Secrets Right In The Open: What The Media Isn’t Explaining About The ‘Equation Group’ Global Spying Revelations

Another 'big bad wolf story' for the masses. The U.S. media has emphasized the 'NSA is spying' angle over just what's being spied on and in doing so they mislead the American public.

via Flickr – EFF Photos

On February 16th, Kaspersky Labs released a widely discussed report indicating that a group being called the ‘Equation Group’ was responsible for infecting 500+ computers and servers worldwide with spyware. It is largely believed that the spyware was developed by the National Security Agency (NSA). It has created an international kerfuffle, to say the least, with some considering it to be a wholesale violation of the Constitution and the end of privacy as we know it.

What isn’t really being discussed is what the dispersal of the spyware tells us about the Obama administration’s intelligence focus, nor have I seen any mention of just why it was Kaspersky Labs that released the report (PDF here) rather than any other antivirus lab or company.

First let’s get a look at the spyware’s dispersal.

[Image: map of the spyware’s dispersal, via Kaspersky Labs report, p. 20]

Now let’s look at the infection disbursal, globally, tier by tier.

High Rate Infections

Note that there are high infection countries and there are medium and low infection countries. Note which are high infection. Russia, China, nearly all of the Middle East, Mali in Africa, India: these are highly infected locations. Most of them are also the locations that U.S. intelligence has the most interest in. Given Russia’s generalized global surliness and their support of the civil war in Ukraine, this isn’t surprising. Nor is it surprising that global power China would be on the list. Iran and other Middle Eastern countries hostile to the United States (however you want to quantify that) are also represented. These are the locations that you would expect U.S. intelligence services to be focusing on. More concretely, if most of these areas were not focused on then the NSA wouldn’t be doing its job.

But what about India being included? This shouldn’t be a mystery given India’s turbulent relationship with Pakistan. The two nuclear-armed nations have had a contentious relationship, to say the least, since Pakistan declared independence from the British Empire in 1947. Any intelligence agency would want to keep track of developments in both countries. If there’s going to be war then the U.S. government would want to know. There’s likely a bit of industrial espionage taking place against India as well. Regardless, it’s not surprising. Just because you have treaties with people doesn’t mean you always trust them. That’s a mainstay of global espionage and every country feels the same way.

When civilians spy on one another it’s breaking the law but when nations spy on each other it’s usually just called being responsible.

Medium Rate Infections

Now let’s take a look at the second tier of the infected. It’s mostly Middle Eastern countries with a few African ones thrown in. Most notable is that the United Kingdom, broadly considered to be the number one ally of the United States, is on the list. Why would they have a medium spyware infection rate? Well, let’s get specific. The two sectors that were targeted are the British financial sector and their government sector, not their military sector. The NSA, it seems, isn’t trying to steal military secrets; they’re trying to make sure they have information on what the U.K. plans for their economy given the European Union’s continued economic woes and the fear among some that the EU is failing. In light of those factors, it makes sense that the U.K. would be a target even if such a statement might understandably make Britons angry.

Low Level Infections

The third tier is the broadest, the lowest risk, and includes the United States itself. Kaspersky has determined that two sectors are being targeted by the Equation Group in the U.S., Islamic scholars and “other/unknown.” While it’s impossible to know what “other/unknown” refers to, the Kaspersky report notes that the spyware is promiscuous and “other/unknown” is noted as a sector in every single targeted country. It could mean that this is simple spillover to unintended targets or it could be purposeful without a pattern.

It certainly makes sense that portions of the U.S. Muslim community, specifically some Islamic scholars, would be targeted for surveillance by the NSA. But since it’s unclear which scholars are being targeted or how many, I think it’s getting ahead of ourselves to assume wholesale, willy-nilly surveillance of U.S. Muslims. After all, reports indicating the NSA pretty much downloads the entire internet every day show they’re already casting a pretty broad net. These infections may be more targeted or they may not. Regardless, it’s clearly concerning given past surveillance disasters on the part of the FBI and NSA.

