Threat Actor Profile
High
APT
Description
Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)
Confidence Score
Known Aliases
Equation
Tags
mitre-attack
stix-2.1
intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (4)
STIX Data
{'aliases': ['Equation'],
 'created': '2017-05-31T21:31:54.697Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Equation](https://attack.mitre.org/groups/G0020) is a '
                'sophisticated threat group that employs multiple remote '
                'access tools. The group is known to use zero-day exploits and '
                'has developed the capability to overwrite the firmware of '
                'hard disk drives. (Citation: Kaspersky Equation QA)',
 'external_references': [{'external_id': 'G0020',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0020'},
                         {'description': '(Citation: Kaspersky Equation QA)',
                          'source_name': 'Equation'},
                         {'description': "Kaspersky Lab's Global Research and "
                                         'Analysis Team. (2015, February). '
                                         'Equation Group: Questions and '
                                         'Answers. Retrieved December 21, '
                                         '2015.',
                          'source_name': 'Kaspersky Equation QA',
                          'url': 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf'}],
 'id': 'intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9',
 'modified': '2025-04-25T14:48:45.400Z',
 'name': 'Equation',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.2'}