G0020 Equation
Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. [1]

| Item | Value |
|---|---|
| ID | G0020 |
| Associated Names | |
| Version | 1.2 |
| Created | 31 May 2017 |
| Last Modified | 29 June 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1480 | Execution Guardrails | |
| enterprise | T1480.001 | Environmental Keying | Equation has been observed utilizing environmental keying in payload delivery. [2][1] |
| enterprise | T1564 | Hide Artifacts | |
| enterprise | T1564.005 | Hidden File System | Equation has used an encrypted virtual file system stored in the Windows Registry. [1] |
| enterprise | T1120 | Peripheral Device Discovery | Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware. [1] |
| enterprise | T1542 | Pre-OS Boot | |
| enterprise | T1542.002 | Component Firmware | Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers. [1] |