Two days after researchers exposed a National Security Agency-tied hacking group that operated in secret for more than a decade, CIA hackers convened an online discussion aimed at preventing the same kind of unwelcome attention. The thread, according to a document WikiLeaks published Tuesday, was titled “What did Equation do wrong, and how can we avoid doing the same?”
Equation Group is the name Kaspersky Lab researchers gave to the hacking unit that was responsible for a string of hacks so sophisticated and audacious they were unlike almost any the world had seen before. For 14 years, and possibly longer, the hackers monitored computers in at least 42 countries, sometimes by exploiting the same Microsoft Windows vulnerabilities that would later be exploited by the Stuxnet worm that targeted Iran’s nuclear program. The backdoors hid inside hard drive firmware and in virtual file systems, among other dark places, and had their own self-destruct mechanism, making it impossible for outsiders to grasp the true scope of the group’s hacks.
Equation Group eventually came to light because of a handful of errors its members made over the years. One was the widespread use of a distinctive encryption function that used the RC5 cipher with negative programming constants rather than with the positive constants favored by most developers. The nonstandard practice made it easier to identify Equation Group tools. Another mistake: failing to scrub variable names, developer account names, and similar fingerprints left in various pieces of Equation Group malware. A third error was the failure to renew some of the domain name registrations Equation Group-infected computers reported to. When Kaspersky Lab obtained the addresses, the researchers were shocked to find some machines infected by a malware platform abandoned more than 10 years earlier were still connecting to it.
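To make the RC5 fingerprint concrete, here is an added illustration (not code from the article, the Kaspersky report, or any Equation Group sample). It assumes the "negative constants" variant is a key schedule written with subtraction of the negated RC5 magic constants, which produces the same key table as the textbook version while leaving different immediates in the compiled code; the byte blobs scanned at the end are constructed stand-ins for compiled code.

```python
# Added example: how a non-standard encoding of RC5's key-schedule constants
# becomes a fingerprint. P32/Q32 are the published RC5 constants for 32-bit
# words; the "binaries" below are constructed byte strings, not real malware.
import struct

MASK32 = 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9  # RC5 magic constants P_w, Q_w for w = 32


def neg32(x):
    """Two's-complement negation modulo 2**32 (the 'negative' constant)."""
    return (-x) & MASK32


# Textbook RC5 key-schedule initialisation: S[0] = P, S[i] = S[i-1] + Q.
def rc5_init_s_standard(t):
    s = [P32]
    for _ in range(1, t):
        s.append((s[-1] + Q32) & MASK32)
    return s


# Functionally identical variant written with the negated constants
# (assumed form): S[0] = 0 - (-P), S[i] = S[i-1] - (-Q). Same table,
# but the immediates embedded in the code are -P and -Q, not P and Q.
def rc5_init_s_negated(t):
    s = [(0 - neg32(P32)) & MASK32]
    for _ in range(1, t):
        s.append((s[-1] - neg32(Q32)) & MASK32)
    return s


# The fingerprint: which encoding of the constants a code blob carries.
def classify_rc5_constants(blob):
    def has(value):
        return struct.pack("<I", value) in blob  # little-endian immediate

    if has(neg32(P32)) and has(neg32(Q32)):
        return "negated-constants"
    if has(P32) and has(Q32):
        return "standard-constants"
    return "no-rc5-constants"


# Constructed stand-ins for compiled code: filler bytes around the immediates.
STANDARD_BLOB = b"\x90" * 4 + struct.pack("<II", P32, Q32) + b"\xcc" * 4
NEGATED_BLOB = b"\x90" * 4 + struct.pack("<II", neg32(P32), neg32(Q32)) + b"\xcc" * 4

if __name__ == "__main__":
    assert rc5_init_s_standard(26) == rc5_init_s_negated(26)  # same key table
    print(classify_rc5_constants(STANDARD_BLOB), classify_rc5_constants(NEGATED_BLOB))
```

Both initialisers yield the same key table, which is why the variant works as a cipher; the scanner shows why it still stands out to anyone who knows to look for the negated immediates.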