As US cybersecurity professionals, we are well-versed in the tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs) from various countries. We have detailed indicators of compromise (IOCs) for groups like APT41 from China and APT28 from Russia. However, when it comes to American APTs, the landscape is far murkier.
Beyond some recognition of APT “Longhorn” (believed to be linked to the CIA) and the infamous Equation Group (widely attributed to the NSA), there is an eerie silence. Outside of the Shadow Brokers leaks in 2016-2017, which exposed a fraction of Equation Group’s arsenal, technical specifics on their current operations remain elusive. Unlike foreign adversary APTs, which we analyze and dissect in open reports, the United States’ own top-tier cyber operators are ghosts—felt but rarely seen.
The recent article on InverseCos provides a rare glimpse into the operations of the Equation Group, as seen through the lens of Chinese cybersecurity entities. This blog aims to dissect these insights and provide a detailed look at the technical specifics mentioned in the article.
Technical Specifics from the Article
The article highlights several key aspects of the Equation Group’s operations, particularly their alleged attack on China’s Northwestern Polytechnical University in 2022. According to Chinese sources, the attack was executed by the NSA’s Tailored Access Operations (TAO) division, which deployed over 40 unique malware strains for data theft and espionage.
Key Points:
Attack Vector: The attack reportedly began with a series of phishing emails targeting university staff and employees.
Malware Deployment: TAO allegedly used the FoxAcid platform to deploy malware, leveraging IPs purchased through cover companies.
Attribution: Chinese cybersecurity firms Qihoo 360 and the National Computer Virus Emergency Response Center (CVERC) identified four IPs linked to the attack, allegedly purchased by an NSA operative using the pseudonym ‘Amanda Ramirez.’
Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs)
Indicator: Description
Phishing Emails: Initial attack vector targeting university staff.
FoxAcid Platform: Used for deploying malware.
Cover Companies: ‘Jackson Smith Consultants’ and ‘Mueller Diversified Systems’ used to purchase IPs.
IPs Identified: Four IPs linked to the attack: 209.59.36.xx, 69.165.54.xx, 207.195.240.xx, 209.118.143.xx.
Malware Strains: Over 40 unique strains used for data theft and espionage.
FoxAcid Hash: Specific hash details were not disclosed in the article.
Credential Harvesting Tool: DRINKING TEA, which sniffed SSH, Telnet, and Rlogin passwords.
Detailed Analysis of the Attack
Attack Times: One of the frameworks used by TAO, named ‘NOPEN,’ requires human operation. Analysis of the incident timeline showed that 98% of all attacks occurred during 9am – 4pm EST (US working hours). There were no cyber-attacks on Saturdays and Sundays, and none during American holidays like Memorial Day, Independence Day, and Christmas.
Keyboard Inputs: The attackers used American English, with all devices running English OS and applications. An American keyboard layout was utilized.
Human Errors: During the incident, one of the alleged NSA attackers tried to upload and run a Pyscript tool but forgot to modify the parameters. This error exposed the working directory and file name of the attacker’s terminal, revealing they were using a Linux system with a directory named ‘/etc/autoutils.’
Tools Found Prior to Shadow Brokers Leak: The Northwestern Polytechnical University had allegedly suffered multiple breaches over the years. Several pieces of malware uncovered in prior investigations were allegedly the same tools described in the Shadow Brokers leak.
Toolkits Related to NSA: 41 different tools and malware samples were identified during the forensic analysis. 16 of these tools were consistent with the TAO weapons exposed by the Shadow Brokers leak, 23 had around 97% similarity, and 2 were not found in the Shadow Brokers leak but were seen used by TAO in other cyber-attacks.
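The working-hours and holiday pattern described under Attack Times is a timeline heuristic an incident responder can reproduce from their own session logs. The following added example (not code from the article or from the Chinese reports it summarises) converts constructed UTC session timestamps to US Eastern time and buckets them into working hours, off hours, weekends and the named US holidays; the log format, the sample year 2022 and the holiday dates are assumptions.

```python
from collections import Counter
from datetime import date, datetime, time
from zoneinfo import ZoneInfo

EASTERN = ZoneInfo("America/New_York")
WORK_START, WORK_END = time(9, 0), time(16, 0)  # 9am - 4pm Eastern, per the article
# Holidays named in the article, for the assumed sample year 2022
US_HOLIDAYS = {date(2022, 5, 30), date(2022, 7, 4), date(2022, 12, 25)}

# Constructed sample: operator session start times as a sensor would log them (UTC)
SAMPLE_LOG = """\
2022-06-01T14:05:11Z operator session opened
2022-06-01T18:40:02Z operator session opened
2022-06-02T13:15:59Z operator session opened
2022-06-03T19:30:00Z operator session opened
2022-06-04T15:00:00Z operator session opened
2022-07-04T14:00:00Z operator session opened
2022-06-07T02:10:00Z operator session opened
"""


def parse_utc(line):
    """Take the leading ISO-8601 'Z' timestamp from a log line as an aware UTC datetime."""
    ts = line.split(" ", 1)[0]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=ZoneInfo("UTC"))


def profile_activity(log_text):
    """Bucket each session start by the US Eastern working pattern; return counts and ratio."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        local = parse_utc(line).astimezone(EASTERN)  # handles EST/EDT correctly
        if local.date() in US_HOLIDAYS:
            counts["holiday"] += 1
        elif local.weekday() >= 5:  # Saturday or Sunday in Eastern local time
            counts["weekend"] += 1
        elif WORK_START <= local.time() < WORK_END:
            counts["work_hours"] += 1
        else:
            counts["off_hours"] += 1
    total = sum(counts.values())
    result = {k: counts[k] for k in ("work_hours", "off_hours", "weekend", "holiday")}
    result["total"] = total
    result["work_hours_ratio"] = round(counts["work_hours"] / total, 2) if total else 0.0
    return result


if __name__ == "__main__":
    print(profile_activity(SAMPLE_LOG))
```

A high working-hours ratio only supports attribution alongside tooling and infrastructure evidence, since schedules can be staggered or spoofed and scheduled tasks run without an operator at the keyboard.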
Inside the Attack: Alleged NSA TTPs
Pre-Attack Preparation: The NSA conducted extensive pre-attack preparation, using zero-days to breach systems in neighboring countries to China. They targeted servers with large network traffic, installing NOPEN to establish a foothold. 54 jump servers and 5 proxy servers from 17 countries were used, with 70% of the attacks coming from China’s neighboring countries.
Initial Access into the University: The attackers used MiTM and spear-phishing emails targeting university members. They also leveraged the FOXACID platform to automate the delivery of browser exploits.
Persistence and Lateral Movement: APT-C-40 focused on long-term persistence and lateral movement, deploying backdoors and credential theft techniques. Tools like SECONDDATE, NOPEN, FLAME SPRAY, CUNNING HERETICS, and STOIC SURGEON were used to maintain control and avoid detection.
Lateral Movement Techniques: The attackers targeted edge network devices, using legitimate credentials to access firewall appliances and telecom operators. They hijacked software update mechanisms and used the DRINKING TEA tool to harvest credentials.
Data Exfiltration: NSA operatives allegedly stole classified research data, network infrastructure details, and sensitive operational documents. Tools like OPERATION BEHIND ENEMY LINES, School of Magic, Clown Food, and Cursed Fire were used for data exfiltration.
Evasion and Anti-Forensic Measures: The NSA employed several anti-forensic techniques, including log manipulation with TOAST BREAD and encrypted communications to ensure traffic to their C2 servers remained undetectable.
This detailed look into the Equation Group’s operations underscores the sophistication and complexity of their cyber activities. As cybersecurity professionals, understanding these TTPs and IOCs is crucial for enhancing our defensive strategies and staying ahead of potential threats.
Final Thoughts
We know an incredible amount about Chinese, Russian, and Iranian APTs, yet very little about how Equation Group operates today. That isn’t an oversight—it’s by design. The NSA’s cyber capabilities remain at the bleeding edge, and their ability to evade detection and attribution is unmatched.
The biggest takeaway? If the best intelligence we have on Equation Group still comes from the Shadow Brokers leaks, then we’re already years behind.
While we will continue to track, mitigate, and counter foreign APTs, we should never forget that the most sophisticated cyber operators in the world might just be the ones we hear about the least.