NSA, Unit 8200, and Malware Proliferation

How much you pay for enemies cyber weapons?
We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group.
Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems?

The above quote comes from the Shadowbrokers announcement on Pastebin, which accompanied its data dump of Equation Group malware on August 13, 2016.

The archive of data provided by Shadowbrokers has been confirmed as genuine by two sources: Kaspersky Lab researchers, who compared it to their collection of Equation Group malware, and The Intercept, which cross-referenced it against previously undisclosed NSA files provided to them by Edward Snowden.

This unprecedented discovery marks the first time in history that a national intelligence service’s cyber operations, including targets and malware, have been so definitively exposed. Unfortunately, it wasn’t China’s Ministry of State Security or Russia’s Federal Security Service that this has happened to. It was the United States’ National Security Agency (NSA).

Source: Equation Group Questions and Answers v.1.5 Feb 2015

Kaspersky Lab’s Global Research and Analysis Team (GReAT) identified the following exploits used by the Equation Group (i.e., NSA) in its 2015 report “Equation Group: Questions and Answers” (.pdf):

  • Windows Kernel EoP exploit used in Stuxnet 2009 (atempsvc.ocx), fixed with MS09-025. (CVE unknown)
  • TTF exploit fixed with MS12-034 (possibly CVE-2012-0159)
  • TTF exploit fixed with MS13-081 (possibly CVE-2013-3894)
  • LNK vulnerability as used by Stuxnet. (CVE-2010-2568)
  • CVE-2013-3918 (Internet Explorer)
  • CVE-2012-1723 (Java)
  • CVE-2012-4681 (Java)

Made in China, Used in Afghanistan

Kaspersky Lab’s report identified CVE-2013-3918, an Internet Explorer vulnerability originally used by the APT group behind the 2009 Aurora attack, an attack that Mandiant and the U.S. Justice Department attributed to China’s PLA Unit 61398. The NSA assisted Google in investigating that attack, and apparently decided to re-purpose the exploit to target government users in Afghanistan.

Think about the challenge of attributing Chinese-made malware to a U.S. intelligence agency. Who would even bother to make that leap after all the hype about APT1?

From Russian Cybercriminals To Fort Meade For Repurposing

Both Java exploits in Kaspersky’s Equation Group report (CVE-2012-1723 and CVE-2012-4681) were found in the Blackhole exploit kit by security researcher Kafeine (here and here). Blackhole was a very lucrative crimeware-as-a-service product that generated millions of dollars in proceeds by redirecting unsuspecting victims, typically via targeted spam campaigns, to malicious websites that looked authentic and then served exploits for vulnerable browsers and plugins such as Java.

Source: TrendMicro Research Paper 2012 “Blackhole Exploit Kit”

Blackhole and a related product called Cool were both developed by Dmitry “Paunch” Fedotov and his associates from 2010 until October 4, 2013, when Paunch and some members of his team were arrested by Russian authorities. It was also in 2013 that Equation Group started using these exploits, according to Kaspersky Lab GReAT director Costin Raiu in an email to the author.

CVE-2012-4681 (a severe Java zero-day) was first publicly reported by FireEye on August 26, 2012. Less than 24 hours later, Paunch announced that a new Java 0-day exploit had been added to Blackhole.

Source: Malware Don’t Need Coffee blog

While it isn’t clear how Paunch obtained either of those exploits, we do know that he was willing to pay from $100,000 to $450,000 for them through a malware broker who went by “J.P. Morgan” and who posted announcements like these, in both English and Russian, on various hacker forums:

English version of Jan 17, 2013 post (Credit Group-IB)
Russian language version of Jan 17, 2013 post (Credit Group-IB)
English version of Oct 13, 2013 Post (Credit KrebsonSecurity)

The Russian cybersecurity firm Group-IB, which assisted the Russian police in their investigation, has done extensive research on the group. I contacted them to ask about “J.P. Morgan” and was told that his identity is still unknown. J.P. Morgan’s Jabber contact address, gugusik@thesecure.biz, was created by Paunch for the use of a third party, according to one of Group-IB’s executives in an email to the author. Since the Oct 13, 2013 Darkode forum post pictured above is dated after Paunch’s arrest, it isn’t clear whether “J.P. Morgan” was a sock puppet created by Paunch to handle the purchase of exploits or a person that Paunch was fronting for.

Linguistic Analysis

I asked our Chief Scientist Dr. Shlomo Argamon of IIT to do a quick linguistic analysis of the above posts, and he was able to create the following profile, with the help of native language informants.

ANALYSIS: The author of both posts is most likely the same person. This individual’s mother tongue is most likely Russian, but they have probably been living in a non-Russian speaking environment for some years.

They have strong English skills, and their English is slightly more likely to be of British/Commonwealth origin than of US origin.

They are educated, possibly with a university degree, and may have had experience in either advertising or the British military, based on the use of the word “flog” to mean “sell”.

The individual is likely involved in hacking and/or cybersecurity in a Russian context, as the Russian word they used for exploit (сплойтов) specifically means technical exploit, rather than the general meaning “to exploit something.”

From Israel to Russian Cybercriminals

Although the Shadowbrokers’ Pastebin announcement conflated Duqu and Flame with the Equation Group, Kaspersky Lab disagrees. Costin told me:

“It is our opinion — previously explained in our EQ group analysis — that the Duqu group and the Equation group are two different entities. The link between them comes through Stuxnet, which used two zero days that were previously used by the EQ group malware FANNY.
“To clarify the answer, we consider Duqu and Equation as different groups”.

Since even Israel has acknowledged that it was involved in the creation of Stuxnet, I think it’s reasonable to say that Duqu was allegedly developed by Israel’s Unit 8200.

One of Duqu’s zero-days (CVE-2011-3402, a TrueType font parsing bug in the Windows kernel, fixed with MS11-087) was discovered by Kafeine in the Cool Exploit Kit and shortly thereafter appeared in the Blackhole Exploit Kit. Paunch confirmed to Brian Krebs that he owned both products.

Proliferation and Attribution

If anything good can come from the Shadowbrokers’ dump of NSA malware, I hope it will be the realization that malware created as a tool for attack and espionage cannot be contained; that proliferation is a much larger problem than anyone imagined; and that attribution on the basis of who developed a piece of malware is even more unreliable post-Shadowbrokers than it was before.

Perhaps the time has come for the U.N. Security Council to consider drafting a nonproliferation resolution for cyber weapons similar to its Resolution 1540 which places obligations on states to have and enforce measures preventing the proliferation of nuclear weapons to non-state actors:

All UN Member States have three primary obligations under UNSC Resolution 1540 (2004), to:

  • prohibit support to non-state actors seeking WMD and their means of delivery;
  • adopt and enforce effective laws prohibiting activities involving the proliferation of WMD and their means of delivery to non-state actors; and,
  • have and enforce effective measures to reduce the vulnerability of many legitimate activities to misuse in ways that would foster the proliferation of WMD and their means of delivery to non-state actors.

I fear that this is just the tip of the iceberg, and I hope that this problem will get the attention and research that it deserves.

I’d like to thank my partner and colleague Dr. Shlomo Argamon as well as Brian Krebs, Kafeine, Sam Biddle, Jeffrey Lewis, and the teams at Group-IB and Kaspersky Lab for taking time away from their busy days to help me with my research for this article.