{
	"id": "c70985eb-6c5a-42ba-86ef-01b0f9426ebf",
	"created_at": "2026-04-06T00:12:37.291469Z",
	"updated_at": "2026-04-10T13:12:49.390821Z",
	"deleted_at": null,
	"sha1_hash": "bb42fe2dbf0b6097876e81c75ddb71c787896b94",
	"title": "How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6449103,
	"plain_text": "How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last\r\n
By Dan Goodin\r\n
Published: 2015-02-16 · Archived: 2026-04-05 15:36:53 UTC\r\n
“Equation Group” ran the most advanced hacking operation ever uncovered.\r\n
CANCUN, Mexico — In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn’t know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail.\r\n
It wasn’t the first time the operators—dubbed the “Equation Group” by researchers from Moscow-based Kaspersky Lab—had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group’s extensive library. (Kaspersky settled on the name Equation Group because of members’ strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques.)\r\n
Kaspersky researchers have documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list. Because of a self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total; the actual number of victims likely reaches into the tens of thousands.\r\n
A long list of almost superhuman technical feats illustrates Equation Group’s extraordinary skill, painstaking work, and unlimited resources. They include:\r\n
The use of virtual file systems, a feature also found in the highly sophisticated Regin malware. Recently published documents provided by Ed Snowden indicate that the NSA used Regin to infect the partly state-owned Belgian firm Belgacom.\r\n
The stashing of malicious files in multiple branches of an infected computer’s registry. By encrypting all malicious files and storing them in multiple branches of a computer’s Windows registry, the infection was impossible to detect using antivirus software.\r\n
Redirects that sent iPhone users to unique exploit Web pages. In addition, infected machines reporting to Equation Group command servers identified themselves as Macs, an indication that the group successfully compromised both iOS and OS X devices.\r\n
The use of more than 300 Internet domains and 100 servers to host a sprawling command and control infrastructure.\r\n
USB stick-based reconnaissance malware to map air-gapped networks, which are so sensitive that they aren’t connected to the Internet. Both Stuxnet and the related Flame malware platform also had the ability to bridge airgaps.\r\n
An unusual if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require that all third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent this restriction, Equation Group malware exploited a known vulnerability in an already signed driver for CloneCD to achieve kernel-level code execution.\r\n
Taken together, the accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.\r\n
“It seems to me Equation Group are the ones with the coolest toys,” Costin Raiu, director of Kaspersky Lab’s global research and analysis team, told Ars. “Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.”\r\n
In an exhaustive report published Monday at the Kaspersky Security Analyst Summit here, researchers stopped short of saying Equation Group was the handiwork of the NSA—but they provided detailed evidence that strongly implicates the US spy agency.\r\n
First is the group’s known aptitude for conducting interdictions, such as installing covert implant firmware in a Cisco Systems router as it moved through the mail.\r\n
Second, a highly advanced keylogger in the Equation Group library refers to itself as “Grok” in its source code. The reference seems eerily similar to a line published last March in an Intercept article headlined “How the NSA Plans to Infect ‘Millions’ of Computers with Malware.” The article, which was based on Snowden-leaked documents, discussed an NSA-developed keylogger called Grok.\r\n
Third, other Equation Group source code makes reference to “STRAITACID” and “STRAITSHOOTER.” The code words bear a striking resemblance to “STRAITBIZARRE,” one of the most advanced malware platforms used by the NSA’s Tailored Access Operations unit. Besides sharing the unconventional spelling “strait,” Snowden-leaked documents note that STRAITBIZARRE could be turned into a disposable “shooter.” In addition, the codename FOXACID belonged to the same NSA malware framework as the Grok keylogger.\r\n
Apart from these shared code words, the Equation Group in 2008 used four zero-day vulnerabilities—including two that were later incorporated into Stuxnet.\r\n
The similarities don’t stop there. Equation Group malware dubbed GrayFish encrypted its payload with a 1,000-iteration hash of the target machine’s unique NTFS object ID. The technique makes it impossible for researchers to access the final payload without possessing the raw disk image for each individual infected machine. The technique closely resembles one used to conceal a potentially potent warhead in Gauss, a piece of highly advanced malware that shared strong technical similarities with both Stuxnet and Flame. (Stuxnet, according to The New York Times, was a joint operation between the NSA and Israel, while Flame, according to The Washington Post, was devised by the NSA, the CIA, and the Israeli military.)\r\n
