Equation Group
What is Equation Group?
A sophisticated cyber-espionage actor publicly documented by Kaspersky in 2015 and widely attributed to the US NSA, known for firmware implants and Stuxnet-related tooling.
Equation Group is the name Kaspersky Lab gave in February 2015 to a long-running, highly capable threat actor whose tradecraft and tooling overlap heavily with the US National Security Agency. The group is credited with implants such as EquationDrug, GrayFish, Fanny, and DoubleFantasy, plus the ability to reprogram hard-disk firmware on Seagate, Western Digital, Toshiba, and other drives, granting persistence that survives operating-system reinstallation. Its toolset overlaps with Stuxnet (2010) components and with exploits such as Fanny.bmp, which spread through LNK and USB vectors. Many Equation tools later appeared in the Shadow Brokers leaks of 2016-2017, including EternalBlue (CVE-2017-0144), confirming the group's operational reach and its influence on modern offensive tooling.
● Examples
- 01: Hard-disk firmware implants documented by Kaspersky GReAT in February 2015.
- 02: Equation tools appearing in The Shadow Brokers leak of 2016-2017, including EternalBlue.
● Frequently asked questions
What is Equation Group?
A sophisticated cyber-espionage actor publicly documented by Kaspersky in 2015 and widely attributed to the US NSA, known for firmware implants and Stuxnet-related tooling. It belongs to the Malware category of cybersecurity.
What does Equation Group mean?
A sophisticated cyber-espionage actor publicly documented by Kaspersky in 2015 and widely attributed to the US NSA, known for firmware implants and Stuxnet-related tooling.
How does Equation Group work?
Equation Group is the name Kaspersky Lab gave in February 2015 to a long-running, highly capable threat actor whose tradecraft and tooling overlap heavily with the US National Security Agency. The group is credited with implants such as EquationDrug, GrayFish, Fanny, and DoubleFantasy, plus the ability to reprogram hard-disk firmware on Seagate, Western Digital, Toshiba, and other drives, granting persistence that survives operating-system reinstallation. Its toolset overlaps with Stuxnet (2010) components and with exploits such as Fanny.bmp, which spread through LNK and USB vectors. Many Equation tools later appeared in the Shadow Brokers leaks of 2016-2017, including EternalBlue (CVE-2017-0144), confirming the group's operational reach and its influence on modern offensive tooling.
How do you defend against Equation Group?
Defences against Equation Group combine technical controls and operational practices. The definition above does not list them in detail; it notes only that the group's firmware implants survive operating-system reinstallation, that Fanny.bmp spread through LNK and USB vectors, and that EternalBlue (CVE-2017-0144) targets SMBv1, which indicates where controls and monitoring matter most.
What are other names for Equation Group?
Common alternative names include: EQGRP, EquationGroup, Tilded team (related).
● Related terms
- Stuxnet (OT/IoT): A highly sophisticated 2010 worm that sabotaged Iran's uranium-enrichment centrifuges by reprogramming Siemens PLCs, widely attributed to the United States and Israel.
- Shadow Brokers Leak (Malware): A 2016-2017 series of leaks by a group calling itself 'The Shadow Brokers' that publicly dumped NSA-linked offensive cyber tools, including EternalBlue.
- EternalBlue (CVE-2017-0144) (Vulnerabilities): An NSA-developed exploit for a 2017 Microsoft SMBv1 remote code execution vulnerability, leaked by the Shadow Brokers and used by WannaCry and NotPetya.
- Advanced Persistent Threat (APT) (Attacks): A stealthy, well-resourced threat actor — typically state-sponsored — that gains long-term, undetected access to a target network to steal data or pre-position for disruption.