Security Government United States

New Evidence Strengthens NSA Ties To Equation Group Malware

An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA's Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. "Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike."
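An added worked example of the timestamp analysis the summary describes (my code, not Kaspersky's or the article's). It takes build timestamps in UTC, drops implausible values (a zeroed stamp and a post-dated one, the kind of normalisation an author who did not want to leak working hours would apply), then for every fixed UTC offset counts how many stamps fall Monday to Friday inside a chosen workday and ranks the offsets. Fixed offsets are an assumption: DST moves the Eastern US between UTC-5 and UTC-4 over the year, so a real analysis would also bin by calendar date. The timestamps are constructed so that the bulk sits between 12:00 and 20:59 UTC on weekdays. The second ranking shows the limitation several commenters raise: an 8-17 day at UTC-4 and a 7-16 day at UTC-5 score identically, because the data pins down offset plus start hour, not either one alone.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of UTC build timestamps (hypothetical, not from the
# Equation Group binaries): sixteen fall 12:00-20:59 UTC on weekdays, one on
# a Saturday, one at 03:10 UTC, plus a zeroed and a post-dated value.
SAMPLE_UTC = [
    "2014-03-03T12:15:00", "2014-03-03T15:40:00", "2014-03-04T13:05:00",
    "2014-03-04T19:50:00", "2014-03-05T12:30:00", "2014-03-05T16:10:00",
    "2014-03-06T14:45:00", "2014-03-06T20:20:00", "2014-03-07T13:55:00",
    "2014-03-07T18:30:00", "2014-03-10T12:05:00", "2014-03-11T17:25:00",
    "2014-03-12T15:00:00", "2014-03-13T20:45:00", "2014-03-14T14:15:00",
    "2014-03-17T13:30:00",
    "2014-03-08T14:00:00",   # Saturday
    "2014-03-12T03:10:00",   # middle of the night for any US offset
    "1970-01-01T00:00:00",   # zeroed / normalised stamp
    "2031-06-15T13:00:00",   # post-dated stamp
]

# Plausibility window (assumption): nothing before 2000, nothing after the
# date the report was discussed. Stamps outside it are treated as faked.
PLAUSIBLE_LO = datetime(2000, 1, 1, tzinfo=timezone.utc)
PLAUSIBLE_HI = datetime(2015, 3, 11, tzinfo=timezone.utc)


def parse_utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def load_samples(raw=SAMPLE_UTC):
    """Parse the stamps and drop any outside the plausible window."""
    stamps = [parse_utc(s) for s in raw]
    return [d for d in stamps if PLAUSIBLE_LO <= d <= PLAUSIBLE_HI]


def score_offset(stamps, offset_hours, start=8, end=17):
    """Count stamps that land Mon-Fri within [start, end) local time once
    every stamp is shifted by a fixed UTC offset (DST ignored, see lead-in)."""
    hits = 0
    for d in stamps:
        local = d + timedelta(hours=offset_hours)   # timedelta keeps weekday rollover correct
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits


def rank_offsets(stamps, start=8, end=17, offsets=range(-12, 15)):
    """Rank fixed UTC offsets by how well each explains a start-end workday."""
    scored = [(off, score_offset(stamps, off, start, end), len(stamps)) for off in offsets]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def weekday_profile(stamps, offset_hours):
    """Local-weekday histogram for a chosen offset (the Mon-Fri pattern)."""
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    return Counter(names[(d + timedelta(hours=offset_hours)).weekday()] for d in stamps)


if __name__ == "__main__":
    stamps = load_samples()
    print(f"{len(stamps)} plausible stamps of {len(SAMPLE_UTC)}")
    for start, end in ((8, 17), (7, 16)):
        print(f"{start:02d}:00-{end:02d}:00 workday -> top offsets {rank_offsets(stamps, start, end)[:3]}")
    print("weekday profile at UTC-4:", dict(weekday_profile(stamps, -4)))
```

Run it with python3 and compare the two rankings: the top score is the same 16 of 18 in both, once at UTC-4 and once at UTC-5. Only an independent anchor (a DST transition visible in the data, a holiday calendar, a known build machine) separates the two.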
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    I am glad our best and brightest are better than their best and brightest... keeping us safe from cyber-terrorism is a huge priority.

    • Except we're getting caught and they aren't.

      Who's cool now?

    • by plopez ( 54068 )

      Seriously this is sloppy work. Esp. if the dates and ties also correlate to Federal holidays. Haven't they ever heard of scheduled build jobs? Pick a random time in a 24 hour range. Also make sure to cover weekends and holidays.

  • by JoeyRox ( 2711699 ) on Wednesday March 11, 2015 @09:35AM (#49233293)
    Seems like very weak evidence to me, and certainly not a "smoking gun" claimed in the referenced article.
    • by Bonzoli ( 932939 )
      I expect some chechen rebels to confess to helping the NSA very soon. Smoking gun, a snow plow, and a pretty girl.
    • Re: (Score:2, Informative)

      by ve3oat ( 884827 )
      Unless I am mistaken, the Washington, USA, area runs on UTC-5 when on Eastern Standard Time and UTC-4 when on Eastern Daylight Time; never UTC-3 unless someone is working very early hours. So it seems like weak evidence indeed!
      • I was about to say the exact same thing, only Newfoundland and a few Caribbean islands are UTC -3. It was those Canuckistanis, I tell you.

      • ...never UTC-3 unless someone is working very early hours. So it seems like weak evidence indeed!

        AFAIK working early doesn't change your timezone, unless you're a pilot or long-distance driver (if it did I probably would have lapped my office a few times by now).

        UTC-3 seems to only cover part of Greenland and Brazil, both well-known hotbeds of hacker activity. I suspect that the timezone information is as accurate as info found in random strings in the malware (BACKSNARF_AB25: darn it, time to change the combination on my luggage again...).

      • by StikyPad ( 445176 ) on Wednesday March 11, 2015 @10:17AM (#49233711) Homepage

        What the summary said was that the timestamps are consistent with an 8-5 day in those time zones, not that the timestamps came from those timezones. Timestamps aren't UTC anything -- they're milliseconds since epoch (generally), and the OS converts on the fly when displaying. I can't speak for the NSA, but core hours are 10-3 for many government workers, and many people go in to the office early to beat traffic. Also, the NSA is under the DoD, and DoD tends to get an early start. All of that is consistent with what one would expect to see.

        And to address the GP, the odds of finding a string that matches a codeword, especially a unique codeword, are very slim. Probably millions to one. You're not going to find, say, "XKEYSCORE" in Microsoft or Apple source code. That's the most convincing evidence -- the timestamp stuff is just icing.

        I expect to see future exploits released with standardized timestamps and obfuscated strings.

        • by clonehappy ( 655530 ) on Wednesday March 11, 2015 @10:39AM (#49233945)

          You're not going to find, say, "XKEYSCORE" in Microsoft or Apple source code.

          Ha, are you really sure about that?

        • by tlhIngan ( 30335 )

          What the summary said was that the timestamps are consistent with an 8-5 day in those time zones, not that the timestamps came from those timezones. Timestamps aren't UTC anything -- they're milliseconds since epoch (generally), and the OS converts on the fly when displaying. I can't speak for the NSA, but core hours are 10-3 for many government workers, and many people go in to the office early to beat traffic. Also, the NSA is under the DoD, and DoD tends to get an early start. All of that is consistent w

          • by Gavagai80 ( 1275204 ) on Wednesday March 11, 2015 @11:11AM (#49234273) Homepage

            I mean, are the only software developers who work normal business hours on normal workdays in the Eastern timezone all working for the NSA?

            Very few regular businesses in the eastern USA hire hackers to attack others, so most hackers have much more varied time allocations reflecting that they do it after work / on weekends or are unemployed. The hours strongly suggest employees, so what other employer seems likely to you?

          • XKEYCODE can be found in a very large OSS software package and was there before the NSA even imagined using the letters for themselves.

        • Seems to me that the odds a hacker group would intentionally embed a codeword attributed to another hacker organization to cover his tracks are higher than the odds that the NSA accidentally embedded the same strings in multiple exploits. That's on a relative odds basis. On an absolute basis the odds for either seem rather low and thus IMO the evidence in the article is still very weak.
        • ... Unless it was put there on purpose, to mislead you into thinking ... it was the NSA.

          Seriously, this takes 0 work to make it appear to be the NSA, a 5 minute script could do this to anything, based on the minute level of detail you seem to think is sufficient.

      • by Nyder ( 754090 )

        Unless I am mistaken, the Washington, USA, area runs on UTC-5 when on Eastern Standard Time and UTC-4 when on Eastern Daylight Time; never UTC-3 unless someone is working very early hours. So it seems like weak evidence indeed!

        Funny how this is weak evidence, but stuff like this is what they used to say North Korea hacked Sony.

    • Well, the US was quite happy to claim that the coding style was similar so the North Koreans hacked Sony, so they've set the bar so low for what "smoking guns" are going to be.

    • by Anonymous Coward

      It includes the name of the program, as known from the Snowden documents, so its a SIGNED CONFESSION.

  • Scenario (Score:4, Interesting)

    by koan ( 80826 ) on Wednesday March 11, 2015 @09:39AM (#49233331)

    Hypothetical Scenario: I work as a coder for the NSA, I work with an extremely talented group, we code the latest, most aggressive malware available.

    We make the Russians look like Girl Scouts.

    How much do you think they pay me?

    How much could I make selling the stuff I code at the NSA to various "businesses".

    Does anyone in that position believe in nationalism?

    • by mwvdlee ( 775178 )

      How much will you be dead and unable-to-ever-be-buried if the NSA finds out?

      • Re:Scenario (Score:4, Funny)

        by koan ( 80826 ) on Wednesday March 11, 2015 @09:54AM (#49233453)

        As much as Snowden is.

      • Assuming the NSA finds out. If you're the best the NSA has, and you know all their systems because you're the guy who's basically the NSA, who exists to find you?

        Snowden was the guy. He didn't get caught until he outed himself to give the leaks credibility. Of course if he was doing espionage he just would have kept his mouth shut and accepted money.

        What is more likely, is that NSA contractors have jobs moonlighting for large corporations as intelligence officers and simply use NSA resources at work for their c

    • Re:Scenario (Score:5, Insightful)

      by StikyPad ( 445176 ) on Wednesday March 11, 2015 @10:24AM (#49233773) Homepage

      How much do you think they pay me?

      You can look at the careers on their website. Exploit Engineer pays $64,923 to $96,931. I'm sure that matches up with a GS payscale number somewhere, but I'm too lazy to map it.

      How much could I make selling the stuff I code at the NSA to various "businesses".

      Not much, or at least not for very long. You can bet your ass you sign an ironclad NDA, and if anyone's going to know whether you violated that, it's the NSA.

      Does anyone in that position believe in nationalism?

      Most of them, yes. Employment is actually pretty competitive, and people don't become government employees for the money. Job security, maybe, but the money is usually below average.

      • Actually the money is usually above average [cnn.com].
        • by plopez ( 54068 )

          only because the private sector average is eroding rather rapidly. It was at one time higher pay in the private sector but thanks to 30 years of economic policy that has changed.

        • Compared to the average person in the USA, maybe.

          Compared to the average person in your same field, with your same skills, as an expert coder/hacker/etc? Not even close.

          Federal jobs are great if you're a lower skilled worker, whether office or otherwise (although good luck getting those jobs, as many of the ones the government used to have are now contracted out to save money). The higher your skills, and the more in demand your position, the worse the pay disparity with your counterparts in the private se
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Does anyone in that position believe in nationalism?

        If I didn't believe that most of them do, I wouldn't be so frightened.

        There's no one capable of doing more evil than those who sincerely believe that they're doing good.

      • Sorry guys, I will never use the word "hacker" again now that they are officially called "Exploit Engineers".
      • by HiThere ( 15173 )

        At a guess:
        Almost ALL of them start out believing fervently in US nationalism. Then they spend a few decades in internal bureaucracy and become both cynical and disgusted. Some of them become more disgusted, and others become more cynical.

    • Re:Scenario (Score:5, Insightful)

      by Noryungi ( 70322 ) on Wednesday March 11, 2015 @10:57AM (#49234121) Homepage Journal

      My dear friend, you do not understand how these things work.

      You work at NSA, you are always using the latest, newest, biggest, baddest, sweetest technology ever devised by men [nsa.gov]. You literally have computer companies begging you to buy their stuff. For a lot of these people (heck, that may even include me) that is motivation enough.

      AND, if you are discreet about it, you can even be privy to potentially very lucrative [buzzfeed.com] a lot of state secrets [theguardian.com]. Or even personal secrets, who knows? [pcworld.com]. Obviously, if Snowden gave us something, it is the knowledge that NSA is not very good at information compartmentalization...

      But here is the kicker: if you ever decide to leave the NSA, for retirement or otherwise, the private sector (at least the US private sector [bloomberg.com]) will greet you with open arms and pay you a sh*tload of money to work as a consultant or senior manager [cryptome.org]. And we are talking about a SH*TLOAD of money, conflict of interests be damned [bloomberg.com]. You are now one of the big boys, kid, enjoy your (semi-)retirement.

      No need to betray US interests, no need to reveal super secret information: you are NSA. You are above the law. Just leave your morals at the door, please.

      • by koan ( 80826 )

        You don't have the clearance for this thread.

      • by plopez ( 54068 )

        The best hardware, leanest algorithms, most interesting problems, and probably the only group of people within 200 miles that gets your jokes.

  • by Anonymous Coward

    Do me a favour. Spooks putting strings identifying their top secret programme by name into malware? Jesus Christ you people are gullible.

    • by mwvdlee ( 775178 )

      I was thinking just about the same thing.
      Why don't hackers call their projects "8d 7d 6c 05" or "33 02 ba 9c" in source code constants?
      Why would they even include any non-essential things in the code at all?

      • I was thinking just about the same thing.
        Why don't hackers call their projects "8d 7d 6c 05" or "33 02 ba 9c" in source code constants?
        Why would they even include any non-essential things in the code at all?

        Remember the Nimda virus? (That's "admin" backwards.)

        NIMDA was a polymorphic plague of a virus that hit our network right after 9/11/2001.

        It would write itself all over every file on the disk drive until the drive was full and everything came to a screeching halt. It exploited the NT web service that was active by group policy default on client boxes with NT and or Win 2000. Anyway, our software engineers looked inside the Nimda.dll and there was some jihad "Death to America, Death to Israel" crap comme

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      > Do me a favour. Spooks putting strings identifying their top secret programme by name [...]

      The alternative is thrilling too: malware authors knowing the names of top-secret NSA programmes (I assume this malware was hacked together pre-Snowden)? Hmmm.

      I don't know the name of the razor to apply here. But it's a hell of a razor, for sure.

    • by Bonzoli ( 932939 )
      Kind of like a PhD student security programmer accidentally putting Heartbleed in in the middle of Xmas, when it was automagically accepted into ssh code, because we do not teach bounds checking to PhD students.
      Hope and Belief.
  • by wiredlogic ( 135348 ) on Wednesday March 11, 2015 @09:51AM (#49233435)

    If they don't bother to change the timestamps to 03/13/37.

    • by SQLGuru ( 980662 )

      Because there's no month 13 (in the Julian calendar) and no day 37 (again, Julian) and I would suspect a lot of hackers don't use the mm/dd/yy notation but the yy/mm/dd notation.

    • by plopez ( 54068 )

      why not 6/31/xxxx ? or 316xxxx

      That would give the security guys a headache.

  • Rats hoisted by their own profiling petard.

  • Maybe someone needs to look up just what parts of the world actually use UTC-0300 [wikipedia.org].

    • So, you work at a government contractor on the East Coast (VA/DC/MD anyone...nah no gov't contractors there). These type of workers start early AM, before most people are awake for the day. 7-8 AM start times are not unheard of. This would coincide with what? A 9-5 workday in UTC-0300 or UTC-0400 you say? No, can't be. The people writing the article really, truly meant the elite uber-hackers of Greenland and Nova Scotia.

      • by Minwee ( 522556 ) <dcr@neverwhen.org> on Wednesday March 11, 2015 @11:35AM (#49234519) Homepage

        "[...] modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones"

        When writing an article of this sort your goal should be to _explain your position_, not to create a math problem which, if solved in the correct manner, suggests what your position could be. If the authors wanted to point to a 7-3 work day in UTC-5, they should have simply said so instead of going out of their way to state something quite different.

        It's not hard.

        Here, it could look something like this:

        "[...] modification timestamps were almost always consistent with a 7-3 workday in the US Eastern timezone (UTC-5), allowing for standard Daylight Savings changes as observed in Virginia, DC and Maryland"

        It should not look like this:

        "[...] modification timestamps were almost always consistent with an 8 PM - 5 AM workday in the UTC+9 time zone, showing that this was clearly the work of North Koreans with insomnia"

        Do you see the difference?

  • by Anonymous Coward

    If you remember when some agent broke into a Linux source repository and added a disguised backdoor attack?

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))   /* note the single '=': this assigns uid 0 (root) to the caller instead of testing for it */
                    retval = -EINVAL;

    https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/

    Effectively letting them get root, if they passed those flags into the wait4 call.

  • Our NSA had damn well be better than Putin's and LiKeqiang's or all of us in the US are going to be irretrievably harmed.

  • 1. Fake the time stamps to look like eastern US
    2. Add a well known NSA project name to the code
    3. "Leak" information about these issues.
    4. Profit

    Could this information be a plant to point the finger at the NSA?

  • by Anonymous Coward

    Wasn't the US government condemning the hack of Sony pictures and instituting economic sanctions based on some shaky evidence that North Korea was involved? I wonder what actions the 42 plus countries that have been infected with Equation Group malware should take against the US government.

  • From the article: "Assuming they worked a regular 8 to 5 workday, the timestamps show the employees were likely in the UTC-3 or UTC-4 time zone, a finding that would be consistent with people working in the Eastern part of the US."

    Neither UTC -03:00 nor UTC -04:00 are associated with the Eastern US.

    UTC -03:00 is associated with: Buenos Aires, Montevideo, São Paulo

    UTC -04:00 is associated with: Santiago, La Paz, San Juan de Puerto Rico, Manaus, Halifax

    UTC -05:00, however, is however, associated with Eas

  • If I'm good enough to write a sophisticated and successful piece of malware, maybe I could change the time stamps and plant some not-so-secret codeword in order to trick people into thinking it was created by my adversary. ("False flag.")
  • For a largish project I would suspect that the release builds are run over night, CI builds during the work day.

  • Are they so lame and stuffy that they would not cover their butts?
