[cryptography] Equation Group Multiple Malware Program, NSA Implicated

ianG iang at iang.org
Mon Feb 16 16:26:40 EST 2015

On 16/02/2015 20:39 pm, John Young wrote:
> Kaspersky Q and A for Equation Group multiple malware program, in use early
> as 1996. NSA implicated.
> https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

Once we take the brave step of downloading the pdf, it adds yet another 
indication [0] that the NSA is engaged in undeclared war against all and 
any cryptographic suppliers:

============================page 21
Victims generally fall into the following categories:
  * (usual industrial suspects...)
  * Companies developing cryptographic technologies.

============================page 27
16. What kind of encryption algorithms are used by the EQUATION group?

The Equation group uses the RC5 and RC6 encryption algorithms quite 
extensively throughout their creations. They also use simple XOR, 
substitution tables, RC4 and AES.

RC5 and RC6 are two encryption algorithms designed by Ronald Rivest in 
1994 and 1998. They are very similar to each other, with RC6 introducing 
an additional multiplication in the cypher to make it more resistant. 
Both cyphers use the same key setup mechanism and the same magical 
constants named P and Q.

The RC5/6 implementation from Equation group’s malware is particularly 
interesting and deserves special attention because of its specifics.

(followed by discussion of an optimisation found that also allowed some 
degree of tracking to other APT groups.)



[0] http://financialcryptography.com/mt/archives/001455.html
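An added illustration of the point the Q&A makes (example code, not from ianG's post or the Kaspersky report): RC5 and RC6 share one key expansion seeded with the constants P and Q, differing only in the table size. The Python below implements that shared schedule, reference RC5 encryption checked against Rivest's published RC5-32/12/16 test vector, and a simple scan for the little-endian P/Q words of the kind an analyst uses to triage a sample for RC5/RC6-style key setup; the scanned buffer is constructed.

```python
import struct

W = 32                         # word size in bits (RC5-32 / RC6-32)
MASK = (1 << W) - 1
P32 = 0xB7E15163               # Odd((e - 2) * 2^32): shared by RC5 and RC6
Q32 = 0x9E3779B9               # Odd((phi - 1) * 2^32): shared by RC5 and RC6


def rotl(x, n):
    n &= W - 1                 # rotation uses only the low log2(W) bits
    return ((x << n) | (x >> (W - n))) & MASK


def key_schedule(key, rounds, variant="rc5"):
    """Expand `key` into round-key table S. RC5 needs 2(r+1) words, RC6 2r+4;
    the P/Q seeding and the three-pass mixing loop are identical for both."""
    t = 2 * (rounds + 1) if variant == "rc5" else 2 * rounds + 4
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    S = [(P32 + i * Q32) & MASK for i in range(t)]   # S[0]=P, S[i]=S[i-1]+Q
    i = j = A = B = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_block(S, rounds, block):
    """Reference RC5-32/r encryption of one 8-byte block (little-endian words)."""
    A, B = struct.unpack("<2I", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for r in range(1, rounds + 1):
        A = (rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<2I", A, B)


def find_rc_constants(buf):
    """Offsets where the RC5/RC6 magic constants occur as little-endian dwords.
    A hit is only a triage hint that RC5/RC6-style key setup may be present;
    the same constants appear in plenty of legitimate software."""
    hits = {}
    for name, val in (("P", P32), ("Q", Q32)):
        pat = struct.pack("<I", val)
        hits[name] = [o for o in range(len(buf) - 3) if buf[o:o + 4] == pat]
    return hits


if __name__ == "__main__":
    S = key_schedule(bytes(16), 12)                     # RC5-32/12/16, all-zero key
    print(rc5_encrypt_block(S, 12, bytes(8)).hex())     # 21a5dbee154b8f6d (Rivest test 1)
    sample = b"\0" * 5 + struct.pack("<I", P32) + b"junk" + struct.pack("<I", Q32)  # constructed
    print(find_rc_constants(sample))
```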
