Kaspersky Lab says global hard drives compromised by NSA-led ‘The Equation Group’, spyware dates back to 2001
The National Security Agency knows how to plant secret snooping software into hard drives manufactured by Western Digital, Seagate, Toshiba, and others, giving the US agency a means to spy on computers all around the globe, according to security researchers and former cyber espionage operatives.
The ability to hide the software deep in hard drives is just one of many different spying programs found by Russian security firm Kaspersky Lab, which declined to comment on the perpetrator’s origin. However, Kaspersky did say that the spying program is closely linked to Stuxnet, an NSA-created worm which attacked a nuclear plant in Iran.
But a former NSA employee told Reuters news agency that Kaspersky has hit the nail on the head, with another former intelligence operative confirming that the NSA was indeed behind the scheme to hide spyware in hard drives.
Kaspersky is calling the group of spying programs The Equation Group, and said that it is “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades”.
PCs in 30 countries were found to be infected by at least one of the spying programs in The Equation Group, with most infections found in Iran. This was followed by Russia, Pakistan, and China. Targets included governmental and military institutions, as well as telcos, banks, and Islamic activists.
Kaspersky said: “There are solid links indicating that The Equation group has interacted with other powerful groups, such as the Stuxnet and Flame operators – generally from a position of superiority. The Equation group had access to zero-days before they were used by Stuxnet and Flame, and at some point they shared exploits with others.”
Hard drives from vendors such as IBM, Samsung, and Maxtor were also found to be compromised, and the revelations could chill relations between the West and the victims, relations already marred by the Snowden leaks.
Kaspersky said that by reprogramming the hard drive firmware, the spying software survives disk formatting and OS reinstallation, both of which leave the firmware untouched.
“Another dangerous thing is that once the hard drive gets infected with this malicious payload, it is impossible to scan its firmware. To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware,” warned Costin Raiu, research director at Kaspersky Lab.
The program also gave the perpetrators the ability to create an invisible, persistent area hidden inside the hard drive. This is used to save exfiltrated information which can be later retrieved by the attackers.
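Because the firmware itself cannot be read back on most drives, the practical defender-side control that follows from Raiu's point is a fleet inventory: record each drive's model, serial number and advertised firmware revision at provisioning time and alert when a drive later reports a different revision or an unrecorded drive appears. The script below is an added example, not code from the article or from Kaspersky's report; it assumes identity strings are collected with `smartctl -i`, and the sample output and baseline table are constructed to mimic that format rather than captured from real hardware. A firmware implant can preserve the advertised revision string, so a clean comparison is not proof of a clean drive; a mismatch, however, is a concrete finding worth pulling the host for.

```python
"""Baseline-and-compare check for hard drive firmware identity strings.

Added example (not from the article or Kaspersky's report). It assumes each
host runs `smartctl -i /dev/sdX` for every drive and ships the text to this
check; the sample output and baseline below are constructed, not captured.
"""
import re

# Constructed sample: the identity block `smartctl -i` prints for three drives.
SAMPLE_SMARTCTL_OUTPUT = [
    """Device Model:     ST2000DM001-1CH164
Serial Number:    Z1E0EXAMPLE1
Firmware Version: CC26
User Capacity:    2,000,398,934,016 bytes [2.00 TB]
""",
    """Device Model:     WDC WD10EZEX-00BN5A0
Serial Number:    WD-WCC3FEXAMPLE2
Firmware Version: 01.01A01
""",
    """Device Model:     TOSHIBA DT01ACA100
Serial Number:    X3EXAMPLE3
Firmware Version: MS2OA750
""",
]

# Constructed baseline recorded at provisioning: (model, serial) -> firmware revision.
BASELINE = {
    ("ST2000DM001-1CH164", "Z1E0EXAMPLE1"): "CC26",
    ("WDC WD10EZEX-00BN5A0", "WD-WCC3FEXAMPLE2"): "01.01A01",
    ("TOSHIBA DT01ACA100", "X3EXAMPLE3"): "MS2OA750",
}

# One line per field; values are trimmed of surrounding whitespace.
_FIELD = re.compile(r"^(Device Model|Serial Number|Firmware Version):\s*(.+?)\s*$", re.M)


def parse_smartctl_identity(text):
    """Return {'model', 'serial', 'firmware'} parsed from one drive's smartctl -i text."""
    fields = dict(_FIELD.findall(text))
    try:
        return {
            "model": fields["Device Model"],
            "serial": fields["Serial Number"],
            "firmware": fields["Firmware Version"],
        }
    except KeyError as missing:
        # Refuse to silently treat an unparsable drive as "ok".
        raise ValueError(f"smartctl output lacks field {missing}")


def compare_to_baseline(observed, baseline):
    """Classify each observed drive as 'ok', 'firmware_changed' or 'unknown_drive'.

    Returns a list of (key, status, expected_revision, seen_revision) tuples.
    """
    findings = []
    for drive in observed:
        key = (drive["model"], drive["serial"])
        expected = baseline.get(key)
        if expected is None:
            findings.append((key, "unknown_drive", None, drive["firmware"]))
        elif expected != drive["firmware"]:
            findings.append((key, "firmware_changed", expected, drive["firmware"]))
        else:
            findings.append((key, "ok", expected, drive["firmware"]))
    return findings


def check_host(outputs, baseline=BASELINE):
    """Parse every drive's smartctl text on a host and compare it to the baseline."""
    observed = [parse_smartctl_identity(text) for text in outputs]
    return compare_to_baseline(observed, baseline)


if __name__ == "__main__":
    for key, status, expected, seen in check_host(SAMPLE_SMARTCTL_OUTPUT):
        print(f"{key[0]} {key[1]}: {status} (baseline={expected}, seen={seen})")
```

The baseline key is the (model, serial) pair rather than the serial alone, so a drive swapped for another unit of the same model still shows up as `unknown_drive`. In a real deployment the baseline would be written once at provisioning from a trusted image and stored off the host, since an attacker who can rewrite firmware can also edit a local file.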
Kaspersky said that the method of spying was a “technological breakthrough” because the perpetrators figured out “how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on”.
“Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up,” said the Russian firm.