Mistakes were made
No matter how elite a hacking group may be, Raiu said, mistakes are inevitable. Equation Group made several errors that allowed Kaspersky researchers to glean key insights into an operation that went unreported for at least 14 years.
Kaspersky first came upon the Equation Group in March 2014, while researching the Regin software that infected Belgacom and a variety of other targets. In the process, company researchers analyzed a computer located in the Middle East and dubbed the machine "Magnet of Threats" because, in addition to Regin, it was infected by four other highly advanced pieces of malware, including Turla, Careto/Mask, ItaDuke, and Animal Farm. A never-before-seen sample of malware on the computer piqued researchers' interest and turned out to be an EquationDrug module.
Following the discovery, Kaspersky researchers combed through their cloud-based Kaspersky Security Network of exploits and infections reported by AV users and looked for similarities and connections. In the following months, the researchers uncovered additional pieces of malware used by Equation Group as well as the domain names used to host command channels.
Perhaps most costly to the attackers was their failure to renew some of the domains used by these servers. Out of the 300 or so domains used, about 20 were allowed to expire. Kaspersky quickly registered the domains and, over the past ten months, has used them to "sinkhole" the command channels, a process in which researchers monitor incoming connections from Equation Group-infected machines.
One of the most severe renewal failures involved a channel that controlled computers infected by "EquationLaser," an early malware platform abandoned around 2003 when antivirus programs began to detect it. The underlying domain name remained active for years until one day, it didn't; Kaspersky acquired it and EquationLaser-infected machines still report to it.
"It's really surprising to see there are victims around the world infected with this malware from 12 years ago," Raiu said. He continues to see about a dozen infected machines that report from countries that include Russia, Iran, China, and India.
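The sinkhole monitoring described above, as an added illustration that is not Kaspersky's tooling and not code from the article: constructed web-server log lines from a hypothetical sinkhole are reduced to unique reporting hosts per malware family and per country, with browser and scanner noise filtered out. The domains, IP addresses, beacon paths, family mapping and GeoIP table are all assumed or constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines from a hypothetical sinkhole web server log (not real data).
SINKHOLE_LOG = """\
2015-02-16T08:01:12Z 203.0.113.7 GET /update.php host=expired-c2-a.example ua=Mozilla/4.0
2015-02-16T08:03:40Z 203.0.113.7 GET /update.php host=expired-c2-a.example ua=Mozilla/4.0
2015-02-16T09:15:02Z 198.51.100.23 GET /cgi/beacon host=expired-c2-b.example ua=Mozilla/4.0
2015-02-16T10:00:00Z 192.0.2.55 GET /update.php host=expired-c2-a.example ua=Mozilla/4.0
2015-02-16T10:05:31Z 192.0.2.55 GET /favicon.ico host=expired-c2-a.example ua=Mozilla/5.0
"""

# Hypothetical mapping of sinkholed (formerly expired) domains to the family whose implants used them.
DOMAIN_TO_FAMILY = {"expired-c2-a.example": "EquationLaser", "expired-c2-b.example": "EquationDrug"}
# Hypothetical GeoIP lookup table; a real sinkhole would query a GeoIP database instead.
IP_TO_COUNTRY = {"203.0.113.7": "RU", "198.51.100.23": "IR", "192.0.2.55": "IN"}
# Paths the implants are assumed to beacon to; any other request (browsers, crawlers) is noise.
BEACON_PATHS = {"/update.php", "/cgi/beacon"}

LINE_RE = re.compile(r"^(\S+) (\S+) GET (\S+) host=(\S+) ua=(.*)$")

def summarize_sinkhole(log_text):
    """Return (unique hosts per family, hosts per country, first-seen time per (family, ip))."""
    victims = defaultdict(set)      # family -> set of source IPs that beaconed
    first_seen = {}                 # (family, ip) -> datetime of the first beacon
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # malformed line: skip rather than crash the monitor
        ts, ip, path, host, _ua = m.groups()
        family = DOMAIN_TO_FAMILY.get(host)
        if family is None or path not in BEACON_PATHS:
            continue                # unknown domain or non-beacon request: ignore
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        victims[family].add(ip)
        first_seen.setdefault((family, ip), when)
    per_country = defaultdict(int)
    for ips in victims.values():
        for ip in ips:
            per_country[IP_TO_COUNTRY.get(ip, "??")] += 1
    return {f: len(ips) for f, ips in victims.items()}, dict(per_country), first_seen

if __name__ == "__main__":
    families, countries, _ = summarize_sinkhole(SINKHOLE_LOG)
    print(families, countries)
```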