Researchers at the Russian cybersecurity firm Kaspersky have revealed more evidence that could tie the U.S. National Security Agency to the Equation Group, a band of hackers believed to be responsible for hundreds of hacking incidents in 42 countries. Kaspersky didn't directly accuse the NSA, but did say the group appeared to have help from a nation-state because they worked with the “sophistication of a space station.”
The Equation Group overwhelmingly worked Monday through Friday between 8 a.m. and 5 p.m. Eastern time and almost never on the weekends, according to timestamps published in a new Kaspersky report Wednesday. Kaspersky also discovered a string in code used by the Equation Group, “BACKSNARF_AB25.” That name bears a striking resemblance to the NSA's Tailored Access Operations project called “BACKSNARF,” laid out in an undated NSA slide presentation.
“It is clear that nation-state attackers are looking for better stability, invisibility, reliability and universality in their cyberespionage tools,” the report states.
“While traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, nation-states create automatic systems infecting only selected users. While traditional cybercriminals typically reuse one malicious file for all victims, nation-states prepare malware unique to each victim and even implement restrictions preventing decryption and execution outside of the target computer.”
Much of the information published in the Kaspersky report is highly technical, but it adds to a slew of evidence that seems to point to the NSA as the Equation Group's puppet master. Researchers have connected previous, seemingly unrelated disclosures to suggest the Equation Group placed malicious software on a CD-ROM in an attempt to infect a target, the same method the NSA has previously used, according to leaks from former NSA contractor Edward Snowden. Perhaps even more suspicious, the Equation Group has been accused of deploying zero-day vulnerabilities similar to the Stuxnet worm the NSA used against Iran.