Noted cybersecurity firm Kaspersky Lab has discovered evidence of advanced spyware likely tied to the National Security Agency embedded deep in hard drives from more than a dozen manufacturers worldwide.
According to the Moscow-based firm, which released a report detailing the threat Monday, the spyware is able to reprogram the firmware of infected hard drives and inject the computers they’re built into with highly effective and evasive malware, adept at gathering information and avoiding detection.
Attributed to hackers dubbed “The Equation Group” by Kaspersky, the threat “surpasses anything known in terms of complexity and sophistication of techniques,” and has been active in major hard drives manufactured by Western Digital, Seagate, Toshiba and others in more than 30 countries over the last 20 years.
The suite of surveillance platforms has been behind more than 500 attacks against military and government institutions, banks, telecommunications companies, energy companies, Islamic activists and media in Iran, Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen, Algeria and others.
According to Kaspersky, the number of attacks is likely much higher — possibly in the tens of thousands — but self-destruct mechanisms embedded in the infections make the true number virtually uncountable.
While the firm did not mention the NSA by name in its report, Equation Group was linked to the Stuxnet virus, deployed by the signals intelligence agency between 2007 and 2008 to sabotage Iranian uranium enrichment centrifuges; that attack successfully destroyed about one-fifth of the country’s nuclear enrichment infrastructure.
Spokespersons for both Western Digital and Seagate deny sharing their hard drives’ source code with the government. However, a former NSA analyst confirmed to Reuters that the NSA has ways of obtaining the source code for hard drives from companies, including “posing as a software developer” or requesting a security audit for a proposed purchase.
“They don’t admit it, but they do say, ‘We’re going to do an evaluation, we need the source code,’” former NSA analyst Vincent Liu said in the report. “It’s usually the NSA doing the evaluation, and it’s a pretty small leap to say they’re going to keep that source code.”
Kaspersky’s report also details the existence of an Equation Group tool known as the “Fanny” worm, which is used to surveil computer networks not connected to the Internet. The worm is installed in secret compartments on intercepted USB sticks or CD-ROMs, and infects such “air-gapped” networks when the media is inserted into a computer on that network. The worm then transmits the information it gleaned back to Equation Group once the media is plugged into an Internet-connected computer again.
Vulnerabilities uncovered by Fanny were later found to have been exploited by Stuxnet.