Russian cyber security firm Kaspersky published a report last night (PDF) that reveals the activities of a cyber espionage group it dubs the “Equation Group”, believed to be linked to the US National Security Agency (NSA) because its tools closely resemble the agency’s. The group has used these tools to infiltrate key institutions in countries including India, Pakistan, Iran and Russia.
The report reveals that the Equation Group was able to implant surveillance tools in the firmware of hard drives produced by a number of well-known manufacturers, including Western Digital, Seagate, Samsung, Hitachi and Toshiba. Targets in the aforementioned countries include military, government, research and telecommunications institutions, among others. The report, however, does not say how many people were affected.
Beyond the hard drives, the report says the group had the ability to operate at the lowest levels of a system, infecting the firmware that sits between hardware and software. This firmware-level malware, the hard drive implants included, could only be accessed through a secret API. More worrying still is how difficult the malware is to remove once a machine is infected: Kaspersky says that even reformatting the disk or reinstalling the operating system will not eliminate it, because the implant lives in the drive’s firmware rather than in the data the drive stores.
Existing antivirus products and most security tools are likewise unable to remove it. “If the malware gets into the firmware, it is able to resurrect itself forever,” Costin Raiu, a Kaspersky threat researcher, said in the report. “It means that we are practically blind and cannot detect hard drives that have been infected with this malware.”
Two of the zero-day exploits used by the group were also coded into Stuxnet, the security firm reveals. Stuxnet was a Windows worm, widely attributed to a joint Israeli and US operation, that sabotaged Iran’s uranium enrichment operations. The overlap led Kaspersky to conclude that the NSA and the Equation Group were either the same or had worked closely together. These tools were designed to infiltrate “air-gapped” networks, that is, systems that are not connected to the Internet.
In addition to implanting malware in hard drive firmware, the Equation Group also tampered with CDs sent to researchers and institutions. Kaspersky describes one case in which participants in a scientific conference were mailed a disc containing the conference materials. The disc had been tampered with: the group had added an installer carrying two zero-day exploits.
“We do not believe the conference organizers did this on purpose. At the same time, the super-rare DOUBLEFANTASY malware, together with its installer with two zero-day exploits, don’t end up on a CD by accident,” the security firm noted in the report. The firm notes that Equation Group “surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades.”
In a statement to Reuters, a former intelligence worker confirmed that the NSA had built sophisticated techniques for hiding spyware on hard drives. The expertise required to rewrite the firmware of so many reputable hard drive brands, code that the manufacturers do not release publicly, suggests that the drive makers could also have been involved. “There is zero chance that someone could rewrite the [hard drive] operating system using public information,” said Raiu.