As security researchers continue to analyze malware used by a sophisticated espionage group dubbed the Equation, more clues surface that point to the U.S. National Security Agency being behind it.
In February, Russian antivirus firm Kaspersky Lab released an extensive report about a group that has carried out cyberespionage operations since at least 2001 and possibly even as far back as 1996. The report detailed the group's attack techniques and malware tools.
The Kaspersky researchers have dubbed the group Equation and said that its capabilities are unrivaled. However, they didn't link the group to the NSA or any other intelligence agency, despite similarities between its tools and those described in secret NSA documents leaked by Edward Snowden.
Kaspersky found code names like SKYHOOKCHOW, DRINKPARSLEY, LUTEUSOBSTOS, STRAITACID, STRAITSHOOTER in the malware used by the Equation group. While these were not a direct match to NSA code names known so far, they bear a striking resemblance to some of them.
The malware platform, which was dubbed EquationDrug, has a modular architecture and resembles a mini operating system, the Kaspersky researchers said. So far 30 of its plug-ins have been found, but the platform might have more than 115 modules, each implementing different functionality.
Statistics based on compilation time stamps found in the EquationDrug samples collected so far suggest that its developers are working almost exclusively from Monday to Friday and are likely located in the UTC-3 or UTC-4 time zones, if we assume that they start work at 8 or 9 am. Time stamps in malware samples are not always reliable, because developers can alter them, but in the case of EquationDrug, the Kaspersky researchers believe they look "very realistic."