Equation Group

Threat Actor updated 23 days ago (2024-11-29T14:07:16.449Z)
The Equation Group is a threat actor, widely believed to be tied to the United States (and, by several vendors, to the NSA), that has been involved in numerous cyber espionage operations. The group's most widely known vulnerability is CVE-2017-0144, a remote code execution flaw in Microsoft's SMBv1 implementation targeted by its EternalBlue exploit; the exploit became public when a group known as the Shadow Brokers leaked it in 2017.

A second vulnerability tied to the group is CVE-2017-0005, a Windows kernel (win32k) local privilege-escalation bug. The Equation Group had an exploit for it, named EpMe, as early as 2013, years before the bug was publicly identified and assigned CVE-2017-0005 in 2017. Another local privilege-escalation exploit from the same DanderSpritz post-exploitation framework, EpMo, had not previously been publicly discussed. In 2021, Check Point Research reported that the China-linked espionage group APT31 (also known as Zirconium, Judgment Panda and Red Keres) had used a tool called Jian, a clone of the Equation Group's EpMe, and had done so years before EpMe was leaked online by the Shadow Brokers. Because in-the-wild exploitation of CVE-2017-0005 was first seen in APT31's hands, the exploit was initially attributed to APT31 rather than to the Equation Group, its original developer.

Equation Group tools have also turned up on systems hit by other campaigns, including the WannaRen ransomware variant. Although the link between the new WannaRen variant and the Shadow Brokers toolkit (the leaked Equation Group tools) has not been fully verified, many of the systems affected by WannaRen contained those tools. The leak also showed that a single individual can use publicly available material to cause damage on the scale of a nation-state attack: one custom tool, for instance, combined four leaked Equation Group components (EternalBlue, EternalRomance, DoublePulsar and SMBTouch) into a single executable.
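The description above names DoublePulsar, the SMB kernel backdoor that the leaked toolkit installs after EternalBlue. The check a defender most often wants for it is the publicly documented "ping" detection (the same signature Nmap's smb-double-pulsar-backdoor script and Metasploit's scanner rely on): the implant hooks the SMB1 Trans2 SESSION_SETUP subcommand, and where an unmodified server echoes the probe's Multiplex ID 0x41 back, an implanted host answers with 0x51. The following is an added example, not code from the original page or from any vendor or project cited on it. It parses only the SMB1 header of a reply and classifies it; the host addresses and packets are constructed test data, not real captures, and the flags values used to build them are merely typical.

```python
import struct

# Constants from the SMB1 wire format and the documented DoublePulsar "ping" behaviour.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
MID_CLEAN = 0x41          # Multiplex ID sent in the probe; an unmodified server echoes it
MID_DOUBLEPULSAR = 0x51   # Multiplex ID a DoublePulsar-implanted host answers with
STATUS_NOT_IMPLEMENTED = 0xC0000002  # usual reply to the unimplemented SESSION_SETUP subcommand


def strip_netbios(pkt: bytes) -> bytes:
    """Drop the 4-byte NetBIOS Session Service header (type 0x00 + 24-bit length) if present."""
    if len(pkt) >= 4 and pkt[0] == 0x00:
        length = int.from_bytes(pkt[1:4], "big")
        if length == len(pkt) - 4:
            return pkt[4:]
    return pkt


def parse_smb1_header(pkt: bytes):
    """Parse the fixed 32-byte SMB1 header; return a dict, or None if this is not SMB1."""
    data = strip_netbios(pkt)
    if len(data) < 32 or data[:4] != SMB_MAGIC:
        return None
    fields = struct.unpack("<BIBHH8sHHHHH", data[4:32])
    names = ("command", "status", "flags", "flags2", "pid_high", "signature",
             "reserved", "tid", "pid_low", "uid", "mid")
    return dict(zip(names, fields))


def classify_trans2_response(pkt: bytes) -> str:
    """Classify a reply to the Trans2 SESSION_SETUP probe.

    Only the SMB1 header is inspected: the implant is identified purely by the
    Multiplex ID it returns, which is why the check needs no authentication.
    """
    hdr = parse_smb1_header(pkt)
    if hdr is None:
        return "not-smb1"
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "not-trans2-response"
    if hdr["mid"] == MID_DOUBLEPULSAR:
        return "doublepulsar-implant"
    if hdr["mid"] == MID_CLEAN:
        return "no-implant"
    return "unexpected-mid"


def build_trans2_response(mid: int, status: int = STATUS_NOT_IMPLEMENTED) -> bytes:
    """Constructed test data: a minimal SMB1 Trans2 response carrying the given Multiplex ID.

    Not a real capture; it holds only the header plus empty WordCount/ByteCount fields,
    which is all classify_trans2_response() looks at.
    """
    header = SMB_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_TRANSACTION2, status,
        0x98,         # flags: reply | canonical paths | case-insensitive
        0xC801,       # flags2: unicode | NT status | extended security | long names
        0,            # PIDHigh
        b"\x00" * 8,  # SecuritySignature (unused here)
        0,            # reserved
        0,            # TID
        0xFEFF,       # PIDLow (arbitrary)
        0,            # UID
        mid,
    )
    body = header + b"\x00" + b"\x00\x00"  # WordCount = 0, ByteCount = 0
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed sample replies keyed by (hypothetical) host, standing in for scanner output.
SAMPLE_REPLIES = {
    "10.0.0.5": build_trans2_response(MID_CLEAN),
    "10.0.0.9": build_trans2_response(MID_DOUBLEPULSAR),
    "10.0.0.12": b"\x00\x00\x00\x05HTTP/",  # something that is not SMB at all
}


def scan(replies: dict) -> dict:
    """Return {host: verdict} for a batch of probe replies."""
    return {host: classify_trans2_response(pkt) for host, pkt in replies.items()}


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_REPLIES).items():
        print(f"{host:<12} {verdict}")
```

To use this against real traffic, feed the raw TCP payload of each reply (with or without the NetBIOS session header) to classify_trans2_response(); a host that reports doublepulsar-implant should be isolated and imaged rather than just patched, since MS17-010 closes the entry vector but does not remove a running implant.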
Description last updated: 2024-09-12T00:16:10.522Z
Possible Aliases / Cluster overlaps
Vendors name overlapping clusters differently, so the names / profiles below are possible overlaps worth checking against the source evidence.
Alias / Description / Votes
Shadow Brokers is listed as a possible alias for Equation Group, though the Shadow Brokers are better understood as the group that leaked the Equation Group's tools than as the same actor. The Shadow Brokers, a threat actor group, has been involved in several high-profile cybersecurity incidents. They first came into the limelight in August 2016 when they leaked tools believed to be from the Equation Group, an Advanced Persistent Threat (APT) group associated with the U.S. National Se
Votes: 4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Vulnerability
Apt
Windows
Exploits
Associated Threat Actors
Alias / Description / Association Type / Votes
The APT31 Threat Actor is associated with Equation Group. APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by
Association type: Unspecified. Votes: 2
The Jian entry is associated with Equation Group. Jian is the name of a tool rather than of a threat actor: it is APT31's clone of the NSA Equation Group's "EpMe" exploit, which APT31 reportedly used years before EpMe was leaked online by Shadow Brokers hacke
Association type: Unspecified. Votes: 2
The ZIRCONIUM Threat Actor is associated with Equation Group. Zirconium, also known as APT31, Judgment Panda, and Red Keres, is a threat actor linked to numerous cyber espionage operations. The group came into the spotlight in 2021 when the Check Point Research team discovered that it had used a tool called "Jian," a clone of the NSA Equation Group's hacking t
Association type: Unspecified. Votes: 2
Associated Vulnerabilities
Alias / Description / Association Type / Votes
The EternalBlue Vulnerability is associated with Equation Group. EternalBlue is the Equation Group's exploit for CVE-2017-0144, a flaw in Microsoft's Server Message Block version 1 (SMBv1) implementation that allows remote execution of arbitrary code on affected systems. It became publicly known after a gro
Association type: Unspecified. Votes: 3
The EpMe Vulnerability is associated with Equation Group. EpMe is an exploit for CVE-2017-0005, a Windows local privilege-escalation vulnerability; it was first discovered within the Equation Group's exploit arsenal, with its existence traced back to at least 2013. The Equation Group, believed to be linked to the NSA, developed this exploit as part of their cyber toolset which also included Dan
Association type: Unspecified. Votes: 2