of thousands.

While admitting that it has the ability to conduct cyber campaigns, especially against Islamic terrorist groups, the US has never acknowledged its responsibility for the activities attributed to The Equation. Greatly complicating things for the American administration, however, was Edward Snowden, a former NSA employee and later external contractor who, having "converted" into a political activist, in 2013 provided WikiLeaks and the press with thousands of documents related to the cyber activities of his former Agency. Moreover, among the revelations made by Snowden, some concerned the story of Stuxnet.

Three years later, while The Equation's operations nonetheless continued, a mysterious group of hackers entered the scene claiming to have infiltrated the US cyber cell and to have stolen many documents and, above all, some malware: The Shadow Brokers. Specifically, in the summer of 2016 this organization presented itself to the world by auctioning off a series of information about the activities of The Equation. The auction went virtually deserted and the group began to deliberately publish increasingly explosive material, including the source code of some "products made in NSA". At the same time some serious security vulnerabilities in very widely used software were disclosed, until then unknown even to the vendors themselves but discovered and exploited by The Equation (the so-called zero-day vulnerabilities). Moreover, in April 2017 The Shadow Brokers also revealed the identity of a former collaborator of the Agency who had in the past been part of the elite team dedicated to the most sophisticated cyber intelligence activities aimed at the countries most hostile to the US government: the Tailored Access Operations unit. Together with his identity, the tools used by the former agent were disseminated which, added to what had been published previously, put into circulation an uncontrollable number of powerful new malware and unknown vulnerabilities. One of these was later exploited to launch the infamous WannaCryptor attack, apparently by North Korean hands (see article).

Who is behind The Shadow Brokers? Where do they come from? Are they "repentant" former NSA agents like Snowden, or do they belong to some government hostile to the US? If so, which government would it be? American counterintelligence is investigating some of the Agency's collaborators, but some, including Snowden, point the finger at the Russian government, highlighting the particular circumstances in which The Shadow Brokers acted (the US presidential election period, see article), already the subject of delicate investigations by the American authorities. But this is another story. Or maybe not?

Ultimately, however, between partial admissions, denials and lack of confirmation, the US government has not yet officially acknowledged its involvement with The Equation Group. What is certain is that an underground war has been raging in cyberspace for some time, low blows included. The interests at stake are enormous, and it is safe to bet that The Equation, or the group that has perhaps risen from its ashes, will continue for a long time to play a leading role among the cyber cells operating in that domain. Moreover, it will probably do so by taking greater precautions so as not to be discovered again.


To learn more:

http://www.datamanager.it/2017/03/ci-cia-nsa-dietro-lequation-group/

https://amp.theguardian.com/technology/2016/aug/16/shadow-brokers-hack-auction-nsa-malware-equation-group

https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

https://airbus-cyber-security.com/playing-defence-equation-group/

https://www.kaspersky.com/about/press-releases/2015_equation-group-the-crown-creator-of-cyber-espionage

https://mobile.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html

http://formiche.net/2017/11/shadow-brokers-hack-nsa/

(photo: web / US Air Force)