Group description: Equation
Equation, Group G0020 | MITRE ATT&CK®

Equation

Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. [1]

ID: G0020
Version: 1.2
Created: 31 May 2017
Last Modified: 25 April 2025

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1480.001 | Execution Guardrails: Environmental Keying | Equation has been observed utilizing environmental keying in payload delivery. [2] [1] |
| Enterprise | T1564.005 | Hide Artifacts: Hidden File System | Equation has used an encrypted virtual file system stored in the Windows Registry. [1] |
| Enterprise | T1120 | Peripheral Device Discovery | Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware. [1] |
| Enterprise | T1542.002 | Pre-OS Boot: Component Firmware | Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers. [1] |

References

[1] Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.
[2] Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution. Retrieved January 17, 2019.