Menu
Browse

Cyber Threat Actor: The Equation Group

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Nation State
United States of America
1 incident
Profile

The Equation Group, also known as Longhorn or Lamberts, is a threat actor publicly linked to cyber espionage operations. Public reporting attributes its activities to the United States, with technical evidence and leaked documents associating it with the National Security Agency (NSA). Security researchers identified this group through forensic analysis of the Regin malware platform, which exhibits advanced modular capabilities designed for long-term intelligence gathering. Regin targets sectors including telecommunications, energy, airlines, hospitality, and academic research, with documented infections in Germany and Belgium. Its strategic objective centers on cyber espionage, evidenced by operations against government entities like the German Federal Chancellery and infrastructure operators such as Belgian telecom provider Belgacom.

The group employs highly specialized tooling, including the Regin malware framework described as one of the most sophisticated ever discovered. Regin shares technical overlaps with NSA-associated projects like the QWERTY keylogger and the broader WARRIORPRIDE framework referenced in documents leaked by Edward Snowden. The Equation Group demonstrated capabilities to compromise firmware using zero-day exploits later repurposed in the Stuxnet worm, enabling persistent access to targeted systems. Additional techniques include leveraging web redirects to infect iPhone users. Publicly reported operations include the deployment of Regin against a senior German Chancellery official in 2015, mirroring earlier NSA surveillance of Chancellor Angela Merkel’s communications. The group’s infrastructure and tools have been operationally active since at least 2008, with Kaspersky Lab attributing over 100 infections to Regin. State affiliation is explicitly cited through technical linkages to NSA tools and Snowden disclosures.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source