Kaspersky Lab reports on EquationDrug, one of the main espionage platforms used by the Equation Group.
Nation-state sponsored cyberespionage attacks are becoming more sophisticated, targeting carefully defined users with complex, modular tools, and keeping well under the radar of increasingly effective detection systems, Kaspersky Lab experts have discovered.
Kaspersky Lab specialists found that, following the industry’s growing success in exposing advanced persistent threat (APT) groups, the most sophisticated threat actors now focus on increasing the number of components in their malicious platform in order to reduce their visibility and enhance stealth.
The EquationDrug platform now carries many plugin modules that let the operators select and perform a wide range of functions, depending on the target victim and the information that victim holds. Kaspersky Lab estimates that EquationDrug includes 116 different plugins.
Ways the nation-state attackers differentiate their tactics from traditional cybercriminals include:
Scale- Traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, while nation-state actors prefer highly targeted, surgical strikes, infecting just a handful of selected users.
Individual approach- While traditional cybercriminals typically reuse publicly available source code such as that of the infamous Zeus or Carberp Trojans, nation-state actors build unique, customized malware, and even implement restrictions that prevent decryption and execution outside of the target computer.
Extracting valuable information- Cybercriminals in general attempt to infect as many users as possible. However, they lack the time and storage space to manually check all the machines they infect and to analyze who owns them, what data is stored on them and what software they run, and then to transfer and store all potentially interesting data.
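The "restrictions that prevent decryption and execution outside of the target computer" mentioned under the individual approach are usually built by deriving the payload's decryption key from attributes of the intended host, so that the same encrypted blob is undecryptable on an analyst's machine. The following is an added illustration of that technique in generic form; it is not code from EquationDrug or from Kaspersky Lab's report, and the host attributes it keys on (hostname, volume serial, user SID) and the PBKDF2/HMAC construction are assumptions chosen for the example, not a description of how the Equation Group implemented it.

```python
import hashlib
import hmac
import os

# Assumed (hypothetical) host attributes; a real loader would read these from the OS.
def host_fingerprint(hostname: str, volume_serial: str, user_sid: str) -> bytes:
    """Canonicalise machine-specific attributes into a stable fingerprint."""
    return "|".join([hostname.lower(), volume_serial.upper(), user_sid]).encode()


def derive_key(fingerprint: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow KDF: brute-forcing plausible fingerprints costs the analyst one PBKDF2 run each."""
    return hashlib.pbkdf2_hmac("sha256", fingerprint, salt, iterations, dklen=32)


def _subkeys(key: bytes):
    """Separate encryption and authentication keys from one derived key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stdlib-only stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, fingerprint: bytes) -> dict:
    """Encrypt and authenticate a payload so it is only recoverable with this fingerprint."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(fingerprint, salt))
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(blob: dict, fingerprint: bytes):
    """Return the payload on the intended host, None anywhere else (loader stays inert)."""
    enc_key, mac_key = _subkeys(derive_key(fingerprint, blob["salt"]))
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong host: the tag check fails before any decrypted bytes are used
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


def demo() -> tuple:
    """Constructed scenario: the blob opens on the target and refuses on a sandbox."""
    payload = b"PLUGIN-STAGE-2 (constructed sample payload)"
    target = host_fingerprint("WS-ACC-07", "a1b2c3d4", "S-1-5-21-1-2-3-1001")
    sandbox = host_fingerprint("ANALYST-VM", "ffffffff", "S-1-5-21-9-9-9-500")
    blob = seal(payload, target)
    on_target = unseal(blob, target) == payload
    off_target_blocked = unseal(blob, sandbox) is None
    return on_target, off_target_blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The consequence for defenders is the one the article draws: a captured sample contains the salt, nonce and ciphertext but not the key, so the payload cannot be analysed unless the original host's attributes are known or can be guessed cheaply enough to brute-force through the KDF.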