Beyond the technical similarities to the Stuxnet and Flame developers, Equation Group boasted the type of extraordinary engineering skill people have come to expect from a spy organization sponsored by the world’s wealthiest nation. One of the Equation Group’s malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.\r\n
The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group’s sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.\r\n
Forensics software displays some of the hard drives Equation Group was able to commandeer using malicious firmware. Credit: Kaspersky Lab\r\n
While it’s simple for end users to re-flash their hard drives using executable files provided by manufacturers, it’s just about impossible for an outsider to reverse engineer a hard drive, read the existing firmware, and create malicious versions.\r\n
“This is an incredibly complicated thing that was achieved by these guys, and they didn’t do it for one kind of hard drive brand,” Raiu said. “It’s very dangerous and bad because once a hard drive gets infected with this malicious payload it’s impossible for anyone, especially an antivirus [provider], to scan inside that hard drive firmware. It’s simply not possible to do that.”\r\n
Equation Group’s work\r\n
One of the most intriguing elements of Equation Group is its suspected use of interdiction to infect targets. Besides speaking to the group’s organization and advanced capabilities, such interceptions demonstrate the lengths to which the group will go to infect people of interest. The CD from the 2009 Houston conference—which Kaspersky declined to identify, except to say it was related to science—tried to use the autorun.inf mechanism in Windows to install malware dubbed DoubleFantasy. Kaspersky knows that conference organizers did send attendees a disc, and the company knows the identity of at least one conference participant who received a maliciously modified one, but company researchers provided few other details and don’t know precisely how the malicious content wound up on the disc.\r\n
“It would be very easy to trace the attack back to the organizers and point them out, and this could in turn result in some very serious diplomatic incidents,” Raiu said. “Our best guess is that the organizers didn’t act in a malicious way against the participants, but [that] some of the CD-ROMs on their way to the participants were intercepted and replaced with the malicious variants.”\r\n
Even less is known about a CD for installing Oracle 8i-8.1.7 for Windows sent six or seven years earlier, except that it installed an early Equation Group malware program known as EquationLaser. The conference and Oracle CDs are the only Equation Group interdictions that Kaspersky researchers have discovered. Given how little is known about the interdictions, they weren’t likely to have been used often.\r\n
A separate method of infection relied on a worm introduced in 2008 that Kaspersky has dubbed Fanny, after a text string that appears in one of the zero-day exploits used by the worm to self-replicate. The then-unknown vulnerability resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is connected to a PC. By embedding malicious code inside the .LNK files, a booby-trapped stick could automatically infect the connected computer even when its autorun feature was turned off. The self-replication and lack of any dependence on a network connection made the vulnerability ideal for infecting air-gapped machines. (The .LNK vulnerability is classified as CVE-2010-2568.)\r\n
Some two years after first playing its role in Fanny, the .LNK exploit was added to a version of Stuxnet so that the worm could automatically spread through highly sensitive computers in Iran. Fanny also relied on an elevation-of-privilege vulnerability that was a zero day at the time the worm was introduced. In 2009, the exploit also made its way into Stuxnet, but by then, Microsoft had patched the underlying bug with the release of MS09-025.\r\n
The LNK exploit as used by Fanny. Credit: Kaspersky Lab\r\n
A far more common infection vector was Web-based attacks that exploited vulnerabilities in Oracle’s Java software framework or in Internet Explorer. The exploits were hosted on a variety of websites related to everything from reviews of technology products to discussions of Islamic Jihad. In addition to planting exploits on the websites, the attack code was also transmitted through ad networks. The wide range of exploit carriers may explain why so many of the machines Kaspersky observed reporting to its sinkholes were domain controllers, data warehouses, website hosts, and other types of servers. Equation Group, it seems, wasn’t infecting only end user computers—it was also booby-trapping servers known to be accessed by targeted end users.\r\n
