Worldwide Equation Group hid undetectable spyware on hard drives
In a new twist to the on-going NSA story, security firm Kaspersky Lab has discovered that a threat actor of previously unknown complexity and sophistication has been embedding surveillance software on hard drives produced by a number of well-known manufacturers. With names such as Western Digital, Seagate and Toshiba mentioned, and the reach of the spy program stretching to dozens of countries, it's not clear quite how many people may be affected.
Although Kapersky does not go as far as naming the NSA, or even specifying which country is responsible for the advanced surveillance, it seems that the spying campaign is somehow related to Stuxnet -- the tool used by the NSA to attack Iran -- and the Flame group.
The Russian security company uncovered a series of spying programs. It said that it had detected two modules that allowed for the firmware of hard drives to be reprogrammed, and that systems in more than 30 countries had been uncovered by the investigations. Those that have fallen victim include governments, military, energy companies, and even Firefox.
One of the reasons the US government's surveillance activities have been criticized so much is down to the dragnet approach that has been adopted -- data about entirely innocent people is collected as well as 'legitimate' targets. Installing spyware on hard drives allows for slightly more targeted surveillance, but this is unlikely to quell the fears of those concerned about privacy.
A former intelligence worker confirmed to Reuters that the NSA has successfully developed techniques for hiding spyware on hard drives. Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, Costin Raiu said:
Once the hard drive gets infected with the malicious payload, it is impossible to can its firmware. To put it simply: for most hard drives there are function to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware.
With infected machines found in the likes of Russia, Afghanistan, China, Syria and Yemen, it amounts to a massive spying operation. There is the possibility that Kaspersky Lab's discoveries and revelations could have an impact on relations between the West and other parts of the world. Fingers of suspicion will almost certainly be pointed at hard drive manufacturers. While Toshiba, IBM and Samsung offered no comment, Western Digital, Seagate and Micron denied knowledge of the spying programs.
Raiu explains that the coders behind the malware must have had access to the source code of hard drives, although this is something that manufacturers would ordinarily guard ferociously. In what is described as an "astonishing technical accomplishment", the Equation group's ability to "reprogram the hard drive firmware of over a dozen different hard drive brands, including Seagate, Western Digital, Toshiba, Maxtor and IBM" is explained over on SecureList.
There is the promise of more details over the coming days, and this could include some very revealing information.