State sponsored malware is becoming increasingly sophisticated according to a report released by security vendor, Kaspersky Labs. According to a company statement, this new trend was confirmed during analysis of the EquationDrug cyber-espionage platform, the main espionage platform developed by the Equation Group.
The Equation Group is a highly sophisticated threat actor that has been engaged in multiple computer network exploitation (CNE) operations dating back to 2001. Some analysts estimate the group has been active as early as 1996.
Kaspersky found that the industry’s success in exposing advanced persistent threat (APT) groups has prompted sophisticated threat actors to focus on increasing the number of components in their malicious platforms. This is designed to reduce visibility and enhance stealth.
The firm said the latest platforms now carry many plugin modules that allow the user to select and perform a wide range of different functions, depending on the target and information held. Kaspersky Lab estimates that EquationDrug includes 116 different plugins.
Kaspersky Lab director of global research, Costin Raiu, said that nation state attackers are looking to create more stable, invisible, reliable and universal cyber espionage tools.
“They are focused on creating frameworks for wrapping such code into something that can be customised on live systems and provide a reliable way to store all components and data in encrypted form, inaccessible to regular users.”
“Sophistication of the framework makes this type of actor different from traditional cyber criminals, who prefer to focus on payload and malware capabilities designed for direct financial gains.”
EquationDrug has been in use for more than a decade. It is now largely being replaced by the more sophisticated GrayFish platform.
The tactical trends confirmed by the analysis of EquationDrug were first observed during research into the cyber espionage campaigns Careto and Regin, among others.
Traditional cyber criminals mass distribute emails with malicious attachments or infect websites on a large scale, while nation state actors prefer highly targeted, “surgical strikes”, infecting just a handful of selected users.
Cybercriminals typically reuse publicly available source code such as that of the Zeus or Carberb Trojans. In contrast, nation-state actors build unique, custom malware and implement restrictions that prevent decryption and execution outside of the target computer.
Cybercriminals, in general, attempt to infect as many users as possible. However, they lack the time and storage space to manually check all the machines they infect and to analyse who owns them, what data is stored on them and what software they run.
As a result, they code all-in-one malware stealers that extract only the most valuable data such as passwords and credit card numbers from victims’ machines. This activity could bring them to the attention of security software installed on the target machine.
Nation-state attackers have the resources to store as much data as they want. To escape attention and remain invisible to security software, they try to avoid infecting random users and instead rely on a generic remote system management tool that can copy any information they might need and in any volumes.
This could work against state-sponsored actors because moving a large volume of data could slow down the network connection and arouse suspicion. This is one of the reasons some of theses attacks have been stopped in the past.