Code name found in Equation malware suggests link to NSA

As security researchers continue to analyze malware used by a sophisticated espionage group dubbed the Equation, more clues surface that point to the U.S. National Security Agency being behind it.

In February, Russian antivirus firm Kaspersky Lab released an extensive report about a group that has carried out cyberespionage operations since at least 2001 and possibly even as far back as 1996. The report detailed the group’s attack techniques and malware tools.

The Kaspersky researchers have dubbed the group Equation and said that its capabilities are unrivaled. However, they didn’t link the group to the NSA or any other intelligence agency, despite similarities between its tools and those described in secret NSA documents leaked by Edward Snowden.

Kaspersky found code names like SKYHOOKCHOW, DRINKPARSLEY, LUTEUSOBSTOS, STRAITACID, STRAITSHOOTER in the malware used by the Equation group. While these were not a direct match to NSA code names known so far, they bear a striking resemblance to some of them.

A secret document leaked by Snowden and published by German news magazine Der Spiegel contains a list of project names from NSA’s Tailored Access Operations (TAO) division. The list includes names like SKYJACKBRAD, DRINKMINT and LUTEUSASTRO. According to a different document, the NSA has a malware implant called STRAITBIZZARE and refers to computers infected with it as QUANTUM shooters. It also has a program called FOXACID.

The Kaspersky researchers found an Equation malware component called “standalonegrok.” According to a December report in The Intercept, the NSA has a keylogger named GROK.

However, the most direct link came Wednesday, when Kaspersky Lab published a technical analysis of the main malware framework used by the Equation group. In the report, the company’s researchers revealed another code name recently found in the malware: BACKSNARF_AB25. The BACKSNARF code name is listed in the previously mentioned document about NSA TAO projects.

The malware platform, which was dubbed EquationDrug, has a modular architecture and resembles a mini operating system, the Kaspersky researchers said. So far 30 of its plug-ins have been found, but the platform might have more than 115 modules, each implementing different functionality.

Statistics based on compilation time stamps found in the EquationDrug samples collected so far suggest that its developers are working almost exclusively from Monday to Friday and are likely located in the UTC-3 or UTC-4 time zones, if we assume that they start work at 8 or 9 am. Time stamps in malware samples are not always reliable, because developers can alter them, but in the case of EquationDrug, the Kaspersky researchers believe they look “very realistic.”