Equation Group exploits are notable for the surgical precision exercised to ensure that only an intended target was infected. One Equation Group-written PHP script that Kaspersky unearthed, for instance, checked if the MD5 hash of a website visitor’s username was either 84b8026b3f5e6dcfb29e82e0b0b0f386 or e6d290a03b70cfa5d4451da444bdea39. The plaintext corresponding to the first hash is “unregistered,” an indication that attackers didn’t want to infect visitors who weren’t logged in. The second hash had yet to be deciphered. Update: it has now been cracked; see this brief.\r\n
“We could not crack this MD5, despite using considerable power for several weeks, which makes us believe [the plaintext username] is a relatively complex one,” Raiu said. “It definitely indicates that whoever is behind this username should not be infected by the Equation Group, [and] actually it shouldn’t even see the exploit. I would assume this is either one of the group members (a fake identity), one of their partners, or a known identity of a previously infected victim.”\r\n
The PHP script also took special care not to infect IP addresses based in Jordan, Turkey, and Egypt. Kaspersky observed users visiting the site who didn’t meet any of these exceptions, yet they still weren’t attacked—an indication that an additional level of filtering spared all but the most sought-after targets who visited the site.\r\n
An example of malicious PHP script Equation Group injected into hacked discussion forums. Credit: Kaspersky Lab\r\n
More recently, Kaspersky has observed malicious links on the site standardsandpraiserepurpose[.]com that looked like\r\n
standardsandpraiserepurpose[.]com/login?qq=5eaae4d[SNIP]0563\u0026rr=1\u0026h=cc593a6bfd8e1e26c2734173f0ef75be3\r\n
where the h value (that is, the text following the “h=”) appears to be an SHA1 hash. Kaspersky has yet to crack those hashes, but company researchers suspect they’re being used to serve customized exploits to specific people. The company is recruiting help from fellow white-hat hackers in cracking them. Other hashes include:\r\n
0044c9bfeaac9a51e77b921e3295dcd91ce3956a\r\n
06cf1af1d018cf4b0b3e6cfffca3fbb8c4cd362e\r\n
3ef06b6fac44a2a3cbf4b8a557495f36c72c4aa6\r\n
5b1efb3dbf50e0460bc3d2ea74ed2bebf768f4f7\r\n
930d7ed2bdce9b513ebecd3a38041b709f5c2990\r\n
e9537a36a035b08121539fd5d5dcda9fb6336423\r\n
The PHP exploit code also serves unique Web pages and HTML code to people visiting with iPhones, behavior that Kaspersky found telling.\r\n
“This indicates the exploit server is probably aware of iPhone visitors and can deliver exploits for them as well,” Kaspersky’s report published Monday explained. “Otherwise, the exploitation URL can simply be removed for these.” The report also said one sinkholed server receives visits from a large pool of China-based machines that identify themselves as Macs in the browser user agent string. While Kaspersky has yet to obtain Equation Group malware that runs on OS X, they believe it exists.\r\n
Six codenames\r\n
In all, Kaspersky has tied at least six distinct pieces of malware to Equation Group. They include:\r\n
EquationLaser: an early implant in use from 2001 to 2004.\r\n
DoubleFantasy: a validator-style trojan designed to confirm if the infected person is an intended target. People who are confirmed get upgraded to either EquationDrug or GrayFish.\r\n
EquationDrug: also known as Equestre, this is a complex attack platform that supports 35 different modules and 18 drivers. It is one of two Equation Group malware platforms to re-flash hard drive firmware and use virtual file systems to conceal malicious files and stolen data. It was delivered only after a target had been infected with DoubleFantasy and confirmed to be a target. It was introduced in 2002 and was phased out in 2013 in favor of the more advanced GrayFish.\r\n
GrayFish: the successor to EquationDrug and the most sophisticated of all the Equation Group attack platforms. It resides completely in the registry and relies on a bootkit to take hold each time a computer starts. Whereas EquationDrug re-flashed hard drives for six models, GrayFish re-flashed 12 classes of hard drives. GrayFish exploits a vulnerability in the CloneCD driver ElbyCDIO.sys—and possibly drivers of other programs—to bypass Windows code-signing requirements.\r\n
The VBR means Virtual Boot Record. It is a special area of the disk that is responsible for loading the operating system. The Pill is an injected piece of code (“blue pill”, “red pill” – Matrix references) that is responsible for hijacking the OS loading. It works by carefully altering the loading mechanism to include malicious code that the OS blindly “swallows.”\r\n
The BBSVC service is another GRAYFISH mechanism used when the Pill cannot be injected, for some unknown reason. It loads further stages of Grayfish at the time the OS starts. In essence, it’s a weaker mechanism than the pill, because it exposes one single malicious executable on the hard drive of the victims. This is why BBSVC is a polymorphic executable, filled with gibberish and random data to make it hard to detect. The platform kernel “fvexpy.sys” is one of the core components of Grayfish. It is designed to run in Windows kernel mode and provide functions for the platform components.\r\n
