Kasperspy vs. Equation Group: Private Corporate Security Links Malware to NSA


In a story that is abstract, hard to grasp and comprised of details and names science fiction writers might be jealous of, Kasperspy is finally able to point an indirect but definite finger at the NSA.

Last Monday, February 16th, at Kasperspy’s  Security Analyst Summit, Kaspersky security researchers were finally prepared to present their findings linking the 15 year old NSA handle, “Equation Group”, to hundreds of files including plug-ins and upgraded variations going back fifteen years. Kasperspy operatives were initially able to identify the nls_933w.dll module by correlating a list of hard drive vendors in part of the code with a list of hardware commonly infected by a piece of code identified five years ago, dubbed the  nls_933w.dll module.

The nls_933w.dll module was very likely written by the same people who worked on the equally ubiquitous malware of initially baffling origin, Stuxnet. If you follow this sort of security news you may have read about stuxnet before. In both cases, this type of malware remains dormant unless called upon by an autonomous piece of code to stop hibernating and perform an unknown set of actions. It’s notoriously difficult to reverse engineer these complex pieces of code.

Vitaly Kamluk is the voicebox for Kaspersky Lab’s Global Research and Analysis Team. He gave the now week-old-but-already-infamous talk, offering several long-coming answers to questions anyone interested in high-level cyber security have been otherwise fruitlessly asking for years. Kamluk explained that the module is in many ways the “ultimate cyberattack tool”. It’s possibly the crowning achievement of the so-called Equation Group. He explained how the available evidence implies Equation group is about 15-years-old and gave detailed reasons why the malware is evidence that the same group responsible for the nls_933w.dll module  must have had confident and confidential knowledge of Stuxnet and Flame.Personally, I have trouble vetting the information to verify Kasperspy’s accusation, and it is difficult to link Equation Group to the NSA. This is the nature of information warfare, though; the people who are great at concealing intentions and information are going to be shrouded in mystery even after someone is able to accuse them. What makes Kasperspy vs. Equation Group so noteworthy is that a private security firm seems to have the clearest understanding of cyberwarfare, out of everyone who has the guts to openly discuss such a formidable potential enemy. Equation Group is known to be behind several security operations of dubious benefit to anyone other than the United States, with targets including the most-feared zero-day exploits that can literally ruin computers, including systems that are running critical military or utility functions for states. Equation Group has been accused without concrete proof of espionage against increasingly sensitive targets. The current list of victims includes governments, energy companies, embassies, telecoms and many other entities, mostly based in Russia, Syria, Iran and Pakistan.

The targets imply Equation Group is acting on behalf of US interests but until people know the endgame of such security violations or the true identity of Equation, there are more questions than answers – probably by design.

Read more about the internet:

World Cyberwar: Six Internet News Stories in 2015 Blur the Line Between Sci Fi and Reality

Jonathan Howard
Jonathan is a freelance writer living in Brooklyn, NY

comments