{
	"id": "b708f259-d83a-44f6-98d6-a646039b5adf",
	"created_at": "2026-04-06T00:13:50.318524Z",
	"updated_at": "2026-04-10T03:29:45.378032Z",
	"deleted_at": null,
	"sha1_hash": "d8b14bfad056686a1ea970272247f31aaab3fba6",
	"title": "Equation Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 179086,
	"plain_text": "Equation Group\r\nBy Contributors to Wikimedia projects\r\nPublished: 2015-02-16 · Archived: 2026-04-05 18:06:46 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nEquation Group\r\nType: Advanced persistent threat\r\nProducts: Stuxnet, Flame, EternalBlue\r\nParent organization: National Security Agency, Signals Intelligence Directorate, Tailored Access Operations\r\nThe Equation Group, also known in China as APT-C-40,[1][2] is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA).[3][4][5] Kaspersky Labs describes them as one of the most sophisticated advanced persistent threats in the world and \"the most advanced (...) we have seen\", operating alongside the creators of Stuxnet and Flame.[6][7] Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali.[7]\r\nThe name originated from the group's extensive use of encryption. By 2015, Kaspersky documented 500 malware infections by the group in at least 42 countries, while acknowledging that the actual number could be in the tens of thousands due to its self-terminating protocol.[7][8]\r\nIn 2017, WikiLeaks published a discussion held within the CIA on how it had been possible to identify the group.[9] One commenter wrote that \"the Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools\" used for hacking.[10]\r\nAt the Kaspersky Security Analysts Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. According to Kaspersky Lab's report, the group has been active since at least 2001, with more than 60 actors.[11] The malware used in their operations, dubbed EquationDrug and GrayFish, was found to be capable of reprogramming hard disk drive firmware.[6] Because of the advanced techniques involved and high degree of covertness, the group is suspected of ties to the NSA, but Kaspersky Lab has not identified the actors behind the group.\r\nhttps://en.wikipedia.org/wiki/Equation_Group\r\nPage 1 of 5\r\nProbable links to Stuxnet and the NSA\r\nIn 2015 Kaspersky's research findings on the Equation Group noted that its loader, \"GrayFish\", had similarities to a previously discovered loader, \"Gauss\", from another attack series, and separately noted that the Equation Group used two zero-day attacks later used in Stuxnet; the researchers concluded that \"the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together\".[12]: 13\r\nThey also identified that the platform had at times been spread by interdiction (interception of legitimate CDs sent by a scientific conference organizer by mail),[12]: 15 and that the platform had the \"unprecedented\" ability to infect and be transmitted through the hard drive firmware of several major hard drive manufacturers, and create and use hidden disk areas and virtual disk systems for its purposes, a feat which would require access to the manufacturer's source code to achieve,[12]: 16–18 and that the tool was designed for surgical precision, going so far as to exclude specific countries by IP and allow targeting of specific usernames on discussion forums.[12]: 23–26\r\nCodewords and timestamps\r\nThe NSA codewords \"STRAITACID\" and \"STRAITSHOOTER\" have been found inside the malware. In addition, timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday–Friday in what would correspond to an 08:00–17:00 (8:00 AM - 5:00 PM) workday in an Eastern United States time zone.[13]\r\nKaspersky's global research and analysis team, otherwise known as GReAT, claimed to have found a piece of malware, Fanny, that contained Stuxnet's \"privLib\" in 2008.[14] Specifically it contained the LNK exploit found in Stuxnet in 2010. Fanny is classified as a worm that affects certain Windows operating systems and attempts to spread laterally via network connection or USB storage. Kaspersky stated that they suspect that the Equation Group has been around longer than Stuxnet, based on the recorded compile time of Fanny.