
Is Equation Group malware a game changer for advanced attack defense?

Equation Group is one of the most advanced cyber-espionage actors out there, so how can the average enterprise defend against its attacks? Expert Nick Lewis explains.

Not only is announcing a new or high-profile attack at a security conference a way to gather significant attention, it may be necessary to get enterprises to take notice.

Kaspersky Lab's presentation, at the Kaspersky Security Analyst Summit in February 2015, on a longstanding advanced persistent threat and cyber-espionage actor called Equation Group, helped get attention for something many enterprises might ignore because they think there is little they can do about it: malware on hard-drive firmware. Enterprises may also assume they don't offer enough value for an attacker to spend such resources on trying to compromise their security.

Either way, the growth and advancement of malware is something enterprises should be aware of and know how to defend against.

In this tip, I'll cover what the Equation Group malware means to enterprises and the defenses that should be used to stop it.

Equation Group: The enterprise effect

While it's true that most enterprises are not at risk of Equation Group attacks given the high-value targets they seem to be after, more enterprises are at risk than one might realize. Kaspersky researchers, who believe the malware is a predecessor to the Stuxnet and Flame attacks, have seen multiple industries targeted by Equation Group since 2001, including government, mass media, transportation and financial institutions. And while many outlets have reported the Equation Group ceased operation, other actors may adopt similar tactics, putting many more at risk of becoming a victim.

Attackers today know to target the weakest link to get a toehold into a network; the Target breach, for example, used an HVAC vendor's credentials to compromise the credit card processing system. Identifying a high-value target can be difficult for an attacker and requires significant resources. However, in some cases, enterprises make it easy for attackers to identify business partners to potentially target. Using "open source" intelligence and social engineering techniques, malicious actors can effectively identify where to attack an enterprise or other high-value target.

The Equation Group malware attack started by compromising the firmware on hard drives from popular manufacturers, including Seagate, Western Digital, Toshiba, Maxtor and IBM. Hard drives -- and many other individual components used in a computer -- have their own firmware used for interfacing with the rest of a system's hardware and software. Firmware needs periodic updates as bugs are found, so customers are given update functionality. The Equation malware was installed on firmware prior to arriving at the target enterprise; pinpointing exactly where in the supply chain it happened is virtually impossible.

After the initial infection, attackers were able to collect data using a number of Trojans and worms that identified when a compromised system connected to a network that could reach the Internet. The worm then sent the data to the attacker's command-and-control systems.

The Equation Group also used a number of other highly sophisticated attack tactics, including using virtual file systems, encrypting malicious files and storing them in multiple parts of an infected registry, redirecting iOS and OS X devices, bridging airgaps and bypassing code-signing restrictions in Windows.

How to defend against advanced malware

Fortunately, most enterprises will not be attacked by malware as sophisticated as that used by the Equation Group. However, since malware will only advance in the future, enterprises would be well advised to prepare for such attacks.

Defending against firmware attacks should include strong supply chain security to ensure a system isn't compromised before it even arrives. Installing known good firmware and periodically testing firmware security is essential. The inner workings of a computer should also be examined and compared to a known secure system to help identify new circuits or electrical components. Power usage or radio frequency could even be monitored; however, these steps would require significant resources to operate.
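The "known good firmware" check above can be automated once an organization records the hash of each vendor image it has verified. The following is an added example, not the article's or any vendor's code: it compares a constructed drive inventory (host, model, reported firmware revision, dumped image bytes) against a constructed known-good manifest and reports drives on unknown models, unapproved revisions, or images whose hash does not match the approved image for the revision they claim. Model names, revisions and image bytes are placeholders; in practice the inventory would come from a tool that reads the drive's firmware revision and dumps the image for hashing.

```python
"""Compare drive firmware reported by hosts against a known-good manifest.

Added example (not from the article). All data below is constructed:
the manifest, the host inventory and the firmware image bytes are placeholders.
"""
import hashlib
from dataclasses import dataclass

# Constructed "golden" images; in reality these hashes are taken from the
# vendor's signed release and recorded when the image is first verified.
_GOLDEN_IMAGES = {
    ("ExampleVendor-HDD-1TB", "FW1.02"): b"golden firmware image 1.02 (placeholder bytes)",
    ("ExampleVendor-HDD-1TB", "FW1.03"): b"golden firmware image 1.03 (placeholder bytes)",
    ("ExampleVendor-SSD-512", "S2.10"): b"golden firmware image S2.10 (placeholder bytes)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good manifest: model -> {revision -> sha256 of the approved image}
KNOWN_GOOD = {}
for (model, version), image in _GOLDEN_IMAGES.items():
    KNOWN_GOOD.setdefault(model, {})[version] = sha256_hex(image)


@dataclass(frozen=True)
class DriveRecord:
    host: str
    model: str
    version: str   # revision string the drive reports about itself
    image: bytes   # firmware image dumped from the device


def check_drive(rec: DriveRecord):
    """Return (status, reason) for one drive."""
    versions = KNOWN_GOOD.get(rec.model)
    if versions is None:
        return ("unknown-model", f"{rec.model} not in manifest")
    expected = versions.get(rec.version)
    if expected is None:
        return ("unapproved-version", f"{rec.version} not approved for {rec.model}")
    # The drive's self-reported revision is not trusted on its own: the dumped
    # image must hash to the approved image for that revision.
    if sha256_hex(rec.image) != expected:
        return ("hash-mismatch", "image differs from known-good image for this revision")
    return ("ok", "matches known-good manifest")


def check_inventory(records):
    """Return only the drives that need attention, keyed by host."""
    findings = {}
    for rec in records:
        status, reason = check_drive(rec)
        if status != "ok":
            findings[rec.host] = (status, reason)
    return findings


# Constructed inventory: one clean drive, one reporting an approved revision
# string but carrying a modified image, one on an unapproved revision.
SAMPLE_INVENTORY = [
    DriveRecord("ws-01", "ExampleVendor-HDD-1TB", "FW1.03",
                _GOLDEN_IMAGES[("ExampleVendor-HDD-1TB", "FW1.03")]),
    DriveRecord("ws-02", "ExampleVendor-HDD-1TB", "FW1.03",
                _GOLDEN_IMAGES[("ExampleVendor-HDD-1TB", "FW1.03")] + b" tampered"),
    DriveRecord("ws-03", "ExampleVendor-SSD-512", "S1.99", b"unknown image"),
]

if __name__ == "__main__":
    for host, (status, reason) in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} - {reason}")
```

The point of hashing the dumped image rather than trusting the revision string is that a tampered image can report whatever revision it likes; the manifest ties each approved revision to exactly one image.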


Anything that has firmware or is controlled by a computer-like device can be compromised in an advanced malware attack. BIOS security got a lot of attention in April 2011 when NIST released its BIOS protection guidelines and highlighted the BIOS as another area where an attacker could implant undetectable malware. New BIOS malware research was presented at CanSecWest in March 2015 by Corey Kallenberg and Xeno Kovah to help increase the priority of BIOS security. Earlier this year, x86 processor firmware security was also called into question.

To mitigate hardware attacks, enterprises must keep all components with firmware patched and up to date. Organizations should also consider performing a threat assessment to determine areas that are susceptible to attacks by trusted partners. For example, if a trusted partner provides a preconfigured device for usage on a network that is connected prior to a security evaluation, an attacker could gain the first foothold into the target network. Enterprises may want to place these types of systems onto a limited part of the network to prevent them from being used to attack the rest of the network until they have been evaluated and deemed secure.

Enterprises with high security requirements should ensure partners and others accessing their systems have appropriate security in place, such as basic patching, monitoring and multifactor authentication. If security is uncertain, enterprises could design security controls that assume any system or user connecting to their network is compromised, such as using multifactor authentication to make it more difficult for an attacker to compromise a trusted account, or strong network segmentation to slow an attacker from finding other systems to use to attack an enterprise's network.

While it may be difficult for an enterprise to identify risky business partners, it is a critical step towards defending against advanced threats like the Equation Group malware. Few enterprises will have the proper resources to perform these types of assessments as standalone efforts, but integrating the assessments into their overall information security program could help minimize this effort.

Enterprises that have performed a threat assessment and determined their network is at risk of partner-based attacks may want to specifically monitor potentially troublesome connections and share this data with their partner to improve security.
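The limited network segment suggested above for unevaluated partner devices, and the monitoring of partner connections described here, can be combined into a simple detection. The following is an added example, not the article's code: it parses a few constructed firewall log lines and flags any device in a constructed partner-quarantine subnet that reaches an internal host outside the small set it is permitted to talk to, whether or not the firewall allowed the connection. The subnets, permitted destinations and log format are placeholders; a real deployment would take them from the firewall export and the segmentation policy produced by the threat assessment.

```python
"""Flag partner-quarantine devices reaching beyond their permitted segment.

Added example (not from the article). Policy, subnets and log lines are all
constructed placeholders.
"""
import ipaddress
import re

# Constructed policy: devices in the partner quarantine VLAN may only reach
# the evaluation jump host and the update proxy until they have been reviewed.
PARTNER_QUARANTINE = ipaddress.ip_network("10.50.0.0/24")
PERMITTED_DESTINATIONS = [
    ipaddress.ip_network("10.60.0.10/32"),   # evaluation jump host (constructed)
    ipaddress.ip_network("10.60.0.20/32"),   # patch/update proxy (constructed)
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<n> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    d["dport"] = int(d["dport"])
    return d


def is_violation(event):
    """True when a quarantined partner device talks to an internal host outside
    the permitted set. Denied attempts are reported too: a blocked probe from a
    device that should have no reason to look elsewhere is itself the signal."""
    if event["src"] not in PARTNER_QUARANTINE:
        return False
    if event["dst"] not in INTERNAL:
        return False   # Internet-bound traffic is governed by a separate egress policy
    return not any(event["dst"] in net for net in PERMITTED_DESTINATIONS)


def find_violations(lines):
    """Return (timestamp, src, dst, dport, action) for every violating line."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue   # malformed line; count these separately in production
        if is_violation(ev):
            alerts.append((ev["ts"], str(ev["src"]), str(ev["dst"]), ev["dport"], ev["action"]))
    return alerts


# Constructed sample log: one permitted update fetch, a denied then an allowed
# reach into a server subnet, an unrelated internal host, an external fetch,
# and a malformed line.
SAMPLE_LOG = """\
2015-06-01T10:00:00Z src=10.50.0.12 dst=10.60.0.20 dport=443 action=allow
2015-06-01T10:00:05Z src=10.50.0.12 dst=10.10.1.5 dport=445 action=deny
2015-06-01T10:00:09Z src=10.50.0.12 dst=10.10.1.5 dport=139 action=allow
2015-06-01T10:00:12Z src=10.20.3.4 dst=10.10.1.5 dport=445 action=allow
2015-06-01T10:00:15Z src=10.50.0.30 dst=192.0.2.10 dport=443 action=allow
garbage line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOG):
        print("partner segment violation:", alert)
```

Sharing the resulting alerts with the partner, as the paragraph above suggests, is easier when each record carries the source device, the destination and whether the firewall already blocked it.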


Attackers will always have the upper hand because they only need one foothold into a network to attack the rest of the soft underbelly of the enterprise.

Simply put, no organization can implement all security controls nor operate all of its systems in Faraday cages with no connections to the outside world, just as a computer buried in a cement hole in the ground isn't very usable.

Enterprises have -- potentially unknowingly -- accepted certain risks by using computers, risks that the benefits likely far outweigh. Enterprises will just need to monitor for new attack methods -- such as modifying the firmware -- to ensure their systems are sufficiently secure.

About the author:
Nick Lewis, CISSP, is a program manager for the Trust and Identity in Education and Research initiative at Internet2, and previously was an information security officer at Saint Louis University. Nick received Master of Science degrees in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002.


This was last published in June 2015
