Mapping the Equation malware

February 19, 2015

A Russian company has found the equation for another NSA headache.

On Monday, Moscow-based security software manufacturer Kaspersky Lab released a report (PDF) detailing its findings about a piece of malware called Equation, which reaches back to 2001. Kaspersky tied the malware to the Stuxnet program, the National Security Agency-led cyberweapon that was used to attack Iran’s uranium enrichment facility, but did not name the NSA directly. Many analysts, however, have linked it to the U.S. agency.

This Reuters graphic shows the breadth and depth of the infection. According to Reuters’ Joseph Menn:

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists.

The Equation code resides in the infected computer's firmware, an elemental part of a machine’s operation that allows hardware to talk to software. Hard drives from Western Digital, Seagate, Toshiba, IBM, Micron Technology and Samsung were infected, and because firmware is part of a hard drive’s core operation, it is impossible to eradicate the malware without destroying one’s hard drive.

Both the United States and the United Kingdom were found to have infected computers, but WIRED reported on Monday that infections of U.S. and UK computers were limited to Islamic activists and scholars. This will do little to mollify privacy advocates.
