Possibly NSA-developed malware that rewrites HDD firmware discovered by Kaspersky

Computer security company Kaspersky has discovered a collection of very advanced malware that can be linked to the NSA. The group behind the malware, which Kaspersky calls "The Equation Group", has been active since 2001. According to Kaspersky, this group is responsible for the most advanced malware it has ever seen.

The collection of malware deployed by the Equation Group is able to take over the computer as soon as it starts, according to Kaspersky. The group has reportedly even developed specific malware to rewrite the firmware of hard disk drives of many large brands and many disk types.

This should make it possible for other malware to reinstall itself over and over again, even when the entire HDD is wiped. Kaspersky states this also makes it pretty much impossible to detect the malware.

The security company also mentions that the Equation Group works very professionally, e.g. by activating the malware in stages. In certain cases the malware is first installed to reveal the identity of a victim. The malware activates the next stage once an interesting victim has been found.

The group reportedly also used many different ways of distributing the malware, including intercepting physical storage media and replacing it with infected devices.

According to Kaspersky, the company has detected the malware on systems in 30 different countries. A minimum of 500 victims has been found, but higher numbers are very likely. Because the malware has a self-destruct mechanism, detection is impossible after a while.

Although the malware of the Equation Group hasn't been directly linked to the American secret service, Kaspersky claims to have several important indications that the NSA is behind it. The discovered collection of malware includes a keylogger called Grok, which was reportedly developed by the NSA. Several applications in the collection also strongly resemble other malware connected to the NSA.

However, the malware of the Equation Group is more complex and the group has more resources available, according to Kaspersky.