xorl %eax, %eax

Why the Equation Group (EQGRP) is NOT the NSA

leave a comment »

I had covered this topic in my 2021 talk “In nation-state actor’s shoes” but after my recent blog post I saw again people referring to the EQGRP as the NSA which is not entirely correct. EQGRP is actually a combination of cyber operators (mostly) from the NSA’s TAO and the CIA’s IOC. So, a more accurate statement would be that the EQGRP is the US intelligence community. Here’s why…

WikiLeaks did the Vault 7 leak in 2017. Over the years this was confirmed to be a real/valid leak, and it provides unprecedented access not only on the CIA tools themselves, but also the culture and work environment inside CIA’s cyber component. This is the core source of this blog post.

Brief History of CIA IOC

After the 9/11 terrorist attacks, the CIA took the lead in the counter-terrorism efforts of the US, gaining access to almost unlimited budget, support, and resources to achieve its mission. That also meant that CIA could now expand their domain beyond their area of expertise, Human Intelligence (HUMINT), to other intelligence (and covert action) disciplines, including Signals Intelligence (SIGINT). In other words, develop their own cyber capabilities.

In 2015 the CIA publicly announced a new directorate responsible for improving the Agency’s digital capabilities. This reportedly started from a 2013 initiative by CIA Director Brennan. It was named the Directorate of Digital Innovation (DDI), headed by a Chief Information Officer (CIO), and covering all sorts of topics like modernisation of digital platforms, digitisation of manual processes, developing software for CIA’s needs, etc. Unsurprisingly, CIA’s DDI was relying extensively on the US intelligence community’s experts to develop those capabilities and by far the most mature US agency for cyber operations/SIGINT is the Department of Defense’s National Security Agency (NSA).

Inside DDI, CIA created the Center for Cyber Intelligence (CCI) which was responsible for intelligence support from the cyber domain. As per the Vault 7 leak this is where the “hacking division” (as WikiLeaks called it) fell under in 2016, when it had over 5000 registered users responsible for developing, maintaining, enhancing and using cyber capabilities to support CIA’s mission. Based on the Vault 7, this was the Information Operations Center (IOC). IOC was the cyber operators of CIA’s CCI. Meaning they were using the capabilities provided by other departments of CCI to support CIA’s intelligence operations from the cyber space.

Based on the leaks we can be certain that CCI was operational (maybe under a different org. structure) years before that 2015 public announcement for DDI, at least since 2008-2009.

The CIA EDG and TAC

One of the largest departments within the CCI was the EDG (Engineering Development Group), responsible for multiple divisions of engineering branches that were developing and maintaining different cyber capabilities for the IOC operators, the wider US intelligence community, and close allies. For instance, the Applied Engineering Division (AED) that had the Embedded Development Branch (EDB), Remote Development Branch (RDB), Operational Support Branch (OSB), etc.

A senior group of EDG employees were members of the EDG’s Technical Advisory Council (TAC) which, as its name implies, was there to review different technical challenges and provide input and expert recommendations.

The TAC Discussion on EQGRP

After Kaspersky’s “Inside the EquationDrug Espionage Platform” was published, the TAC started a discussion to identify the mistakes that led Kaspersky GReAT researchers uncovering a vast amount of US cyber capabilities, and associating them all under the EQUATION GROUP (EQGRP) alias. Here you can read the full thread on WikiLeaks.

From this discussion alone, we can see that:

  • EQGRP was actually a collection of capabilities by mostly NSA’s Tailored Access Operations (TAO) and CIA’s IOC
  • In some cases parts of the same implant were co-authored by CIA and NSA
  • CIA IOC and NSA TAO had different processes (or lack of them) for (re-)using cyber capabilities

And many lessons learned to avoid this compromise of their capabilities in the future. In general, I highly recommend you reading this thread since it’s a nice retrospective giving a glimpse into a nation-state actor’s reactions when a high-quality threat intelligence report is released.

Conclusion

News, and even some cyber threat intelligence analysts, repeating the narrative of EQGRP being the NSA is almost certainly wrong. Unless that Vault 7 was a deception operation (unlikely after all the past years’ research on it), we can conclude that the above discussion by TAC makes it very clear that EQGRP was a collection of cyber capabilities used by the cyber operators of the United States, mostly by NSA’s TAO and CIA’s IOC.

I know it’s not as sexy saying that the US was behind it compared to NSA TAO was behind it; and indeed, we can make some assumptions that exploits from the early 2000s were most likely from NSA TAO since CIA either didn’t had that capability yet, or it was still in its early development stages, heavily relying on NSA’s support, or use other means to decouple EQGRP into smaller actors for the CIA, the NSA, and others. However, EQGRP as it’s known today, it’s almost certainly not the NSA alone.

Lastly, any time you talk about nation-state attribution don’t forget that it’s called the “intelligence community” for a reason. Agencies in an IC share capabilities. Some (like within the same country) would be sharing almost everything, others (like the FIVE EYES) are sharing a lot, and others (like the MAXIMATOR) share more specific capabilities and products. And also remember that (that’s an excerpt from my 2021 talk):

  1. Nation-state actors are just people doing a job with specific objectives and performance goals
  2. It’s hard (usually) to know the intention. This is why geopolitical monitoring matters
  3. Infrastructure of an APT doesn’t mean the same APT executed the operation or that they were interested in you
  4. APT groups do most of their collection in bulk/automated fashion yet almost all research focuses on tailored/targeted access
  5. Attribution is hard… Think critically before you publish

Written by xorl

July 6, 2022 at 18:50

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: