Threat Actor

Equation Group

equation_group · united_states · active since 2001

The Equation Group (canonical Kaspersky GReAT naming per the February 16-17, 2015 Securelist disclosure "Equation: The Death Star of Malware Galaxy" and its accompanying technical PDF; China-side naming APT-C-40; widely suspected attribution to the United States NSA Tailored Access Operations / TAO unit) is one of the longest-running and most operationally sophisticated state-aligned offensive cyber operations clusters in publicly tracked industry analysis, with earliest tracked activity dating to at least 2001 (possibly 1996). Kaspersky characterizes it as "probably one of the most sophisticated cyber attack groups in the world," operating "alongside the creators of Stuxnet and Flame". The NSA TAO attribution is supported by: Stuxnet/Flame operational interaction (the FANNY worm contains the Stuxnet privLib LNK exploit); F-Secure's correlation between the HDD firmware tradecraft and the NSA ANT catalog "IRATEMONK" program (Der Spiegel 2013); The Shadow Brokers' August 2016 - June 2017 public tool disclosures explicitly attributing the tools to Equation Group / NSA TAO; WikiLeaks' 2017 CIA Vault 7 internal discussion on Equation Group identification; and target patterns (Iran, Russia, Pakistan, Afghanistan, India, Syria, Mali) consistent with US Government strategic foreign-intelligence priorities.

Its most distinctive tradecraft is hard drive firmware reprogramming across Seagate, Western Digital, Hitachi, Samsung and Toshiba drives, giving persistence that survives disk formatting and OS reinstallation.

Signature tooling includes EQUATIONLASER (2001-2004), the EQUATIONDRUG modular platform (2003-2013), the GRAYFISH registry-resident bootkit (2013+, the most sophisticated implant), the DOUBLEFANTASY validator, the FANNY air-gap-bridging worm (USB-based C2 bridging air-gapped networks), and the FuzzBunch exploitation framework plus the DanderSpritz post-exploitation framework (publicly leaked by The Shadow Brokers in the April 14, 2017 "Lost in Translation" dump).

Documented physical interdiction tradecraft includes a CD-ROM from a Houston scientific conference carrying a DOUBLEFANTASY payload. Kaspersky documented 500 confirmed infections in 42 countries by 2015 but assessed that "the actual number could be in the tens of thousands due to its self-terminating protocol". Downstream proliferation from The Shadow Brokers leaks directly enabled the WannaCry, NotPetya and Bad Rabbit outbreaks (curated separately as shadow_brokers.yaml).

China pre-leak access discoveries include APT31's Jian, a replica of EpMe (Check Point, February 2021), and Buckeye's pre-leak access to NSA exploits, assessed as reverse-engineered from captured network traffic (Symantec, May 2019).

Fills the historical Tier-4 US-NSA-TAO-attributed foundational cluster cell in the curated corpus.

united_states · confidence: high · 15 aliases · MITRE ATT&CK G0020

Profile

The Equation Group (canonical Kaspersky GReAT naming per the February 2015 disclosure; China-side naming APT-C-40; widely suspected attribution to the United States NSA Tailored Access Operations / TAO unit, part of the NSA Computer Network Operations / CNO directorate) is one of the longest-running and most operationally sophisticated state-aligned offensive cyber operations clusters in publicly tracked industry analysis, with earliest tracked activity dating to at least 2001 (possibly 1996). Kaspersky GReAT characterizes Equation Group as "probably one of the most sophisticated cyber attack groups in the world" and "one of the most sophisticated advanced persistent threats in the world," operating "alongside the creators of Stuxnet and Flame." The NSA TAO attribution rests on multiple convergent evidence streams:
  • (a) Stuxnet/Flame operational interaction, including the FANNY worm containing Stuxnet's "privLib" LNK exploit.
  • (b) F-Secure's correlation between Equation Group HDD firmware tradecraft and the NSA ANT catalog "IRATEMONK" program (Der Spiegel 2013).
  • (c) The Shadow Brokers (curated separately as shadow_brokers.yaml in this corpus) public tool disclosures, August 2016 - June 2017, explicitly attributing the leaked tools to Equation Group / NSA TAO.
  • (d) WikiLeaks' 2017 CIA Vault 7 internal discussion on Equation Group identification.
  • (e) Operational target patterns consistent with US Government strategic foreign-intelligence collection priorities.
No formal US Government acknowledgment has been issued.

Operational phases of the cluster's longitudinal history:
  • (1) EARLIEST OPERATIONAL ERA (2001-2008). EQUATIONLASER deployed 2001-2004 (compatible with Windows 95/98/ME). Kaspersky suspects operations since approximately 1996 based on FANNY compile-time analysis.
  • (2) FANNY AIR-GAP WORM DEPLOYMENT (2008+). Air-gap-bridging worm targeting isolated networks via a USB-based C2 mechanism. Contains Stuxnet's "privLib" with the LNK exploit subsequently observed in Stuxnet in 2010.
  • (3) EQUATIONDRUG MODULAR PLATFORM ERA (2003-2013). Complex modular, plugin-based attack platform. Two-stage deployment: the DOUBLEFANTASY validator first, then EQUATIONDRUG for confirmed targets.
  • (4) GRAYFISH REGISTRY-RESIDENT BOOTKIT ERA (2013+). Most sophisticated implant; it "resides completely in the registry, relying on a bootkit to gain execution at OS startup." Replaced EQUATIONDRUG.
  • (5) KASPERSKY CANONICAL DISCLOSURE (February 16-17, 2015). Securelist "Equation: The Death Star of Malware Galaxy" and the accompanying technical PDF. 500 confirmed infections in 42 countries documented through 2015.
  • (6) THE SHADOW BROKERS PUBLIC TOOL LEAK DISCLOSURES (August 2016 - June 2017). EternalBlue, DoublePulsar, EternalRomance, FuzzBunch and DanderSpritz publicly disclosed. Downstream catastrophic ransomware and destructive proliferation: WannaCry (May 2017), NotPetya (June 2017), Bad Rabbit (October 2017).
  • (7) CHINA PRE-LEAK ACCESS DISCOVERIES (May 2019 and February 2021). APT31's Jian, a replica of EpMe; Buckeye's pre-leak NSA exploit access, assessed as reverse-engineered from captured network traffic.
  • (8) CONTINUED OPERATIONS (2015-present, limited public visibility). The cluster is assessed to continue operating as a state-aligned actor with limited public-disclosure visibility.
Signature operational tradecraft
  • Hard drive firmware reprogramming (most operationally distinctive): HDD firmware modification across Seagate, Western Digital, Hitachi, Samsung and Toshiba drives. Persistence survives disk formatting and OS reinstallation. The single recovered sample is known as nls_933w.dll. It implies knowledge of "unique ATA commands used by hard drive vendors" that is "way beyond public documentation". Practitioner caveat: because the drive's own firmware services every read the host issues, host-side integrity checks of disk contents or of the reported firmware revision cannot be trusted to expose such an implant; drive replacement is the practical remediation.
  • GRAYFISH registry-resident bootkit: most sophisticated implant residing completely in the registry with bootkit execution at OS startup.
  • FANNY air-gap-bridging worm: USB-based C2 mechanism for mapping and exfiltrating from air-gapped networks (signature operational capability).
  • Modular plugin-based attack platforms (EQUATIONDRUG + GRAYFISH): dynamically uploaded/unloaded plugins.
  • Two-stage validator-then-upgrade deployment: DOUBLEFANTASY validator confirms target, EQUATIONDRUG / GRAYFISH deployed only for confirmed high-value targets, operationally explains low overall infection count (500 confirmed) versus likely tens of thousands of total operations per Kaspersky assessment.
  • Physical interdiction tradecraft: signature Houston scientific conference CD-ROM interdiction with DOUBLEFANTASY payload. Operationally consistent with NSA TAO ANT catalog physical interdiction programs (Der Spiegel 2013).
  • Extensive encryption/obfuscation tradecraft: the cluster name derives from its "extensive use of encryption algorithms and other obfuscation techniques".
  • 0day acquisition capability: multiple 0days subsequently observed in Stuxnet; broad 0day inventory across Windows EoP / kernel exploits / SMB.
  • Self-terminating protocol: implants self-terminate under certain conditions, operationally explains gap between 500 confirmed infections and potential tens of thousands of actual operations.
  • Long-running operational tempo: ~25 years of operational continuity (2001-present, possibly 1996+), one of the longest-running publicly tracked clusters.

The cluster fills the historical Tier-4 US-NSA-TAO-attributed foundational cell in this curated corpus, operationally complementary to The Shadow Brokers (curated separately as shadow_brokers.yaml), the LEAK group that publicly disclosed Equation Group tooling in 2016-2017. The two clusters are distinct entities: Equation Group is the offensive cyber operations source cluster; The Shadow Brokers is the leak group. Together they form one of the most operationally consequential historical-cluster pairs in modern cybersecurity industry analysis. Operational connections within the curated corpus include downstream pre-leak tool proliferation to APT31 Zirconium (curated separately as apt31_zirconium.yaml, which cloned EpMe as Jian) and Buckeye / Emissary Panda (curated separately as emissary_panda.yaml, which captured NSA tools from victim network traffic).

Aliases

15 aliases: equation group, equation_group, equationgroup, equation, apt-c-40, apt_c_40, apt c 40, nsa tao, nsa tailored access operations, tao, tailored access operations, nsa computer network operations, nsa cno, equation_group_nsa, equation apt

Notable Campaigns

10 campaigns
  • 2016-2017: The Shadow Brokers Public Tool Leak Disclosures (August 2016 - June 2017)
  • 2015-Present: Continued Operations (Implied; Post-2015 Public Visibility Limited)
  • 2015: Kaspersky GReAT Canonical 'Equation' Disclosure (February 16-17, 2015)
  • 2014-2017: China APT31 Pre-Leak Equation Group Tool Access (Discovered February 2021)
  • 2013-Present: GRAYFISH Registry-Resident Bootkit (2013+)
  • 2008: FANNY Air-Gap-Bridging Worm Deployment (2008+)
  • 2003-Present: Hard Drive Firmware Reprogramming (Most Operationally Distinctive Tradecraft)
  • 2003-2013: EQUATIONDRUG Modular Attack Platform (2003-2013)
  • 2001-2015: Houston Scientific Conference CD-ROM Interdiction Tradecraft (Documented Pattern)
  • 2001: Equation Group Operational Emergence (Active Since at Least 2001, Possibly 1996)

Attribution & Reporting

Attributed by
Kaspersky GReAT; F-Secure; Check Point Research; Symantec / Broadcom Threat Hunter Team; The Equation Group (named cluster) per Kaspersky 2015; Microsoft Threat Intelligence Center; Mandiant; Costin Raiu (Kaspersky GReAT Director); Eyal Itkin + Itay Cohen (Check Point Research); The Shadow Brokers (via leak disclosures); WikiLeaks (CIA Vault 7 disclosure 2017); Der Spiegel (NSA ANT catalog 2013); James Bamford; Edward Snowden (via Snowden disclosures 2013+)
Key reporting
  • Kaspersky GReAT (Global Research and Analysis Team, Costin Raiu, Director): Equation: The Death Star of Malware Galaxy (Securelist, February 16, 2015); canonical Equation Group naming and disclosure
  • Kaspersky GReAT: Equation Group: Questions and Answers (technical PDF, February 17, 2015); canonical comprehensive technical disclosure
  • F-Secure: NSA ANT Catalog / Equation Group correlation (IRATEMONK matching analysis)
  • Check Point Research (Eyal Itkin, Itay Cohen): The Story of Jian: How APT31 Stole and Used an Unknown Equation Group 0-Day (February 22, 2021); canonical China pre-leak-access disclosure
  • Symantec / Broadcom Threat Hunter Team: Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak (May 2019)
  • The Shadow Brokers: Equation Group tool public disclosures (August 2016 - June 2017); operationally consequential downstream proliferation
  • WikiLeaks: CIA Vault 7 internal discussion on Equation Group identification (2017)
  • Der Spiegel: NSA ANT catalog disclosure (December 2013); IRATEMONK and adjacent TAO programs
  • James Bamford: NSA TAO operational context (multiple publications)
  • Edward Snowden NSA disclosures (2013+): operational context for the TAO/CNO mission
  • Microsoft Threat Intelligence Center: MS17-010 SMB patch coordination (March 14, 2017, one month before The Shadow Brokers' Lost in Translation leak)
  • Mandiant: Equation Group / NSA TAO operational context analysis
  • MITRE ATT&CK Group G0020, Equation Group
  • Malpedia actor profile: Equation Group

Operational

State sponsor

United States Government, widely suspected to be the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA), part of the NSA's Computer Network Operations (CNO) directorate. TAO was reportedly active under that name since at least 1998 and was later renamed Computer Network Operations (CNO) in a subsequent organizational restructuring. The attribution of Equation Group to NSA TAO is consistent with several distinct evidence streams: (a) Stuxnet/Flame operational interaction: Kaspersky's Global Research and Analysis Team (GReAT) found that "the Equation group interacted with other powerful groups, such as the Stuxnet and Flame groups", consistent with NSA's reported involvement in Stuxnet (jointly developed with Israeli Unit 8200 per multiple sources and deployed against Iran's Natanz uranium enrichment facility) and in Flame.

Kaspersky's analysis found that Fanny (an Equation Group worm) contained Stuxnet's "privLib", specifically the LNK exploit subsequently observed in Stuxnet in 2010. Kaspersky stated that it suspects Equation Group "has been around longer than Stuxnet, based on the recorded compile time of Fanny." (b) NSA ANT catalog correlation: F-Secure assessed Equation Group's malicious hard drive firmware as matching the TAO program "IRATEMONK", one of the items from the NSA ANT catalog exposed in a 2013 Der Spiegel article. IRATEMONK gives the attacker persistence across hard drive reformats via a firmware-level implant, matching Equation Group's signature HDD firmware reprogramming capability.

(c) The Shadow Brokers leak disclosures: The Shadow Brokers (curated separately as shadow_brokers.yaml in this corpus) publicly disclosed Equation Group tooling beginning August 13, 2016, explicitly attributing the leaked tools to Equation Group / NSA TAO. Subsequent analysis of the leaked tools (the FuzzBunch exploitation framework, the DanderSpritz post-exploitation framework, the EternalBlue/EternalRomance/EternalSynergy/EternalChampion SMB exploits, and the DoublePulsar kernel SMB backdoor) corroborated the Equation Group to NSA TAO link. (d) WikiLeaks CIA Vault 7 disclosure (2017): WikiLeaks published an internal CIA discussion about how Kaspersky had been able to identify the Equation Group, confirming US intelligence community awareness of, and concern about, the identification.
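A concrete check tied to the DoublePulsar backdoor named above, added here as an example (not code from the page, from Kaspersky, or from any of the cited reports): the public DoublePulsar detection scripts (for instance nmap's smb-double-pulsar-backdoor) send an SMB1 Trans2 SESSION_SETUP request with Multiplex ID 0x41 over an established session; an implanted host answers with MID 0x51, a clean host echoes 0x41. The block below implements only the response-side parsing and classification; the SMB negotiate / session setup / tree-connect exchange that must precede the ping is assumed to have been done by the caller, and the two response packets it classifies are constructed sample bytes, not captures.

```python
"""Classify a DoublePulsar SMB1 "ping" response by its Multiplex ID.

Added example, not code from the page or its cited reports. Implements only
the response-side check; the SMB negotiate / session setup / tree connect
exchange that precedes the Trans2 SESSION_SETUP ping is assumed to have
been done by the caller. Sample packets are constructed, not captured.
"""
import struct

# SMB1 header: 32 bytes, little-endian, laid out as in MS-CIFS 2.2.3.1.
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
PING_MID = 0x41       # MID the public ping check sends (a clean host echoes it)
IMPLANTED_MID = 0x51  # MID DoublePulsar answers with instead


def parse_smb1_header(packet: bytes) -> dict:
    """Strip the 4-byte NetBIOS session header and unpack the SMB1 header."""
    if len(packet) < 4 + SMB_HEADER.size:
        raise ValueError("packet too short for NetBIOS + SMB1 header")
    if packet[0] != 0x00:  # NetBIOS session message type
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(packet[1:4], "big")
    if nb_len != len(packet) - 4:
        raise ValueError("NetBIOS length does not match packet length")
    (proto, command, status, flags, flags2, pid_high, signature,
     _reserved, tid, pid_low, uid, mid) = SMB_HEADER.unpack_from(packet, 4)
    if proto != SMB_MAGIC:
        raise ValueError("not an SMB1 packet")
    return {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid": (pid_high << 16) | pid_low, "tid": tid, "uid": uid, "mid": mid,
        "signature": signature,
    }


def classify_ping_response(response: bytes) -> str:
    """'implanted', 'clean' or 'unexpected' for a Trans2 ping response."""
    hdr = parse_smb1_header(response)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"
    if hdr["mid"] == IMPLANTED_MID:
        return "implanted"
    if hdr["mid"] == PING_MID:
        return "clean"
    return "unexpected"


def build_sample_response(mid: int, status: int = 0) -> bytes:
    """Constructed Trans2 response with the given MID. The body is reduced to
    an empty WordCount/ByteCount so the parser has a realistic frame to strip."""
    header = SMB_HEADER.pack(
        SMB_MAGIC, SMB_COM_TRANSACTION2, status,
        0x98,          # Flags: reply, case-insensitive, canonical paths
        0xC807,        # Flags2: unicode, NT status, extended security, long names
        0,             # PIDHigh
        b"\x00" * 8,   # SecurityFeatures (signature), zero in this sample
        0, 0x0800, 0xFEFF, 0x0800, mid,  # Reserved, TID, PIDLow, UID, MID
    )
    body = b"\x00" + (0).to_bytes(2, "little")  # WordCount=0, ByteCount=0
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    for label, mid in (("clean host", PING_MID), ("implanted host", IMPLANTED_MID)):
        print(label, "->", classify_ping_response(build_sample_response(mid)))
```

On a live host, feed the bytes read back after sending the Trans2 ping into classify_ping_response; anything other than the two expected MIDs (or a non-Trans2 reply) is reported as "unexpected" rather than silently treated as clean, since a SMB proxy or a hardened stack can legitimately break the echo assumption.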

(e) Operational target patterns: Kaspersky documented Equation Group targeting as primarily Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali, consistent with US Government strategic priorities for foreign-intelligence collection against these adversary nation-states. Kaspersky documented 500 confirmed malware infections in 42 countries by 2015, while acknowledging that "the actual number could be in the tens of thousands due to its self-terminating protocol." No formal US Government acknowledgment of Equation Group's identity has been publicly issued. The attribution to NSA TAO stands at "widely suspected" / "operationally consistent" assessment levels among major industry analysts (Kaspersky GReAT, F-Secure, Symantec, Check Point Research and others).

The cluster is one of the longest-running publicly tracked state-aligned offensive cyber operations clusters: Kaspersky dates the earliest tracked activity to at least 2001, with possible activity from approximately 1996. It is also, by industry consensus, the most sophisticated state-aligned cluster publicly described: Kaspersky called Equation Group "one of the most sophisticated advanced persistent threats in the world" and "the most advanced (...) we have seen, operating alongside the creators of Stuxnet and Flame".

Motivations
state_aligned_intelligence_collection, us_government_strategic_foreign_intelligence_collection, adversary_nation_state_intelligence_collection, critical_infrastructure_intelligence_collection, computer_network_operations_cno_mission_objectives, long_term_persistent_access_to_high_value_targets

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 53/60 (88%)
  • Analytics (MITRE CAR): 29/60 (48%)
  • Runtime / container (Falco): 7/60 (11%)
  • File / malware (YARA): 0/60 (0%)
  • Network (Suricata/Snort): 14/60 (23%)
  • Vuln scan (Nuclei): 0/60 (0%)
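The table above gives per-layer shares, but the questions a defender actually acts on are which techniques no layer detects at all, which become blind once the layers you do not run are subtracted, and which hang on a single layer. The block below is an added example (not threatengine.sh code) that computes all three from a technique-to-layer mapping; SAMPLE_COVERAGE is constructed sample data using real ATT&CK IDs matched to this page's tradecraft, not the page's real 60-technique mapping, and the layer assignments in it are invented for illustration. Percentages are truncated the way the page's table does (7/60 shown as 11%).

```python
"""Detection-coverage gap analysis over an actor's mapped ATT&CK techniques.

Added example, not threatengine.sh code. The technique list and the
per-layer rule assignments in SAMPLE_COVERAGE are constructed sample data;
the page's real mapping has 60 techniques drawn from its rule corpus.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Detection layers in the order the page's blind-spot table lists them.
LAYERS: Tuple[str, ...] = ("sigma", "car", "falco", "yara", "suricata", "nuclei")
LAYER_LABELS = {
    "sigma": "Behavioral / log (Sigma)",
    "car": "Analytics (MITRE CAR)",
    "falco": "Runtime / container (Falco)",
    "yara": "File / malware (YARA)",
    "suricata": "Network (Suricata/Snort)",
    "nuclei": "Vuln scan (Nuclei)",
}

# Constructed sample: ATT&CK technique ID -> layers with at least one
# detection for it. The IDs are real ATT&CK IDs picked to match the
# tradecraft on this page; which layer covers which is invented here.
SAMPLE_COVERAGE: Dict[str, Set[str]] = {
    "T1542.002": set(),                        # Pre-OS Boot: Component Firmware
    "T1542.003": {"sigma"},                    # Pre-OS Boot: Bootkit
    "T1091": {"sigma", "car"},                 # Replication Through Removable Media
    "T1112": {"sigma", "car"},                 # Modify Registry
    "T1027": {"sigma"},                        # Obfuscated Files or Information
    "T1210": {"sigma", "car", "suricata"},     # Exploitation of Remote Services
    "T1021.002": {"sigma", "suricata"},        # SMB/Windows Admin Shares
    "T1105": {"sigma", "suricata", "falco"},   # Ingress Tool Transfer
}


def layer_coverage(coverage: Dict[str, Set[str]]) -> Dict[str, Tuple[int, int, int]]:
    """Per layer: (covered, total, percent). Percent is truncated, as in the
    page's table (7/60 is shown as 11%)."""
    total = len(coverage)
    result: Dict[str, Tuple[int, int, int]] = {}
    for layer in LAYERS:
        covered = sum(1 for layers in coverage.values() if layer in layers)
        result[layer] = (covered, total, (100 * covered // total) if total else 0)
    return result


def blind_techniques(coverage: Dict[str, Set[str]], without: Iterable[str] = ()) -> List[str]:
    """Techniques no deployed layer detects. `without` names layers you do not
    run (no YARA on endpoints, no Falco outside containers), so the answer is
    the blind set for your stack rather than for the full tool set."""
    missing = set(without)
    return sorted(t for t, layers in coverage.items() if not (layers - missing))


def single_layer_dependencies(coverage: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Techniques whose only coverage is one layer: if that layer fails (rule
    disabled, log source dropped), the technique goes blind."""
    deps: Dict[str, List[str]] = {}
    for tech, layers in coverage.items():
        if len(layers) == 1:
            (only,) = layers
            deps.setdefault(only, []).append(tech)
    return {layer: sorted(techs) for layer, techs in sorted(deps.items())}


def render_table(coverage: Dict[str, Set[str]]) -> List[str]:
    """Lines shaped like the page's blind-spot table."""
    return [f"{LAYER_LABELS[layer]} {n}/{total} · {pct}%"
            for layer, (n, total, pct) in layer_coverage(coverage).items()]


if __name__ == "__main__":
    print("\n".join(render_table(SAMPLE_COVERAGE)))
    print("blind with every layer deployed:", blind_techniques(SAMPLE_COVERAGE))
    print("blind without Sigma and CAR:",
          blind_techniques(SAMPLE_COVERAGE, without={"sigma", "car"}))
    print("single-layer dependencies:", single_layer_dependencies(SAMPLE_COVERAGE))
```

Swap SAMPLE_COVERAGE for an export of your own rule-to-technique mapping; the interesting output for this actor is the firmware-level technique that stays blind no matter which layers you deploy, which is the reason the HDD firmware tradecraft is handled by replacement rather than detection.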

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques: validate your detections against this specific adversary, cross-referencing the blind spots above. For authorized lab / purple-team use only.

Tools Used

0 ATT&CK-mapped tools.
Other tooling / TTPs (curation, not ATT&CK-mapped): SF implant, SKYHOOKCHOW, STEALTHFIGHTER, STRAITACID, STRAITSHOOTER
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin