G0020: Equation
Analyst context for executives and security teams
Equation matters because the ATT&CK record describes a sophisticated group associated with multiple remote access tools, zero-day exploits, and hard disk drive firmware overwrite capability. For leaders, the practical issue is not a single alert or malware family; it is whether the organization can investigate activity that may sit below normal operating-system visibility and may be constrained to execute only in specific target environments.
Executive priority
Treat this as a high-end intrusion-readiness benchmark. It highlights the need to validate incident response plans, forensic retainers, endpoint visibility, firmware governance, and vulnerability prioritization for scenarios where conventional endpoint logs may be incomplete. Executives should ask whether the organization can produce evidence of device inventory, peripheral/storage visibility, firmware integrity processes, and escalation paths when suspected activity involves persistence or stealth outside normal file and process monitoring.
Technical view
ATT&CK does not provide a detection field for Equation, so SOC and IR teams should use the relationship context to validate coverage around the techniques linked to this group: Peripheral Device Discovery, Environmental Keying, Component Firmware, and Hidden File System. The related techniques apply across Windows, Linux, and macOS, while the group object itself does not specify platforms. Detection engineering should focus on whether endpoint, disk, firmware, and device telemetry can support investigations into unusual peripheral enumeration, execution that depends on environment-specific conditions, suspected component firmware modification, and hidden storage structures.
Likely telemetry
- Endpoint process, command, and script telemetry relevant to discovery activity
- Operating system logs showing device, storage, or peripheral enumeration where available
- Asset and hardware inventory, including disks, peripherals, and component metadata
- Firmware version, update, and integrity evidence for storage and other components where available
- Disk, volume, partition, and file-system metadata useful for identifying hidden or abnormal storage structures
Detection direction
- Because official detection guidance is not provided, start with ATT&CK technique-driven hypotheses rather than group-specific signatures.
- Validate that discovery analytics can distinguish legitimate administrative or inventory activity from unusual peripheral or storage enumeration.
- Assess whether endpoint tools can see enough disk, volume, and firmware-related evidence to support investigations into Hidden File System and Component Firmware behaviors; document blind spots where visibility stops at the operating system.
- Tune detections with local baselines, since hardware inventory, device enumeration, and storage-management activity may be normal for IT operations and security tooling.
- For Environmental Keying, prioritize forensic and sandbox-analysis procedures that account for malware or payload behavior that may not execute outside a specific target environment.
Mitigation priorities
- Maintain accurate asset, peripheral, storage, and firmware inventory so responders know what should exist before investigating anomalies.
- Prioritize disciplined patch and vulnerability management, including emergency processes for high-risk exploit exposure, while recognizing that the ATT&CK record mentions zero-day use without specifying current exploitation.
- Establish firmware update, integrity, and supply-chain governance for components where feasible, especially storage devices and other hardware that may fall outside routine endpoint control coverage.
- Ensure IR playbooks include escalation for suspected firmware or hidden file-system activity, including forensic imaging and specialist analysis rather than relying only on live OS artifacts.
- Harden endpoint monitoring and administrative controls across the Windows, Linux, and macOS environments where the related techniques are relevant.
Analyst notes and limits
The decision value of this object is in readiness for stealthy, high-capability tradecraft rather than in a specific detection rule. The strongest supplied relationship is to techniques involving discovery, execution guardrails, firmware persistence, and hidden storage. Glexia would use this as a validation scenario for managed detection, incident response readiness, firmware governance, and executive risk discussions about visibility below the operating system.
The supplied ATT&CK group object has no official detection text, no specified group platforms or tactics, and limited descriptive detail. The related techniques include platform and tactic context, but local telemetry, asset data, and forensic evidence are required before making any environment-specific exposure, detection, or attribution assessment.
Equation
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1564.005 | Hidden File System Sub-technique | Equation has used an encrypted virtual file system stored in the Windows Registry.CitationKaspersky Equation QA |
| Enterprise | T1120 | Peripheral Device Discovery | Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.CitationKaspersky Equation QA |
| Enterprise | T1480.001 | Environmental Keying Sub-technique | Equation has been observed utilizing environmental keying in payload delivery.CitationKaspersky Gauss WhitepaperCitationKaspersky Equation QA |
| Enterprise | T1542.002 | Component Firmware Sub-technique | Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.CitationKaspersky Equation QA |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | 4c3f86a00465… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Kaspersky Equation QA
Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.
Open source URL -
[2]
Equation
(Citation: Kaspersky Equation QA)
-
[3]
mitre-attack G0020Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.