Equation Group - NSA spyware on hard disks. Announced by Kaspersky, Feb 2015.
See: Archives\__Tech_Info\__Software_ref\__Computer_security\20160816_NSA_malware_scripts

20150216
http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage
Equation Group: The Crown Creator of Cyber-Espionage

https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
Equation: The Death Star of Malware Galaxy
By GReAT on February 16, 2015. 6:55 pm

https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

======================================================================================
EQUATION Group - hard disk firmware trojan. Very clearly from the NSA
---------------------------------------------------------------------

20150218
http://russia-insider.com/en/business_opinion_society/2015/02/17/3575
Russian Researchers Expose US Spying Program
Russian researchers have exposed a secretive NSA cyber-espionage program

http://sputniknews.com/us/20150217/1018397423.html
Western Digital Claims to Be Unaware of Alleged NSA Spy Program

http://www.pcworld.com/article/2884952/equation-cyberspies-use-unrivaled-nsastyle-techniques-to-hit-iran-russia.html
Destroying your hard drive is the only way to stop this super-advanced malware
Kaspersky’s most striking finding is Equation’s ability to infect the firmware of a hard drive, or the low-level code that acts as an interface between hardware and software. The malware reprograms the hard drive’s firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS doesn’t affect it, and the hidden storage sector remains.
“Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, in a phone interview Monday.

http://www.cbc.ca/news/technology/nsa-hid-spying-software-in-hard-drive-firmware-report-says-1.2959252
NSA hid spying software in hard drive firmware, report says
The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives. That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.
Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

http://www.dailymail.co.uk/news/article-2956058/Russian-researchers-expose-breakthrough-U-S-spying-program.html
Russian researchers expose 'NSA's secret weapon': Outrage at program that enables America to spy on EVERY home computer in the world is uncovered
The NSA began infecting computers in 2001 claims Kaspersky, ramping up their efforts in 2008 when President Barack Obama was elected.
WRH: The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.

http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/
A Fanny Equation: "I am your father, Stuxnet"
Back in 2010, very few people paid much attention to a piece of malware that used the LNK exploit prior to Stuxnet. Zlob is a large malware family and these kinds of crimeware-grade samples are rarely of interest to researchers digging into zero-days and nation-state sponsored operations. However, during our 2014 research into the Equation group, we created a special detection for the group's exploitation library, codenamed "PrivLib". To our surprise, this detection triggered a worm from 2008 that used the Stuxnet LNK exploit to replicate, codenamed Fanny.
So, the reason the NSA doesn't hunt down and find the cyber criminals is that the NSA happen to BE the cybercriminals!

http://arstechnica.com/security/2015/02/password-cracking-experts-decipher-elusive-equation-group-crypto-hashes/
Password cracking experts decipher elusive Equation Group crypto hash
Shortly afterward, Steube and Schmidt cracked the hash. Blocking attacks against visitors bearing the username unregistered is an indication that attackers didn't want to infect visitors who weren't logged in. Instead, the attackers appear to have had specific users in mind.
WRH: And the use of the Arabic version of "unregistered" tells us who the intended targets were.
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
Kaspersky researchers have documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list. Because of a self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total; the actual number of victims likely reaches into the tens of thousands.

http://www.theinquirer.net/inquirer/news/2395638/kaspersky-fingers-nsa-style-equation-group-for-hard-drive-backdoor-epidemic
Kaspersky fingers NSA-style Equation Group for hard drive backdoor epidemic
RUSSIAN SECURITY FIRM Kaspersky has exposed what looks like evidence of backdoor surveillance by the US National Security Agency (NSA). Kaspersky researchers claim to have uncovered one of the biggest, if not the biggest, threat actor that it has seen in two decades. The security firm has dubbed this outfit the Equation Group, and its toolbox 'the Death Star of the Malware Galaxy', and explained that the tools of its trade have hallmarks and themes similar to those of Stuxnet.

http://www.tomshardware.com/news/kaspersky-equation-group-cyber-threat,28573.html
Kaspersky Says 'The Equation Group' Is A Unique And Dangerous Threat

http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/
http://uk.reuters.com/article/2015/02/17/uk-usa-cyberspying-idUKKBN0LK1QP20150217

http://investmentwatchblog.com/nsa-trojan-firmware-widespread-u-s-international-tech-reputation-may-suffer-tech-privacy-has-been-a-myth-a-new-stone-age-beckons/
NSA Trojan Firmware Widespread, U.S. International Tech Reputation May Suffer. Tech Privacy has Been a Myth. A New Stone Age Beckons

Direct from Kaspersky
---------------------
http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage (BEST SUMMARY)
Equation Group: The Crown Creator of Cyber-Espionage

20150216
https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
Kaspersky: To learn more about the Equation Group, please read the blog post available at Securelist.com.

https://blog.kaspersky.com/equation-hdd-malware/
Indestructible malware by Equation cyberspies is out there – but don’t panic (yet)

20150312
http://sputniknews.com/news/20150312/1019370052.html
Researchers from the Russia-based cybersecurity group Kaspersky Lab have uncovered more evidence tying the United States’ National Security Agency to a shadowy group of hackers.

======================================================================================
20160817 The NSA Malware leak. Related, as it seems to have been obtained by hacking the Equation Group.
See: __Computer_security\_Malware\20150216_Equation_group

http://cryptome.org/
2016-1458.pdf  DNI: Sec For Protecting Domestic Spy Facilities       August 18, 2016
2016-1457.zip  EQGRP Auction Files Alleged NSA Malware               August 17, 2016 (248MB) <---------
2016-1456.jpg  Snowden Tweets on Alleged NSA Malware Hack            August 16, 2016
2016-1455.zip  Guccifer 2 Hacks DCCC Florida Primaries for #MAGA     August 16, 2016 (18MB)
2016-1454.zip  NSA Malware Scripts via WikiLeaks                     August 15, 2016 <---------
2016-1453.pdf  Diane Roark Files Returned, with Exceptions           August 15, 2016
2016-1452.pdf  DoD Spying on US Persons Factsheet                    August 13, 2016
2016-1451.zip  Guccifer 2 Hacks DCCC for #MAGA                       August 13, 2016

I've been curious about the recent NSA Equation Group hack. As normal, today I can dl files with no problem from cryptome. EXCEPT today that 2016-1457.zip one. No response, times out, etc. So tried it via TOR browser. It's coming in fine, 130Kbits/s. Interesting. Someone doesn't like that file.
Saved in E:\Caches\tor
File is corrupted, but mostly extracts.
EQGRP-Auction-Files_1.zip

20160819 Tried again, cryptome direct dl working. File is intact:
EQGRP-Auction-Files.zip
This one also has some explanatory text, and keys for the auction teaser files. The main auction fileset is still encrypted.

20160819
http://www.zerohedge.com/news/2016-08-16/edward-snowden-explains-historic-nsa-hack-escalation-could-get-messy-fast

http://www.quickleak.se/KwDmmf9R
THE NSA HACKING TOOLS HAVE BEEN DECRYPTED!!! EQGRP-AUCTION.rar
http://www7.zippyshare.com/v/Ts54bb2p/file.html
EQGRP-AUCTION.rar decrypted
Didn't try these yet. Smells like poison click bait.