A cyber espionage platform dubbed EquationDrug, linked to the allegedly NSA-sponsored Equation group, has been discovered by researchers at Kaspersky Lab.
Kaspersky's Global Research and Analysis Team (GReAT) reported that the platform has been used in targeted attacks since at least 2003 and features an atypical, modular composition.
"EquationDrug, which is still in use, dates back to 2003, although the more modern GrayFish platform is being pushed to new victims," said the research paper.
"It's important to note that EquationDrug is not just a trojan, but a full espionage platform which includes a framework for conducting cyber espionage activities by deploying specific modules on the machines of selected victims.
"The EquationDrug platform can be extended through plug-ins (or modules). It is pre-built with a default set of plug-ins supporting a number of basic cyber espionage functions."
The researchers said that the core platform is complex and shares characteristics with fully developed operating systems.
"The architecture of the whole framework resembles a mini-operating system," explained the researchers.
"The platform includes a set of drivers, a platform core (orchestrator) and a number of plug-ins. Every plug-in has a unique ID and version number that defines a set of functions it can provide.
"Similar to popular OS kernel designs, such as on Unix-based systems, some of the essential modules are statically linked to the platform core, while others are loaded on demand."
EquationDrug's attack functions are reportedly added using a series of plug-ins. Kaspersky has found at least 30 attack options embedded in the platform, but suggested that there are likely to be significantly more.
"The plug-ins we discovered probably represent just a fraction of the attackers' potential. Each plug-in is assigned a unique plug-in ID number (WORD), such as 0x8000, 0x8002, 0x8004, 0x8006, etc. All plug-in IDs are even numbers and they all start from byte 0x80," explained the researchers.
"Considering the fact that the developers assigned plug-in IDs incrementally, and assuming that other plug-in IDs were assigned to modules that we have not yet discovered, it's not hard to calculate that 86 modules have yet to be discovered."
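The "not hard to calculate" step above follows from the three stated properties of the ID space: every plug-in ID is a 16-bit WORD, every ID is even, and every ID has high byte 0x80, assigned incrementally from 0x8000. The script below is an added example, not code from the article or from Kaspersky's report: given a set of observed plug-in IDs it enumerates the IDs that an incremental allocator would have handed out but that have not been seen, and it also runs the calculation in reverse to show which highest ID the article's figures (30 discovered, 86 undiscovered) imply. The highest ID Kaspersky actually observed is not given on this page, so the sample list of observed IDs is constructed: the four IDs quoted in the article plus one hypothetical gap-creating ID, 0x8010.

```python
# Added example: inferring unobserved plug-in IDs from an incremental, even-only
# allocator in the 0x80xx range. Assumptions are those stated in the article:
# IDs are 16-bit WORDs, even, high byte 0x80, assigned incrementally from 0x8000.

PLUGIN_ID_BASE = 0x8000   # first ID the article says the allocator starts from
PLUGIN_ID_STEP = 2        # "All plug-in IDs are even numbers"


def validate_plugin_id(plugin_id: int) -> int:
    """Reject anything that cannot be an EquationDrug plug-in ID under the article's rules."""
    if not 0 <= plugin_id <= 0xFFFF:
        raise ValueError(f"{plugin_id:#x} is not a 16-bit WORD")
    if (plugin_id >> 8) != 0x80:
        raise ValueError(f"{plugin_id:#x} does not start from byte 0x80")
    if plugin_id % 2:
        raise ValueError(f"{plugin_id:#x} is odd; plug-in IDs are even")
    return plugin_id


def undiscovered_ids(discovered) -> list:
    """Even IDs between 0x8000 and the highest observed ID that were never seen.

    This is the forward form of the article's reasoning: an incremental allocator
    leaves no holes, so every hole below the highest observed ID is a module that
    exists but has not been recovered.
    """
    known = {validate_plugin_id(p) for p in discovered}
    highest = max(known)
    return [pid for pid in range(PLUGIN_ID_BASE, highest + 1, PLUGIN_ID_STEP)
            if pid not in known]


def implied_highest_id(n_discovered: int, n_undiscovered: int) -> int:
    """Inverse calculation: total modules implied by the counts => highest allocated ID."""
    total = n_discovered + n_undiscovered
    return PLUGIN_ID_BASE + PLUGIN_ID_STEP * (total - 1)


# Constructed sample (not Kaspersky's data): the four IDs quoted in the article
# plus a hypothetical 0x8010 so that the enumeration has holes to report.
SAMPLE_DISCOVERED = [0x8000, 0x8002, 0x8004, 0x8006, 0x8010]

if __name__ == "__main__":
    gaps = undiscovered_ids(SAMPLE_DISCOVERED)
    print("unobserved IDs in sample:", [f"{g:#06x}" for g in gaps])
    # The article's own counts: 30 discovered + 86 undiscovered = 116 modules,
    # which under these rules puts the highest allocated ID at 0x80E6.
    print("highest ID implied by 30 + 86:", f"{implied_highest_id(30, 86):#06x}")
```

The forward function only counts holes below the highest ID already seen, so it is a lower bound: modules numbered above the highest recovered sample are invisible to this method, which is why the article calls the discovered plug-ins "just a fraction of the attackers' potential".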
The news is troubling as EquationDrug already has an impressive arsenal of attack methods.
These include tools for stealing or re-routing network traffic, reverse DNS resolution (DNS PTR records), taking control of computer management functions and starting or stopping processes, loading drivers and libraries, and managing files and directories.
The tools can reportedly gather a wealth of information on victim systems, including OS version, computer name, registered user names, location, time zone, keyboard layout, process list, cached passwords, web browser activity and history, and data on attached removable storage drives.
Equation uses several next-generation attack tools to infect victims, which include governments, military bodies, Islamic activists and scholars, as well as telecoms, aerospace, energy, nuclear research, oil and gas, nanotechnology, transport, finance, media and encryption firms.
Rumblings emerged linking Equation to the NSA when researchers spotted a link between the campaign's 'Fanny' attack tool and the notorious Stuxnet and Flame attacks.
Kaspersky discovered Fanny in 2008 when its systems caught the malware using two zero-day exploits. These were later uncovered during the discovery of Stuxnet and Flame, which are also believed to be linked to the NSA.
The Kaspersky researchers shied away from directly linking EquationDrug to the NSA, but did report that it has the hallmarks of a state-sponsored campaign.
F-Secure security advisor Sean Sullivan agreed with Kaspersky's findings, but added that the targeted nature of the campaign means it will not affect most businesses.
"Yes, this is nation state tech. [But] it was highly targeted. If there is a threat it will have evolved beyond Equation. However, all evidence indicates that Equation was used in a very targeted fashion against terrorist targets, not general businesses," he said.
Equation is one of many campaigns believed to have links to US defence agencies. Reports earlier in March suggested that the CIA sponsors attack tools designed to crack Apple products.