The hacking collective, dubbed “Equation Group,” must have been sponsored by a nation-state with vast resources in order to operate, Kaspersky analysts assert.
The strongest evidence connecting the NSA to Equation Group is the string "BACKSNARF_AB25," which was embedded in a sample of the Equation Group cyberespionage platform known as "EquationDrug."
"BACKSNARF," according to page 19 of an undated NSA presentation that was obtained by Ars Technica, was the name of a project tied to the NSA's Tailored Access Operations.
“While the presence of the 'BACKSNARF' artifact isn't conclusive proof it was part of the NSA project by that name, the chances that there were two unrelated projects with nation-state funding seems infinitesimally small,” Dan Goodin of Ars Technica points out.
A new report published Wednesday by Kaspersky notes that timestamps stored inside the Equation Group malware showed that the hackers almost exclusively worked Monday through Friday. Assuming an 8 a.m. to 5 p.m. workday, the timestamps place the employees in the eastern part of the US.
It is unlikely the timestamps were intentionally manipulated, the report states, since the years listed in various executable files match the availability of computer platforms the files ran on.
Last month, Kaspersky revealed details about an Equation Group operation that led to some 500 infections in at least 30 countries, including Russia, Iran, Pakistan, Afghanistan, India and Syria. The operation targeted banks, foreign governments, embassies, the energy, infrastructure, media and telecommunications sectors, and Islamist groups.
While those revelations triggered media reports about the US National Security Agency being behind the espionage, Kaspersky has stopped short of ever saying Equation Group was the handiwork of the NSA.
Another connection is the similarity between Equation Group’s interdiction techniques and those of the NSA, as evidenced in documents leaked by NSA whistleblower Edward Snowden.
According to Goodin, the Equation Group, regardless of which agency it operates under, is “hands down the world's most advanced hacking operation ever to come to light.”