Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. [1]

ID: G0020
Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1109 | Component Firmware | Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.[1]
Enterprise | T1480 | Execution Guardrails | Equation has been observed using environmental keying in payload delivery, so that a payload decrypts only on the intended target.[2][1]
Enterprise | T1120 | Peripheral Device Discovery | Equation has used tools that collect specific information about the attached hard drive, which could be used to identify the drive and overwrite its firmware.[1]
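The following is an added example, not code from Equation or from the cited reports, showing how the environmental keying behind the T1480 entry works and how it ties to the peripheral identification in the T1120 entry: the payload is sealed under a key derived from values collected on the target (a hostname and a disk serial number here), so it stays opaque on any other host, including an analyst's sandbox. The field names, the sample environment, the salt and the stdlib-only cipher construction are assumptions for the demo; the page does not say which values Equation keyed on or which cipher it used. The last function shows the practitioner's caveat: if the keying values are low-entropy and guessable, an analyst can recover the payload by enumerating candidate environments.

```python
"""Environmental keying demo (added example, not Equation's tooling)."""
import hashlib
import hmac
from typing import Optional

# Constructed sample environment of the intended target (not real data).
TARGET_ENV = {"hostname": "WS-FIN-0042", "disk_serial": "WD-WCC4N1234567"}
NONCE_LEN, TAG_LEN = 16, 32

def derive_key(env: dict, salt: bytes = b"demo-salt") -> bytes:
    """Derive a 32-byte key from the environment fields.

    Fields are sorted and joined into a canonical string so the same
    environment always yields the same key regardless of dict ordering.
    The salt is an assumed constant baked into the dropper.
    """
    material = "\x00".join(f"{k}={env[k]}" for k in sorted(env)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stream cipher for the demo.

    A real implementation would use an AEAD such as AES-GCM; the point here
    is only that decryption depends on the environment-derived key.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])

def seal(payload: bytes, env: dict, nonce: bytes) -> bytes:
    """Encrypt payload under the environment key; append an HMAC tag.

    Output layout: nonce || ciphertext || tag.
    """
    key = derive_key(env)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unseal(blob: bytes, env: dict) -> Optional[bytes]:
    """Return the plaintext only if env matches the sealing environment.

    On any other host the derived key differs, the tag check fails and
    nothing is decrypted: this is the execution guardrail.
    """
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    key = derive_key(env)
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def brute_force(blob: bytes, candidates: list) -> Optional[dict]:
    """Analyst's counter: try guessed environments until one unseals.

    Works only when the keying values are guessable (few hostnames, known
    serial ranges); high-entropy values make this infeasible.
    """
    for env in candidates:
        if unseal(blob, env) is not None:
            return env
    return None

if __name__ == "__main__":
    nonce = b"\x01" * NONCE_LEN  # fixed for reproducibility; use os.urandom in practice
    blob = seal(b"stage2", TARGET_ENV, nonce)
    print("on target:", unseal(blob, TARGET_ENV))
    other = {"hostname": "SANDBOX-01", "disk_serial": "QEMU-0000"}
    print("off target:", unseal(blob, other))
    print("recovered env:", brute_force(blob, [other, TARGET_ENV]))
```

For defenders the useful consequence is the inverse of the guardrail: a dropper that reads drive identity and hostname and then fails silently, or decrypts nothing, in a sandbox is itself a signal, and recovering the plaintext requires either the real target's values or a small enough candidate space to enumerate as `brute_force` does.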