Equation Group
Equation Group is a highly sophisticated, state-sponsored cyber espionage threat actor widely believed to be associated with the U.S. National Security Agency (NSA). Kaspersky uses “Equation Group” as its internal codename for what it believes is the NSA’s hacking team, and multiple cited sources describe the group as suspected or believed to be tied to the NSA. The group has been described as running one of the most advanced hacking operations ever observed, with computer network exploitation activity dating back to at least 2001 and possibly as early as 1996.

The actor is associated with long-running, modular espionage platforms including EquationDrug, EquationLaser, GrayFish, DoubleFantasy, and Fanny. EquationDrug is described as a major espionage platform used by the group from 2003 onward, with a plugin-based architecture supporting capabilities such as network interception, reverse DNS, process and driver management, file and directory management, WMI collection, cached password theft, browser monitoring, NTFS forensics, removable media monitoring, passive network backdoor functionality, HDD and SSD firmware manipulation, keylogging, clipboard monitoring, and browser history and autofill theft. GrayFish is described as a more modern platform that later replaced EquationDrug for new victims.

The group is also linked in the content to offensive tooling exposed through the Shadow Brokers leaks. Multiple sources state that the leaked tools were claimed to have been stolen from Equation Group, and Kaspersky reported with high confidence that the leaked firewall exploits, tools, and scripts were related to Equation Group, based on shared RC5/RC6 implementation traits previously seen in Equation malware. Leaked and related tooling referenced in the content includes SECONDDATE, BADDECISION, BLINDDATE, BANANAGLEE, and other files from the Shadow Brokers archive. SECONDDATE is described as a man-in-the-middle browser redirection tool used with FOXACID to redirect targets from legitimate websites to NSA-controlled servers for malware delivery. BADDECISION and BLINDDATE are described as Wi-Fi attack components used to intercept wireless traffic and support man-in-the-middle operations.

The content also links Equation Group to fast16 (Fast16), a cyber sabotage framework reportedly dating to around 2005 and attributed in the cited reporting to Equation Group. Fast16 is described as targeting high-precision engineering and simulation software including LS-DYNA, AUTODYN, PKPM, and MOHID, using an embedded Lua virtual machine, a kernel-mode filesystem driver, and rule-based in-memory patching to subtly corrupt mathematical and physical simulation results. Reporting cited in the content says this malware may have been intended to sabotage sensitive research, including possible nuclear weapons-related simulations and Iranian nuclear-related targets.

Operationally, Equation Group is described as using advanced malware, covert implants, backdoors, firmware manipulation, passive network backdoors, packet sniffers, encrypted virtual file systems, and modular plugin ecosystems. The group’s malware has shown support for stealth, persistence, traffic filtering, audit-log suppression, covert command execution, and victim-specific customization. The content also notes that Equation Group malware and modules were found alongside other nation-state malware on high-value systems in Kaspersky’s “Magnet of Threats” case. Known aliases directly reflected in the content are limited to “Equation Group” and the lowercase form “equation_group.”
Tradecraft
46 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
16 malware families attributed to this actor across reporting.
11 additional families tracked in Mallory.
Observables
27 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Sophisticated NSA-associated cyber operation whose offensive tools were allegedly stolen and leaked by Shadow Brokers.
Shadowy hacking operation widely believed to be run by the NSA; its offensive cyber tools were allegedly stolen and leaked by the Shadow Brokers.
The content references Equation Group only as a tag and does not provide substantive details about its activity in the article body.
Associated with the Fast16 cyber sabotage framework, a precision industrial sabotage platform targeting engineering and simulation software by patching floating-point arithmetic routines to subtly alter modeling results.