In hindsight it’s hard to believe just how surprised the security industry of 2010 was by Stuxnet, the wormlike cyberweapon used to sabotage the Iranian nuclear programme and later widely blamed on the US. In the following two years came news of related but more complex cyber-tools such as Duqu, Gauss and Flame, which hinted at a larger cyberwar platform with targets far beyond a single theocratic state.
These tools looked like the bits of the iceberg that security firms had noticed poking out above the waterline, a detection process slowed by their incredible rarity among the cacophony of commercial malware. Unravelling what was going on here was going to take years rather than weeks or months.
With the publication by industry ‘witchfinder general’ Kaspersky Lab of a report on the ‘Equation’ group, for the first time it is becoming possible to assemble these isolated discoveries of recent years into some kind of bigger more meaningful story.
If this is the US cyberweapons programme it appears to be, what is that story about?
Kaspersky Lab is understandably focussed on Equation’s clever use of strong encryption and its ability to reprogram hard drive firmware seemingly at will, a previously unknown if rarely-used capability that is serious because the implant runs beneath the operating system, where no contemporary security program can see it. It would also be impressively hard to get rid of: because it lives in the drive’s firmware rather than in the file system, it survives a drive reformat and OS reinstall with ease.
Beyond this, Kaspersky still knows remarkably little about Equation’s malware except that its seven named modules are part of a larger system that is probably related to Flame, Gauss and Stuxnet. That’s still significant: when those tools were discovered, Kaspersky Lab speculated that they were smaller elements of a larger family, which it has now, three years later, finally uncovered.
Equation, then, looks like nothing less than the core of the US cyberweapons programme, the full reveal of what writer David E. Sanger reported in 2012 was known internally as ‘Olympic Games’. Kaspersky Lab’s discovery of one component, ‘EquationLaser’, suggests that this got off the ground as far back as 2001, which would make it the oldest confirmed state cybertool yet documented, dating from an era when the dominant desktop OS versions were Windows 98 and Windows 2000.
What this underlines is that complex state-created cyberweapons are pretty hard to detect and tend to be discovered years after they were first used. This time lag is important. The world only started to believe that such sophisticated weapons existed as late as 2010, a decade after these programmes started operating. Before that, the few attacks that did make it into the press were misunderstood, ignored or discounted. Stuxnet ended that era of ignorance.
If detection is that far behind, one might reasonably speculate that today’s cyberweapons are more potent than anyone realises: invisible guns loaded by a range of big nations to spy and cause damage in ways we don’t yet comprehend.
Perhaps Kaspersky’s Equation is simply a reminder that even now, five years after Stuxnet’s unmasking, we still don’t know the half of it.