New smoking gun further ties NSA to omnipotent “Equation Group” hackers

What are the chances unrelated state-sponsored projects were both named "BACKSNARF"?
by Dan Goodin - Mar 11, 2015 6:01am PDT  Ars Technica


Niels Noordhoek

Researchers from Moscow-based Kaspersky Lab have uncovered more evidence tying the US National Security Agency to a nearly omnipotent group of hackers who operated undetected for at least 14 years.

FURTHER READING
HOW “OMNIPOTENT” HACKERS TIED TO NSA HID FOR 14 YEARS—AND WERE FOUND AT LAST

"Equation Group" ran the most advanced hacking operation ever uncovered.The Kaspersky researchers once again stopped short of saying the hacking collective they dubbed Equation Group was the handiwork of the NSA, saying only that the operation had to have been sponsored by a nation-state with nearly unlimited resources to dedicate to the project. Still, they heaped new findings on top of a mountain of existing evidence that already strongly implicated the spy agency. The strongest new tie to the NSA was the string "BACKSNARF_AB25" discovered only a few days ago embedded in a newly found sample of the Equation Group espionage platform dubbed "EquationDrug." "BACKSNARF," according to page 19 of this undated NSA presentation, was the name of a project tied to the NSA's Tailored Access Operations.



"BACKSNARF" joins a host of other programming "artifacts" that tied Equation Group malware to the NSA. They include "Grok," "STRAITACID," and "STRAITSHOOTER." Just as jewel thieves take pains to prevent their fingerprints from being found at their crime scenes, malware developers endeavor to scrub usernames, computer IDs, and other text clues from the code they produce. While the presence of the "BACKSNARF" artifact isn't conclusive proof it was part of the NSA project by that name, the chances that there were two unrelated projects with nation-state funding seems infinitesimally small.

Kaspersky Lab
The code word is included in a report Kaspersky published Wednesday detailing new technical details uncovered about Equation Group. Among other new data included in the report, the timestamps stored inside the Equation Group malware showed that members overwhelmingly worked Monday through Friday and almost never on Saturdays or Sundays. The hours in the timestamps appeared to show members working regular work days, an indication they were part of an organized software development team. Assuming they worked a regular 8 to 5 workday, the timestamps show the employees were likely in the UTC-3 or UTC-4 time zone, a finding that would be consistent with people working in the Eastern part of the US. The Kaspersky report discounted the possibility the timestamps were intentionally manipulated, since the years listed in various executable files appeared to match the availability of computer platforms the files ran on.

Previously found evidence suggesting a possible connection to the NSA included the Equation Group's aptitude for conducting interdictions that in 2009 placed highly advanced malware on a CD-ROM sent to a prestigious researcher who attended a scientific conference. That interdiction was similar to an NSA-sponsored one detailed in documents leaked by former NSA subcontractor Edward Snowden thatinstalled covert implant firmware on a Cisco Systems router as it was being shipped to its unwitting customer. Still other ties included zero-day vulnerabilities shared between Equation Group malware and the NSA-led Stuxnet worm that sabotaged Iranian uranium enrichment efforts in 2009 or so. The countries that were and were not targeted are also consistent with Equation Group being a US-sponsored project.

Most of the new details included in Tuesday's report will be of interest only to hard-core researchers. Still, they only bolster previous findings that Equation Group was hands down the world's most advanced hacking operation ever to come to light. Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike. Readers can expect more revelations to come as researchers continue to analyze new samples and further examine the malware that has already come to light.