GrayFish is the crowning achievement of the Equation Group. The malware platform is so complex that Kaspersky researchers still understand only a fraction of its capabilities and inner workings. Key to the sophistication of GrayFish is its bootkit, which allows it to take extraordinarily granular control of the machines it infects.\r\n
“This allows it to control the launching of Windows at each stage,” Kaspersky’s written report explained. “In fact, after infection, the computer is not run by itself anymore: it is GrayFish that runs it step by step, making the necessary changes on the fly.”\r\n
Fanny: A computer worm that exploited what in 2008 were two zero-day vulnerabilities in Windows to self-replicate each time an infected USB stick was inserted into a targeted computer. The main purpose of Fanny was to conduct reconnaissance on sensitive air-gapped networks. After infecting a computer not connected to the Internet, Fanny collected network information and saved it to a hidden area of the USB drive. If the stick was later plugged in to an Internet-connected computer, it would upload the data to attacker servers and download any attacker commands. If the stick was later plugged into the air-gapped machine, the downloaded commands would be executed. This process would continue each time the stick was switched between air-gapped and Internet-connected machines.\r\n
TripleFantasy: A full-featured backdoor sometimes used in tandem with GrayFish.\r\n
Mistakes were made\r\n
No matter how elite a hacking group may be, Raiu said, mistakes are inevitable. Equation Group made several errors that allowed Kaspersky researchers to glean key insights into an operation that went unreported for at least 14 years.\r\n
Kaspersky first came upon the Equation Group in March 2014, while researching the Regin software that infected Belgacom and a variety of other targets. In the process, company researchers analyzed a computer located in the Middle East and dubbed the machine “Magnet of Threats” because, in addition to Regin, it was infected by four other highly advanced pieces of malware, including Turla, Careto/Mask, ItaDuke, and Animal Farm. A never-before-seen sample of malware on the computer piqued researchers’ interest and turned out to be an EquationDrug module.\r\n
Following the discovery, Kaspersky researchers combed through their cloud-based Kaspersky Security Network of exploits and infections reported by AV users and looked for similarities and connections. In the following months, the researchers uncovered additional pieces of malware used by Equation Group as well as the domain names used to host command channels.\r\n
Perhaps most costly to the attackers was their failure to renew some of the domains used by these servers. Out of the 300 or so domains used, about 20 were allowed to expire. Kaspersky quickly registered the domains and, over the past ten months, has used them to “sinkhole” the command channels, a process in which researchers monitor incoming connections from Equation Group-infected machines.\r\n
One of the most severe renewal failures involved a channel that controlled computers infected by “EquationLaser,” an early malware platform abandoned around 2003 when antivirus programs began to detect it. The underlying domain name remained active for years until one day, it didn’t; Kaspersky acquired it and EquationLaser-infected machines still report to it.\r\n
“It’s really surprising to see there are victims around the world infected with this malware from 12 years ago,” Raiu said. He continues to see about a dozen infected machines that report from countries that include Russia, Iran, China, and India.\r\n
Raiu said 90 percent or more of the command and control servers were closed last year, although some remained active as recently as last month.\r\n
The sinkholes have allowed Kaspersky researchers to gather key clues about the operation, including the number of infected computers reporting to the seized command domains, the countries in which these compromised computers are likely located, and the types of operating systems they run.\r\n
Another key piece of information gleaned by Kaspersky: some machines infected by Equation Group are the “patients zero” that were used to seed the Stuxnet worm so it would travel downstream and infect Iran’s Natanz facility.\r\n
“It is quite possible that the Equation Group malware was used to deliver the Stuxnet payload,” Kaspersky researchers wrote in their report.\r\n
Other key mistakes were variable names, developer account names, and similar artifacts left in various pieces of Equation Group malware. In the same way cat burglars wear gloves to conceal their fingerprints, attackers take great care to scrub such artifacts out of their code before releasing it. But in at least 13 cases, they failed. Possibly the most telling artifact is the string “-standalonegrok_2.1.1.1” that accompanies a highly advanced keylogger tied to Equation Group.\r\n
Another potentially damaging artifact found by Kaspersky is the Windows directory path of “c:\\users\\rmgree5” belonging to one of the developer accounts that compiled Equation Group malware. Assuming the rmgree5 wasn’t a randomly generated account name, it may be possible to link it to a developer’s real-world identity if the handle has been used for other accounts or if it corresponds to a developer’s real-world name such as “Richard Gree” or “Robert Greenberg.”\r\n
