At what point does your own government cross the line and become an evil state? This is what crossed my mind when I read the latest Kaspersky report on the Equation Group, which comes across like the bad guy in a current-generation James Bond film, except it appears tied to the U.S. This is a scary report, showcasing a blended set of attacks that are infecting an impressive 2,000 platforms a month and appear to span all current versions of Windows, the MacOS, and even iOS, as well as much of the world, including the U.S.
I mean, if you wanted to scare people away from both Microsoft and Apple, two of the country’s most successful tech companies, I can’t think of a better way than to create a super virus that compromised privacy and focused on Microsoft’s and Apple’s platforms.
Effectively, the Equation Group is the Google of malware. They go back as early as 1996 and have been putting out an impressive amount of technology across the gamut of keyloggers, Trojans, rootkits, and blends of all three.
The attack tools (that we know of) specifically include:
EquationDrug: A platform whose plugins can be dynamically loaded and unloaded. Also known as Equestre.
DoubleFantasy: A targeted Trojan that confirms the target and then uploads a more aggressive malware tool.
TripleFantasy: A powerful backdoor often used in conjunction with another malware tool.
GrayFish: A bootkit and the group's most powerful known offering, residing entirely in the registry.
Fanny: A computer worm that uses vulnerabilities first identified in Stuxnet.
EquationLaser: One of the earlier offerings, targeting older versions of Windows.
While Windows clearly has been the primary platform for the attacks, Kaspersky reported that it had tracked activity on both MacOS and iOS as well, suggesting that the attack surface is far broader. Taken together, this means that, depending on how long these attacks have truly been going on, somewhere between 1 and 10 million PCs worldwide have been compromised, and a significant subset are actively under the control of the malware authors.
The Bigger Problem
While it is theorized that the U.S. government is behind this attack, the bigger problem is that when militarized software becomes this widely distributed and known, other hostile entities can emulate or modify it and are motivated to do so given its success. It is likely that one or more breaches have already occurred as a result of this software, and that it could become a platform for a broad future breach by those wishing to use the control it provides for nefarious reasons.
Combined, this collective tool kit not only exposes the communications, IDs, passwords and files on compromised machines; it also allows those machines to be remotely controlled so that access appears to come from the authorized user rather than from the remote attacker. In short, what we have is the equivalent of a master key into millions of PCs and, given the nature of the tools, traditional anti-virus software is unable to either identify or remove it.
This Could Kill the U.S. Tech Market
This software is so difficult to identify, so comprehensive, and so dangerous that it would be easy to conclude that the only safe path would be to avoid all Microsoft and Apple products. Were the world market to agree with this assessment, it could kill much of the U.S. tech market because no one would want to take the risk by using a compromised platform.
However, this isn't a static attack. Changing platforms would simply shift the Equation Group's focus from Windows, MacOS and iOS to whatever platform its targets choose next, because the attackers clearly aren't going away.
Fear, uncertainty and doubt are a powerful set of perceptions, and this kind of malware spreads FUD like the plague, potentially doing billions of dollars of damage to the U.S. tech market.
Wrapping Up: The U.S. Is Becoming a Hostile State
Were we to attribute these attacks to China, Russia or Iran, we would have no trouble concluding that the behavior is both illegal and dangerous. Unless we are lost in hypocrisy, we have to also conclude that this behavior remains illegal and dangerous if anyone, including the U.S., carries it out. The only true fix is to outlaw this kind of software for everyone and go back to the standard of due process and legal warrants for private information access. This path is far too dangerous, both to the technology market in general and to U.S. interests in particular, and needs to stop regardless of who is doing it and why.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+