Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. [1]

ID: G0020
Version: 1.2
Created: 31 May 2017
Last Modified: 29 June 2020

Techniques Used

Domain | ID | Name | Use

Enterprise | T1480.001 | Execution Guardrails: Environmental Keying

Equation has been observed utilizing environmental keying in payload delivery.[2][1]

Enterprise | T1564.005 | Hide Artifacts: Hidden File System

Equation has used an encrypted virtual file system stored in the Windows Registry.[1]

Enterprise | T1120 | Peripheral Device Discovery

Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.[1]

Enterprise | T1542.002 | Pre-OS Boot: Component Firmware

Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.[1]