Kaspersky researchers still don’t know what to make of the 11 remaining artifacts, but they hope fellow researchers can connect the strings to other known actors or incidents. The remaining artifacts are:\r\n
SKYHOOKCHOW\r\n
prkMtx – unique mutex used by the Equation Group’s exploitation library (gPrivLibh)\r\n
“SF” – as in “SFInstall”, “SFConfig”\r\n
“UR”, “URInstall” – “Performing UR-specific post-install…”\r\n
“implant” – from “Timeout waiting for the “canInstallNow” event from the implant-specific EXE!”\r\n
STEALTHFIGHTER – (VTT/82055898/STEALTHFIGHTER/2008-10-16/14:59:06.229-04:00)\r\n
DRINKPARSLEY – (Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00)\r\n
STRAITACID – (VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00)\r\n
LUTEUSOBSTOS – (VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00)\r\n
STRAITSHOOTER – STRAITSHOOTER30.exe\r\n
DESERTWINTER – c:\\desert~2\\desert~3\\objfre_w2K_x86\\i386\\DesertWinterDriver.pdb\r\n
Hacking without a budget\r\n
The money and time required to develop the Equation Group malware, the technological breakthroughs the operation accomplished, and the interdictions performed against targets leave little doubt that the operation was sponsored by a nation-state with nearly unlimited resources to dedicate to the project. The countries that were and weren’t targeted, the ties to Stuxnet and Flame, and the Grok artifact found inside the Equation Group keylogger strongly support the theory that the NSA or a related US agency is the responsible party, but so far Kaspersky has declined to name a culprit.\r\n
Update: Reuters reporter Joseph Menn said the hard-drive firmware capability has been confirmed by two former government employees. He wrote:\r\n
A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.\r\n
Update: Several hours after this post went live, NSA officials e-mailed the following statement to Ars:\r\n
We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details. On January 17, 2014, the President gave a detailed address about our signals intelligence activities, and he also issued Presidential Policy Directive 28 (PPD-28). As we have affirmed publicly many times, we continue to abide by the commitments made in the President’s speech and PPD-28. The U.S. Government calls on our intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats – including terrorist plots from al-Qaeda, ISIL, and others; the proliferation of weapons of mass destruction; foreign aggression against ourselves and our allies; and international criminal organizations.\r\n
What is safe to say is that the unearthing of the Equation Group is a seminal finding in the fields of computer and national security, as important as, or possibly more important than, the revelations about Stuxnet.\r\n
“The discovery of the Equation Group is significant because this omnipotent cyber espionage entity managed to stay under the radar for almost 15 years, if not more,” Raiu said. “Their incredible skills and high tech abilities, such as infecting hard drive firmware on a dozen different brands, are unique across all the actors we have seen and second to none. As we discover more and more advanced threat actors, we understand just how little we know. It also makes us reflect about how many other things remain hidden or unknown.”\r\n
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.\r\n
Source: https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/"
	],
	"report_names": [
		"how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e09a7338-fb16-4e39-b579-c3bfc3140c47",
			"created_at": "2022-10-25T16:07:24.207294Z",
			"updated_at": "2026-04-10T02:00:04.899166Z",
			"deleted_at": null,
			"main_name": "Snowglobe",
			"aliases": [
				"ATK 8",
				"Animal Farm",
				"SIG20",
				"Snowglobe"
			],
			"source_name": "ETDA:Snowglobe",
			"tools": [
				"Babar",
				"Casper",
				"Chocopop",
				"Dino",
				"EvilBunny",
				"Nbot",
				"TFC",
				"Tafacalou"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9a58d7bb-dd32-41bc-804e-500ef7550cf8",
			"created_at": "2023-01-06T13:46:39.131811Z",
			"updated_at": "2026-04-10T02:00:03.2252Z",
			"deleted_at": null,
			"main_name": "ItaDuke",
			"aliases": [
				"DarkUniverse",
				"SIG27"
			],
			"source_name": "MISPGALAXY:ItaDuke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "548a4081-aa8f-4e2a-bcb3-0c9dfa61944f",
			"created_at": "2023-01-06T13:46:38.443779Z",
			"updated_at": "2026-04-10T02:00:02.977564Z",
			"deleted_at": null,
			"main_name": "SNOWGLOBE",
			"aliases": [
				"Animal Farm",
				"Snowglobe",
				"ATK8"
			],
			"source_name": "MISPGALAXY:SNOWGLOBE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434357,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb42fe2dbf0b6097876e81c75ddb71c787896b94.pdf",
		"text": "https://archive.orkl.eu/bb42fe2dbf0b6097876e81c75ddb71c787896b94.txt",
		"img": "https://archive.orkl.eu/bb42fe2dbf0b6097876e81c75ddb71c787896b94.jpg"
	}
}