The discovery of Stuxnet in the wild was a watershed moment, signalling the first known salvo sent across the wires of the Internet to strike at an enemy far away. The fact that a piece of software could wreak such destruction in the real world was what drew most people’s interest; however, the way in which it achieved this was, in my opinion, far more interesting than the results it caused. Stuxnet showed that nation state sponsored malware was capable of things far beyond what we’d attributed to malicious hackers in the past, and it made us wonder what those actors were really capable of. Thanks to Kaspersky Labs we now have a really good (read: scary) idea of what a nation state can develop, and it’s beyond what many of us thought would be possible.
The Equation Group has been identified as being linked to several different pieces of malware that have surfaced in various countries around the world. They’ve been in operation for over a decade and have continuously improved their toolset over that time. Interestingly, this group appears to have ties to the development teams behind both Stuxnet and Regin, as some of the exploits found in early versions of Equation Group’s tools were also found in those pieces of malware. However, those zero day exploits were really just the tip of the spear in Equation Group’s arsenal, as what Kaspersky Labs has discovered is far beyond anything else we’ve ever seen.
Perhaps the most fascinating piece of software that the group has developed is the ability to rewrite hard disk firmware, which allows them to persist their malware through reboots, operating system reinstalls and even low level formats. If that wasn’t nasty enough, there’s actually no way (currently) to detect an infection of that nature, as few hard drives include the capability to read the firmware back once it’s been written. That means once the firmware has wormed its way into your system there’s very little you could do to detect and remove it, save buying a whole new PC from a random vendor and keeping it isolated from every other device.
This then feeds into their other tools, which give them unprecedented control over every facet of a Windows operating system. GrayFish, as it has been dubbed, completely replaces the bootloader and from there completely controls how Windows loads and operates. Essentially, once a system is under GrayFish control it no longer uses any of its core boot processes, which are replaced by GrayFish’s toolkit. This allows Equation Group to inject malware into almost every aspect of the system, preventing detection and giving them complete control to load any of their other malware modules. This shows a level of understanding of the operating system that would rival top Microsoft technicians, even those who have direct access to the source code. Although, to be honest, I wouldn’t be surprised if they had access to the source code themselves given the level of sophistication here.
These things barely begin to describe the capabilities that the Equation Group has developed over the past couple of years, as their level of knowledge, sophistication and penetration into world networks is well above anything the general public has known about before. It would be terrifying if it wasn’t so interesting, as it shows just what can be accomplished when you’ve got the backing of an entire nation behind you. I’m guessing that it won’t be long before we uncover more of what the Equation Group is capable of and, suffice to say, whatever they come up with next will once again set the standard for what malware can be capable of.
It’s really hard to have anything but admiration for Stuxnet. It was the first piece of software that could be clearly defined as a weapon, one with a very specific purpose in mind that used all manner of tricks to accomplish its task. Since its discovery there hasn’t been another piece of software that’s come close to it in terms of capability, although there are always rumours and speculation about what might be coming next. Regin, discovered by Symantec, has been infecting computers since at least 2008 and is the next candidate for the cyber-weapon title, and whilst its mode of operation is more clandestine (and thus, a little more boring) it’s more what it’s not that interests me most.
Unlike Stuxnet, and most other malware you’ll encounter these days, Regin is designed to infect a single target with no further mechanism to spread itself. This is interesting because most run-of-the-mill malware wants to get itself onto as many machines as possible, furthering the chances that it’ll pick up something of value. Malware of this nature, for which we haven’t identified a specific infection vector, means that its purpose is far more targeted and that it was likely developed with specific targets in mind. Indeed, the architecture of the software, which is highly modular in nature, indicates that Regin is deployed against a very specific subset of targets rather than being allowed to roam free and find targets of interest.
Regin has the ability to load various modules depending on what its command and control servers tell it to do. The functions range from interchangeable communication methods (one of which includes the incredibly insidious idea of encoding data within ping packets) to modules designed to target specific pieces of software. It’s quite possible that the list Symantec has created isn’t exhaustive either, as Regin attempts to leave very little data at rest. Indeed, Symantec hasn’t been able to recover any of the data captured by this particular bit of malware, indicating that captured data is likely not stored for long, if at all.
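The ping-packet channel mentioned above is something a defender can actually look for: normal ping tools fill the ICMP echo payload with a fixed, predictable filler, so a payload that matches no known filler and has high entropy is worth a second look. The following is an added example written for this page, not code from the original post or from Symantec’s analysis; the filler patterns for Linux iputils and Windows ping, the entropy threshold and the sample payloads are all assumptions or constructed input.

```python
"""Heuristic detector for data smuggled inside ICMP echo payloads (added
example, not code from the original post or Symantec's Regin write-up).
Normal ping tools fill the echo payload with a fixed filler, so a payload
that is neither known filler nor low-entropy deserves a second look.
The filler patterns and the entropy threshold are assumptions."""
import math

# Windows ping sends a 32-byte repeating alphabet (assumption).
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_iputils_filler(payload: bytes) -> bool:
    """Linux iputils ping: 8-byte timestamp, then 0x08, 0x09, ... (assumption)."""
    body = payload[8:]
    return len(body) > 0 and all(b == (8 + i) & 0xFF for i, b in enumerate(body))

def is_windows_filler(payload: bytes) -> bool:
    return len(payload) > 0 and WINDOWS_FILLER.startswith(payload)

def classify(payload: bytes, entropy_threshold: float = 4.0) -> str:
    """'benign' for known filler; otherwise a 'suspicious: ...' reason."""
    if is_iputils_filler(payload) or is_windows_filler(payload):
        return "benign"
    if shannon_entropy(payload) > entropy_threshold:
        return "suspicious: high-entropy payload"
    return "suspicious: non-standard filler"

def scan(payloads):
    """Return (index, verdict) for each payload that is not benign."""
    return [(i, classify(p)) for i, p in enumerate(payloads)
            if classify(p) != "benign"]

# Constructed samples: a Linux ping, a Windows ping, an odd constant filler,
# and a high-entropy blob standing in for encrypted exfiltrated data.
SAMPLES = [bytes(8) + bytes(range(8, 56)), WINDOWS_FILLER, b"A" * 32,
           bytes(range(0, 256, 3))]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLES):
        print(f"payload {idx}: {verdict}")
```

In practice the payloads would come from a packet capture or an IDS feed, and the verdict would be one signal among several (volume, timing, destination) rather than an alert on its own.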
Due to its non-worm nature, the range of targets that Regin has infected gives a pretty good indication as to what its intended purpose is. The two largest groups of targets were individuals and telecommunications backbones, indicating that its purpose is likely information gathering on a large scale. The location of infections indicates that this piece of software was likely western in origin, as the primary targets were Russia and Saudi Arabia with very few targets within western countries. It’s unlikely that this tool was developed for a specific operation, however, due to its modular nature, so I don’t believe there’s any relationship between different infections apart from them using the same framework.
Just like Stuxnet, I’m sure we won’t know the full story of Regin for some time to come, as software of this nature is incredibly adept at hiding its true purpose. Whilst its capabilities appear to be rather run-of-the-mill, the way in which it achieves them is very impressive. More interesting, though, is its non-worm nature which, whilst it may have prevented its detection for some time, hints heavily at its true purpose and origin. I’m really looking forward to further analysis of this particular piece of software, as it gives us a rare insight into the world of clandestine cyber warfare operations.