An investigation into an apparent cryptocurrency miner revealed a highly sophisticated, yearslong spying framework with similarities to malware associated with the National Security Agency, researchers with Kaspersky said Thursday.
The report from Russia’s leading cybersecurity firm provides rare technical details about a hacking operation that builds on code historically associated with U.S. operations. While Western cybersecurity firms regularly publish reports on hacking operations backed by states such as Russia, Iran and China, detailed technical examinations of Western cyber operations are far more difficult to come by.
Thursday’s report describes a framework dubbed StripedFly, which is capable of taking screenshots, retrieving system version information, stealing website login usernames, passwords and other autofill data, accessing Wi-Fi network information (including passwords), recording microphone audio and identifying and exfiltrating sensitive files. StripedFly relies on a custom EternalBlue exploit — a piece of NSA malware that leaked online in 2016 — to infect victims.
The use of EternalBlue — which has been abused by other, non-American hacking groups in the past — raises questions about whether the malware in fact stems from a U.S. hacking operation. But the sophisticated nature of other components of the malware discovered by Kaspersky points toward a sophisticated actor.
The framework also included a functional Monero cryptocurrency mining module, a custom ransomware variant called ThunderCrypt and a custom Tor client, which the framework used to securely communicate with a hidden command and control server. Data associated with the framework’s update mechanism suggest that the framework has infected more than 1 million targets, according to the research.
On its face, the malware might be dismissed as a run-of-the-mill cryptocurrency miner. But the addition of espionage and secure communications capabilities “seems to defy the norm,” Kaspersky’s researchers note. Though it’s an open question who is behind the operation, it’s “difficult to accept the notion that such sophisticated and professionally designed malware would serve such a trivial purpose, given all the evidence to the contrary.”
Tor, or “The Onion Router,” obfuscates web traffic and provides users a measure of anonymity. It’s widely used for legitimate privacy-preserving reasons, as well as illicit criminal purposes. The fact that the framework developers created a custom Tor client — “a unique and time-consuming project” that “underscores the sophistication of this malware” — is remarkable, the researchers said.
The researchers write that the framework’s “functional complexity and elegance remind us of the elegant code” implemented by the hacking crew known as Equation Group, an operation Kaspersky revealed in 2015 that’s been linked to the NSA.
Nonetheless, a Kaspersky spokesperson told CyberScoop that “it is not possible to make an attribution to the Equation group based on acquired technical findings” and that the developers of malware sometimes include “false flags in order to point investigators in the wrong direction.”
In August 2016, a group calling itself the “Shadow Brokers” began posting what it said was stolen NSA malware, including the EternalBlue exploit used in customized form in StripedFly. Since being leaked, EternalBlue has been abused as part of a variety of consequential criminal and state-aligned hacking operations.
The research released Thursday revealed that the earliest version of StripedFly was created prior to April 2016, at least four months before the Shadow Brokers leaks began, and a full year before the Shadow Brokers posted the leak containing the EternalBlue exploit. But Chinese hackers had also been using the EternalBlue exploit prior to the Shadow Brokers leak, cybersecurity journalist Kim Zetter reported Thursday, along with at least one other NSA tool called DoublePulsar.
The coding style and practices also resemble those seen in SBZ malware, the researchers said, referring to another piece of cyberespionage malware that has been linked to the Equation Group.
“Taken together, these various data points suggest the similarities to Equation malware, although there is no direct evidence that they are related,” the researchers wrote.
The NSA declined to comment.
Updated, Oct. 26, 2023: This story has been updated to note that the NSA declined to comment.