[6]\r\nThe NSA's listing of its Tailored Access Operations program named IRATEMONK from the NSA ANT catalog.\r\nF-Secure claims that the Equation Group's malicious hard drive firmware is TAO program \"IRATEMONK\",[15] one of the items from the NSA ANT catalog exposed in a 2013 Der Spiegel article. IRATEMONK provides the attacker with the ability to have their software application persistently installed on desktop and laptop computers, despite the disk being formatted, its data erased or the operating system re-installed. It infects the hard drive firmware, which in turn adds instructions to the disk's master boot record that causes the software to install each time the computer is booted up.[16] It is capable of infecting certain hard drives from Seagate, Maxtor, Western Digital, Samsung,[16] IBM, Micron Technology and Toshiba.[6]\r\n2016 breach of the Equation Group\r\nIn August 2016, a hacking group calling itself \"The Shadow Brokers\" announced that it had stolen malware code from the Equation Group.[17] Kaspersky Lab noticed similarities between the stolen code and earlier known code from the Equation Group malware samples it had in its possession, including quirks unique to the Equation Group's way of implementing the RC6 encryption algorithm, and therefore concluded that this announcement is legitimate.[18] The most recent dates of the stolen files are from June 2013, thus prompting Edward Snowden to speculate that a likely lockdown resulting from his leak of the NSA's global and domestic surveillance efforts stopped The Shadow Brokers' breach of the Equation Group. Exploits against Cisco Adaptive Security Appliances and Fortinet's firewalls were featured in some malware samples released by The Shadow Brokers. EXTRABACON, a Simple Network Management Protocol exploit against Cisco's ASA software, was a zero-day exploit as of the time of the announcement. Juniper also confirmed that its NetScreen firewalls were affected.[20] The EternalBlue exploit was used to conduct the damaging worldwide WannaCry ransomware attack.\r\n2022 alleged Northwestern Polytechnical University hack\r\nIn 2022, an investigation conducted by the Chinese National Computer Virus Emergency Response Center (CVERC) and computer security firm Qihoo 360 attributed an extensive cyber attack on China's Northwestern Polytechnical University (NPU) to the NSA's Office of Tailored Access Operations (TAO),[2][21] compromising tens of thousands of network devices in China over the years and exfiltrating over 140GB of high-value data.[21] The CVERC alleged that the attack involved a \"longer period of preparatory work\", setting up an anonymized attack infrastructure by leveraging SunOS zero-days to compromise institutions with large network traffic in 17 countries, 70% of which neighbored China. Those compromised machines were used as \"springboards\" to gain access into the NPU by leveraging man-in-the-middle and spear-phishing attacks against students and teachers. The report also claims the NSA had used two cover companies, \"Jackson Smith Consultants\" and \"Mueller Diversified Systems\", to purchase US-based IP addresses that would later be used in the FOXACID platform to launch attacks on the university.[2][21]\r\nCVERC and 360 identified 41 different tools and malware samples during forensic analysis, many of which were similar or consistent with TAO weapons exposed in the Shadow Brokers leak. Investigators also attributed the attack to the Equation Group due to a mixture of attack times, human errors and American English keyboard inputs. Forensic analysis on one of the tools, called \"NOPEN\", which required human input, indicated that 98% of all attacks occurred during U.S. working hours, with no cyber-attacks being logged during weekends or during American holidays such as Memorial Day and Independence Day.[2]\r\nSee also\r\nGlobal surveillance disclosures (2013–present)\r\nUnited States intelligence operations abroad\r\nFirmware hacking\r\nReferences\r\n1. Ionut Arghire (21 February 2025). \"How China Pinned University Cyberattacks on NSA Hackers\". Security Week. Retrieved 10 May 2025.\r\n2. Lina Lau (18 February 2025). \"An inside look at NSA (Equation Group) TTPs from China's lense\". Retrieved 10 May 2025.\r\n3. Fox-Brewster, Thomas (February 16, 2015). \"Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'\". Forbes. Retrieved November 24, 2015.\r\n4. Menn, Joseph (February 17, 2015). \"Russian researchers expose breakthrough U.S. spying program\". Reuters. Retrieved November 24, 2015.\r\n5. \"The nsa was hacked snowden documents confirm\". The Intercept. 19 August 2016. Retrieved 19 August 2016.\r\n6. GReAT (February 16, 2015). \"Equation: The Death Star of Malware Galaxy\". Securelist.com. Kaspersky Lab. Retrieved August 16, 2016. “SecureList, Costin Raiu (director of Kaspersky Lab's global research and analysis team): \"It seems to me Equation Group are the ones with the coolest toys. Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.\"”\r\n7. Goodin, Dan (February 16, 2015). \"How \"omnipotent\" hackers tied to NSA hid for 14 years—and were found at last\". Ars Technica. Retrieved November 24, 2015.\r\n8. Kirk, Jeremy (17 February 2015). \"Destroying your hard drive is the only way to stop this super-advanced malware\". PCWorld. Retrieved November 24, 2015.\r\n9. Goodin, Dan (7 March 2017). \"After NSA hacking exposé, CIA staffers asked where Equation Group went wrong\". Ars Technica. Retrieved 21 March 2017.\r\n10. \"What did Equation do wrong, and how can we avoid doing the same?\". Vault 7. WikiLeaks. Retrieved 21 March 2017.\r\n11. \"Equation Group: The Crown Creator of Cyber-Espionage\". Kaspersky Lab. February 16, 2015. Retrieved November 24, 2015.\r\n12. \"Equation Group: Questions and Answers (Version: 1.5)\" (PDF). Kaspersky Lab. February 2015. Archived from the original (PDF) on February 17, 2015. Retrieved November 24, 2015.\r\n13. Goodin, Dan (March 11, 2015). \"New smoking gun further ties NSA to omnipotent \"Equation Group\" hackers\". Ars Technica. Retrieved November 24, 2015.\r\n14. \"A Fanny Equation: \"I am your father, Stuxnet\"\". Kaspersky Lab. February 17, 2015. Retrieved November 24, 2015.\r\n15. \"The Equation Group Equals NSA / IRATEMONK\". F-Secure Weblog : News from the Lab. February 17, 2015. Retrieved November 24, 2015.\r\n16. Schneier, Bruce (January 31, 2014). \"IRATEMONK: NSA Exploit of the Day\". Schneier on Security. Retrieved November 24, 2015.\r\n17. Goodin, Dan (August 15, 2016). \"Group claims to hack NSA-tied hackers, posts exploits as proof\". Ars Technica. Retrieved August 19, 2016.\r\n18. Goodin, Dan (August 16, 2016). \"Confirmed: hacking tool leak came from \"omnipotent\" NSA-tied group\". Ars Technica. Retrieved August 19, 2016.\r\n19. Pauli, Darren (August 24, 2016). \"Equation Group exploit hits newer Cisco ASA, Juniper Netscreen\". The Register. Retrieved August 30, 2016.\r\n20. \"西北工业大学遭美国NSA网络攻击事件调查报告（之一）\" (in Chinese). National Computer Virus Emergency Response Center. 5 September 2022. Retrieved 11 May 2025.\r\nExternal links\r\nEquation Group: Questions and Answers by Kaspersky Lab, Version: 1.5, February 2015\r\nA Fanny Equation: \"I am your father, Stuxnet\" by Kaspersky Lab, February 2015\r\nfanny.bmp source - at GitHub, November 30, 2020\r\nTechnical Write-up - at GitHub, February 10, 2021\r\nSource: https://en.wikipedia.org/wiki/Equation_Group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Equation_Group"
	],
	"report_names": [
		"Equation_Group"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8b14bfad056686a1ea970272247f31aaab3fba6.pdf",
		"text": "https://archive.orkl.eu/d8b14bfad056686a1ea970272247f31aaab3fba6.txt",
		"img": "https://archive.orkl.eu/d8b14bfad056686a1ea970272247f31aaab3fba6.jpg"
	}
}