Purported CIA documents leaked Tuesday appear to confirm that the U.S. National Security Agency and one of CIA’s own divisions were responsible for the malware tools and operations attributed to a group that security researchers have dubbed the Equation.
The Equation’s cyberespionage activities were documented in February 2015 by researchers from antivirus vendor Kaspersky Lab. It is widely considered to be the most advanced cyberespionage group in the world based on the sophistication of its tools and the length of its operations, some possibly dating as far back as 1996.
From the start, the tools and techniques used by the Equation bore a striking similarity to those described in secret documents leaked in 2013 by former NSA contractor Edward Snowden. This relationship was further strengthened by the similarity between various code names found in the Equation malware and those in the NSA files.
The new CIA documents leaked by WikiLeaks include a 2015 discussion between members of the agency’s Technical Advisory Council following Kaspersky’s analysis of the Equation group.
The discussion focused mostly on what the Equation did wrong that allowed Kaspersky’s researchers to establish relationships between various tools and link them to the group. The goal was for the CIA’s own cyber teams to learn from those mistakes and avoid them in their own tools and operations.
The Equation’s errors identified during the discussion included the use of custom cryptographic implementations instead of relying on standard libraries like OpenSSL or Microsoft’s CryptoAPI, leaving identifying strings in the program database (PDB), the use of unique mutexes, and the reuse of exploits.
“The ‘custom’ crypto is more of NSA falling to its own internal policies/standards which came about in response to prior problems,” one team member said during the discussion. “In the past, there were crypto issues where people used 0 [initialization vectors] and other miss-configurations. As a result, the NSA crypto guys blessed one library as the correct implementation and everyone was told to use that.”
“The Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools (mostly TAO some IOC),” another member wrote.
TAO is a reference to the NSA’s Office of Tailored Access Operations, a large division that specializes in the creation of hacking tools for infiltrating foreign computer systems. Meanwhile, IOC refers to the Information Operations Center, a CIA division that, according to a leaked 2013 budget justification for intelligence agencies, has shifted focus from counterterrorism to cyberespionage in recent years.
The CIA analysis of Kaspersky’s Equation report highlights how hackers can learn to better hide their attacks based on research published by security companies. This raises the question of whether security vendors and independent researchers should be so forthcoming with the methods they use to establish links between malware tools.
“It is a proven fact that attackers learn from public analyses, and this is something that all researchers consider when publishing material,” researchers from Kaspersky Lab said in an emailed statement. “It is a calculated risk. Of course, not all companies choose to disclose all their findings. Some companies prefer to keep some of the details for private reports, or not to create a report at all.”
“We believe that, going forward, a balance will be achieved between the amount of publicly disclosed information (just enough to highlight the risks and raise awareness) and the amount of information kept private (to allow for the discovery of future attacks),” the Kaspersky researchers said.
According to them, this new information ties into the escalating cyber arms race that has been going on since 2012 and shows no signs of slowing down.