Thursday, October 16, 2025

Is the Equation Group a "white hat", "black hat" or "grey hat" team?

The "Equation Group" is an unofficial name (coined by Kaspersky Lab) for one of the most notable and advanced teams of hackers and software (and possibly hardware) developers in the world. While never officially acknowledged (for rather obvious reasons), there is very strong and credible evidence that the members of this team are employees of (or at a minimum working closely with) the NSA, most likely as part of its Tailored Access Operations department (which, unlike the group itself, is officially acknowledged.)

From what has been discovered of the work of this group, and also inferred from the Snowden leaks, it is extremely likely that the main purpose of this hacker group is to research and discover zero-day exploits in operating systems and all kinds of other software and hardware, and to develop programs and tools that use those exploits to break into computers (and who knows what other tasks that ability to break into the computers of foreign governments, organizations and individuals is then put to.)

As Kaspersky Lab and other researchers have found, these are not just some script kiddies doing this for fun and fame. Code that has been attributed to them tends to be extremely advanced, uses very sophisticated techniques, and often contains zero-day exploits most likely found by the team itself. From all that is known about them and their code, they are highly skilled and advanced hackers and software developers.

It is known that the NSA stockpiles the zero-day exploits that this team (and probably others) find, for its own use, rather than disclosing them to the software and hardware companies (such as Microsoft.)

There have been known cases of such zero-day exploits being kept secret by the NSA for many years before they were found independently and patched, or discovered when one of the NSA's own malware samples was examined (most famously Stuxnet). Or, at least in a few cases, by the NSA itself having been hacked!

Indeed, one would think that given the top-level competency, skill and professionalism of this team and the NSA in general, they would have some of the strongest digital security in the world, making them pretty much impervious to being hacked themselves. Yet, several times that has turned out not to be the case.

Quite famously Edward Snowden leaked a ton of top-secret NSA documents to the public. Curiously, Snowden was not some kind of NSA employee with a very high security clearance who had been working for the agency for decades when he decided to go rogue. No, he was just an external contractor who had been working in that capacity for quite a short amount of time, and with no other affiliation with the NSA. Essentially, he was just an outsider, not a governmental worker, who had been given temporary access as an external contractor for some minor work. Yet, he had full access to top secret documents of the NSA that he could freely copy for himself without any restrictions, and leak to the public.

That was because, at least back then in 2013, the security and safety measures at the NSA were astonishingly lax and poor. Many private companies, even in 2013, had significantly stricter and stronger security measures than the NSA had. Indeed, Snowden had access to all those top-secret documents simply because the sysadmins in charge of the NSA's computers were lazy and granted everybody access to everything out of convenience. As incredible as it might sound, even if you were just a recently hired external contractor doing a minor job for the NSA, you were granted full access to almost everything, pretty much without limits. And that is exactly how one of those temporary external contractors, Edward Snowden, got hold of those documents. It is exactly as incredible and crazy as it sounds.

Whether the NSA started implementing stronger safety measures after the Snowden leaks is unknown, but apparently even if it did, it wasn't enough, because in 2016 another hacker group, calling themselves The Shadow Brokers, were able to hack the NSA's computers and steal much of the exploit software developed by the Equation Group. The latter might consist of some of the top hackers and developers in the world, but apparently even they were not immune to being hacked themselves. Or, at a minimum, the servers where their software was stored were not (which might not actually be their fault, depending on who within the NSA was tasked with developing and maintaining those servers. If it was the same admins that allowed Snowden to simply access and copy the top-secret documents, who knows.)

Perhaps the most famous exploit software that they stole and leaked was one codenamed EternalBlue, which was an implementation of a zero-day exploit of Windows that allowed running code remotely on any Windows computer (by exploiting a bug that existed at the time in Windows' implementation of the SMB protocol.) It became famous because that code was used to create the infamous WannaCry ransomware, and later the (perhaps somewhat less famous) NotPetya, which caused even more damage.

There is evidence to show that the NSA had sat on (and probably used) the EternalBlue exploit for at least five years before it was stolen and leaked, which is what allowed Microsoft to become aware of the bug and patch it. If it hadn't been stolen, it would probably have gone unpatched for several more years.

