The Ghost: Equation Group

← Home·Gallery·Techniques

Threat Intelligence Tarot

Major Arcana · 0

USA (NSA-linked)

G0020

★★★★★

risk 5/5

✦ The Ghost ✦

Equation Group

EQGRP · Tilded Team

IranRussiaChinaMiddle East telecomsNuclear facilities

Active since ~2001 · Intelligence collection, Cyber espionage, Capability pre-positioning

It was here before you named it. Its implants survive reformats, live in firmware, and wake on command from the void. The intelligence community does not confirm its existence. Neither does it deny.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1542.001

System Firmware

Persistence

T1014

Rootkit

Defense Evasion

T1078

Valid Accounts

Persistence

T1119

Automated Collection

Collection

T1068

Exploitation for Privilege Escalation

Privilege Escalation

Notable Operations

◆Stuxnet (joint with Unit 8200, 2010)
◆Flame malware (2012)
◆DoubleFantasy / GrayFish implants
◆HDD firmware persistence (2015)

Defenses

▸
Supply chain verification for hardware firmware
NIST CSF: ID.SC ↗
▸
Network segmentation for sensitive systems
CIS Control 12 ↗
▸
Threat intelligence program tracking nation-state TTPs
NIST CSF: DE.AE ↗
▸
Air-gapping critical infrastructure
ICS-CERT guidance ↗

Reversed: Their Weakness

When The Ghost stumbles, it leaves traces in registry keys and firewall logs - the telltale signatures that gave Kaspersky researchers their finest decade.

Share this adversary profile

← → arrow keys to browse

swipe to browse

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.