Friendly countries targeted under this tier include Germany, France, South Africa, and Belgium. Germany’s telecommunications sector is the primary target of the attacks there while France’s primary target is “other/unknown.” I’m largely ignorant of anything having to do with South Africa so I have to give a giant shrug where they are concerned.

Who Isn’t Targeted And Why Not?

Just as important as knowing who is targeted is knowing who isn’t. Whether by conscious decision or just because the NSA hasn’t gotten around to it yet, Canada isn’t targeted, and Israel and Saudi Arabia aren’t targeted. Spain and the entirety of Eastern Europe aren’t targeted. The Nordic countries aren’t targeted. Australia, bobbing alone out in the Pacific, is completely untouched.

For whatever reason, whether it’s because surveillance is being conducted by other means, the digital realm isn’t immediately penetrable as a result of existing countermeasures, or simply because the NSA doesn’t care what’s going on in these locations, they’ve been left alone.

Also possible is that these countries are receiving intelligence from the NSA based on this spyware infection. Certainly, that was the case with Europe and the PRISM program revealed by Edward Snowden. France and Germany had their own telecom collection systems like PRISM. It’s no coincidence that they and the U.S. came up with them around the same time period.

The lack of targeting in these areas does not mean that they are not being targeted by other means; it simply means that they aren’t being targeted with this particular tool. I find that some people take one data point and assume too much from it. That can be dangerous when trying to understand the larger picture.

Who Owns Kaspersky Labs?

Look at the name and you can probably guess. Kaspersky Labs (Лаборатория Касперского) is a Russian company headquartered in Moscow. The head of Kaspersky Labs is Eugene Kaspersky. He’s also in tight with the former KGB officials that now run Russia, including Vladimir Putin. In this way, Kaspersky Labs is a sometime arm of Russian intelligence, known as the FSB (Wired.com has you covered here if you’re skeptical). Here’s a documentary that explains how the entirety of Russia’s economy and government is based upon corporations currying favor with the Russian government. You can’t curry favor if you don’t share or, sometimes, do the government’s bidding.

http://www.youtube.com/watch?v=5bP3wGhdjmI

It is for this reason that Kaspersky Labs is the one to release this report. Going public about U.S. covert action hurts the ability of the NSA to gather intelligence and it embarrasses the U.S. government. What’s more, combined with past actions by the NSA, it aligns the U.S. public against their own government and angers our allies. It’s the equivalent of naming and shaming and it’s highly effective.

Which Isn’t To Say You Have Nothing To Worry About

Reports revealing covert action are sometimes concerning, but in this case it’s only concerning if U.S. citizens are being targeted by this operation. I fully expect the NSA to target just about every other country in the world in terms of spying. That’s the entire purpose of their existence, and thinking negatively about them doing so is simply naive. Countries that can spy, do spy, and they should, because information is power.

However, the Equation Group report has been largely reported on uncritically and often divorced from context. One look at a few articles reveals a sense of canned panic. Mashable wrote a fairly coherent piece on the phenomenon without even bothering to note where Kaspersky’s allegiances lie.

This New York Times piece mentions Kaspersky’s affiliation with the former KGB but only barely and doesn’t even get into his current affiliations and why they would be the ones to release the report. In doing so, they left their readers without a context and with an information gap that’s frankly unforgivable for an institution wholly dedicated to reporting news.

These relationships need to be explained by publications in order for readers, the public, to understand what these things mean and to discern whether they should be anxious or not. In this case, the American media has seemed more interested in scoring points against the NSA than in making sure Americans know what’s happening and why.

All this isn’t to say that the NSA is to be trusted. Democracies should never trust their governments completely. But neither should anyone trust any entity like Kaspersky Labs simply because they appear to be revealing truth in an allegedly benign way. In this case, the purpose for the revelation is just as important as the revelation itself.