Unsurprisingly, Microsoft issued severe criticism of this "stockpiling of zero-day exploits" by the NSA, as it keeps regular citizens vulnerable to exploits that have been found but are deliberately being kept undisclosed. The amount of damage caused by the several malware strains that used EternalBlue is estimated at no less than 1 billion dollars.

Anyway, given all of this, an interesting question arises: Can the Equation Group be classified as "white hat", "black hat" or "grey hat" hackers?

The term "white hat hacker" is used to describe a hacker who tries to find hacks, exploits and vulnerabilities in software and hardware with the full intent of disclosing them to the manufacturers as quickly as possible, and with zero intent of abusing those exploits himself. Usually he will inform the manufacturers well in advance before disclosing the vulnerability to the public, to give the manufacturers time to patch their systems. These hackers try to always remain within legal limits. Many "white hat" hackers are actually outright employed by companies to find vulnerabilities in their own systems, and thus are doing it with full permission (and even paid for it.)

The term "black hat hacker" is, rather obviously, used to describe the opposite: In other words, a hacker who tries to find these vulnerabilities in order to either exploit them himself, or to sell them in the hacker black market to others (useful zero-day exploits, especially those that allow full access to any computer system, are incredibly valuable in the black market, and could fetch a price of tens of thousands of dollars, or even more.)

The term "grey hat hacker" is a bit fuzzier, and the definition depends a bit on who you ask. One common definition is a hacker who has no intent to abuse the exploits he finds (nor sell them to anybody), but has no qualms about breaking the law in order to find them (for example illegally breaking into the computer system of a company, or even an individual person, in order to gain access to more information that could help find even more vulnerabilities.) Some "grey hat hackers" might have primarily good intentions and think of breaking the law (eg. by illegally breaking into computers) as justified for the greater good (ie. discovering and disclosing vulnerabilities.) Other such hackers might just do it for the thrill, even if they don't have any intention of abusing the vulnerabilities they find any further (other than eg. rummaging around in the servers of a company), but with no intent to disclose those vulnerabilities either. Maybe they do a bit of what the NSA does, ie. "stockpiling" knowledge and vulnerabilities that they happen to discover.

"Grey hat" might also be used to describe a hacker who illegally exploits computer systems in order to achieve something that is deemed a good thing, even if doing so is illegal. For example, not to disclose the exploits themselves, but to disclose some incriminating information about the company or person, such as evidence of a crime they have committed. A bit like modern-day "Robin Hoods" who go against the law in order to fight evil.

So, in light of all of this, is the Equation Group a "white hat", "black hat" or "grey hat" hacker team? I think arguments could be made for all three:

1) They are "white hat" hackers because what they are doing is not illegal, and they are doing it at the behest of the government for national security, to combat foreign threats. By the very fact that it is not against the law, they are "white hats". It is in essence no different from a company hiring a hacker to find vulnerabilities in its systems. Not disclosing the vulnerabilities is in essence no different from, for example, not disclosing the locations and activities of spies operating in foreign countries, which is accepted for national security reasons.

2) They are "black hat" hackers because they illegally exploit systems, and not disclosing vulnerabilities is unethical, irresponsible and puts people in danger (which might even be considered criminal negligence.) Their research of vulnerabilities is not done to help people, but quite explicitly to exploit those vulnerabilities. Just because they might not be prosecuted by the government doesn't mean they aren't actually breaking the law; it is merely the government looking the other way and excusing it as being "for national security" (just like its spies murdering enemies in foreign countries.) Being endorsed by the government doesn't make them any less "black hat" hackers, it simply makes them "government black hat" hackers.

3) They are "grey hat" hackers because even if what they are doing might be technically illegal, or at least ethically questionable, they are doing it for a good goal: that of protecting their country from foreign threats. There is no evidence that they are using these exploits to abuse their own citizens and compatriots. They are using these exploits to protect their compatriots. Even if the government sometimes might use these hacks to abuse its own citizens, that is most likely not the fault of the hackers who discovered the vulnerabilities. It is very possible that they don't even know in any great detail what their software is being used for. They may well have good intentions behind their work, ie. helping to protect their own country.