Securelist (in conjunction with Kaspersky) published a list of domains and IPs to do with this malware, but with very little information about where they were hosted. After all, if they are hosted in a shed next to the bus station in Tiraspol or some underground complex buried under Wutong Mountain, then it's a rather different proposition from some secretive organisation in Washington DC.
Securelist posted a number of hardcoded IPs as well as some domain names. Kaspersky have sinkholed some of the domains, and I can see one other active sinkhole. At least one of the domains is parked. Some of the domains look like they are not in use.
The data I collected can be found here, but before you use any of it, I will explain in more detail so you can use it prudently.
There are several web hosts and networks involved, all over the world. Some seem to have a higher certainty of involvement than others. In most cases, the Equation Group have rented a bunch of servers with contiguous IP addresses (I call this the "Equation Range") which is the one that I recommend you monitor. Some web hosts have other suspect IP addresses in the same neighbourhood, but in order to keep things simple I am not going into that.
(Updated 18/2/15 to remove an OpenDNS sinkhole and add 220.127.116.11)
FLAG Telecom / Reliance Globalcom
18.104.22.168/28
Allegedly a partner of the NSA and GCHQ, these IP addresses appear to be in the UK, US and Egypt (I would doubt the accuracy of the WHOIS data for the last one). In addition to apparently hardcoded IPs, they also host:
Another company with a long history with the NSA, these Verizon IPs are all located outside the United States, specifically the Netherlands, Singapore, Japan and Italy. In addition to hardcoded IPs, they are hosting:
Global Telecom & Technology Americas Inc. / Cogent / PSInet
22.214.171.124/26
This Cogent customer has at least four different IPs hosting Equation Group servers. The following domains are hosted:
Colombia: Alfan Empaques Flexibles S.A. / Columbus Networks / IFX Networks / Terremark
126.96.36.199/28
The relationship between the US and Colombia is difficult, with the former spying on the latter extensively. Why there should be a cluster of servers in Colombia connected with this is a mystery. In addition to hardcoded IPs, the following domains are hosted in Colombia:
Czech Republic: Master Internet / IT-PRO / 4D Praha
188.8.131.52/28
A group of three internet companies (possibly using the same infrastructure) also appear to be involved. All these IPs appear to be in the city of Brno, which is also home to the Czech National Cyber Security Center. Coincidence? The following domains can be found on Czech IPs in addition to hardcoded addresses:
Spain: Terremark / GTT Global Telecom
184.108.40.206/27
Terremark also provide hosting services for Equation in Colombia, and of course Spain is a long-time ally of the United States and United Kingdom. Web sites hosted:
Netherlands: Tripartz-Atrato / IX Reach / Claranet / FiberRing
220.127.116.11/27
In addition to Verizon, four other Netherlands companies are hosting Equation Group servers. The Netherlands is another long-time ally of the US and UK.
Malaysia: Piradius NET
18.104.22.168/29
Often appearing to be a "go-to" company if you want to set up a Black Hat reseller, these domains and IPs look like they have been picked up as part of a commercial offering.
Other ranges and hosts
- RACSA in Costa Rica hosts customerscreensavers.com and xlivehost.com on 22.214.171.124/29.
- EasySpeed in Denmark hosts quik-serv.com and goldadpremium.com on 126.96.36.199/30.
- Cyber Cast International in Panama hosts havakhosh.com and toofanshadid.com on 188.8.131.52.
- EM Technologies in Panama hosts technicupdate.com and rapidlyserv.com on 184.108.40.206/26.
- INET in Thailand hosts globalnetworkanalys.com on 220.127.116.11 with an apparently hardcoded IP of 18.104.22.168 in use as well.
- American Internet Services hosts suddenplot.com on 22.214.171.124.
- GoDaddy hosts serv-load.com and wangluoruanjian.com on 126.96.36.199.
- Quadranet / GZ Systems hosts fliteilex.com plus some other questionable domains on 188.8.131.52/29.
- Vegas Linkup LLC hosts standardsandpraiserepurpose.com on 184.108.40.206.
- Vox Telecom in South Africa hosts mysaltychocolateballs.com on 220.127.116.11 having previously hosted forboringbusinesses.com.
I recommend that you look at the data before you do drastic things with these IP ranges.
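If you do want to monitor the "Equation Range" blocks rather than block them outright, the simplest approach is a watchlist that flags outbound connections to those ranges or to the listed domains. The following Python is an added example, not code from the post or from Securelist/Kaspersky; the ranges and domains are copied from the post as printed above, while the log line format is a constructed one (timestamp, client, server:port, host) and the sample traffic is invented. Several of the ranges as written are not on a CIDR boundary (for example .168/28), so the code parses them with strict=False, which widens each to the aligned block containing that address; that produces a few extra alerts rather than missing any, which is the right way round for a watchlist.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Watchlist copied from the post as printed: the contiguous "Equation
# Range" blocks the author recommends monitoring, keyed by host label.
# Ranges that are not CIDR-aligned are widened by strict=False below to
# the aligned block that contains the given address (more alerts, never
# fewer), because this scanner alerts rather than blocks.
WATCH_RANGES: Dict[str, str] = {
    "FLAG Telecom / Reliance Globalcom": "18.104.22.168/28",
    "GTT Americas / Cogent / PSInet": "22.214.171.124/26",
    "Colombia: Terremark / IFX Networks": "126.96.36.199/28",
    "Czech Republic: Master Internet": "188.8.131.52/28",
    "Spain: Terremark / GTT": "184.108.40.206/27",
    "Netherlands: Tripartz-Atrato / Claranet": "220.127.116.11/27",
}

# A handful of the domains listed under "Other ranges and hosts".
WATCH_DOMAINS = {
    "customerscreensavers.com", "quik-serv.com", "technicupdate.com",
    "rapidlyserv.com", "suddenplot.com", "serv-load.com",
}

NETWORKS = [(label, ipaddress.ip_network(cidr, strict=False))
            for label, cidr in WATCH_RANGES.items()]


def match_ip(ip_str: str) -> List[str]:
    """Return the labels of every watched range that contains ip_str."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return []  # not an IP (e.g. a "-" placeholder): nothing to check
    return [label for label, net in NETWORKS if ip in net]


def match_domain(host: str) -> Optional[str]:
    """Return the watched domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for dom in WATCH_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


# Constructed log format (hypothetical, not from the post):
#   <timestamp> <client> -> <server>:<port> host=<SNI/HTTP host, or ->
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) host=(\S+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, server, port, host = m.groups()
    return {"ts": ts, "client": client, "server": server,
            "port": port, "host": host}


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag connections whose destination IP or hostname is on the watchlist."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        reasons = [f"ip in range '{label}'" for label in match_ip(rec["server"])]
        dom = match_domain(rec["host"])
        if dom:
            reasons.append(f"host under watched domain {dom}")
        if reasons:
            alerts.append({**rec, "reason": "; ".join(reasons)})
    return alerts


# Constructed sample traffic, not real telemetry. The last two lines sit
# on either side of the widened FLAG block boundary (.160-.175).
SAMPLE_LOG = [
    "2015-02-18T10:01:02Z 10.0.0.5 -> 22.214.171.124:443 host=-",
    "2015-02-18T10:01:09Z 10.0.0.7 -> 93.184.216.34:443 host=www.example.org",
    "2015-02-18T10:02:15Z 10.0.0.9 -> 198.51.100.20:80 host=cdn.technicupdate.com",
    "2015-02-18T10:03:00Z 10.0.0.5 -> 18.104.22.175:80 host=-",
    "2015-02-18T10:03:30Z 10.0.0.5 -> 18.104.22.176:80 host=-",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['client']} -> {a['server']}:{a['port']}  {a['reason']}")
```

Run against the constructed sample it reports three hits: the direct connection into the Cogent block, the hostname under technicupdate.com (whose IP is not on the list at all, which is why matching on both IP and name matters), and the connection inside the widened FLAG block; the address one past that block's boundary is left alone. Feed it your own proxy or DNS logs by adapting LINE_RE, and treat hits as something to look at, as the post advises, rather than an automatic block.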
Now, I don't know for certain that this malware is a government actor, but the IP addresses indicate that whoever it is has a relationship with these companies (especially Verizon). That certainly feels like a state actor to me.