The Russian cybersecurity company recently disclosed the presence of the “Equation Group.”
The Moscow-based security company recently revealed that it had found thousands of computers infected with spying software hidden deep within hard drives made by Samsung, Western Digital, Seagate and other major manufacturers. Kaspersky has named the organization the “Equation Group,” yet it remains convinced that the NSA is truly behind the infection of computers in about 30 countries. Of these countries, Iran saw the most infections, followed by Russia, Pakistan, Afghanistan, China and other “enemies.”
Is the NSA “Equation Group?”
Judging by the countries most infected and the computers targeted, it would not be a stretch to think that the NSA was responsible for targeting computers belonging to telecoms, banks, military institutions, media, energy companies, and nuclear researchers.
A former NSA employee recently told Reuters that Kaspersky’s claims were accurate and that the NSA had indeed been deeply embedding spyware in hard drives for nearly a decade. Kaspersky shared its findings at a security conference in Cancun, Mexico on Monday. This disclosure, together with the published technical details, could make it easier for those affected to begin taking steps to avoid this surveillance.
How did the NSA do it?
Once the software is hidden on a hard drive, the malware begins to reprogram the hard drive’s firmware. Through the use of secret APIs (application programming interfaces), the malware creates hidden sectors on the drive in which to live. Once this is done, reformatting the hard drive or reinstalling the operating system is not enough to remove the malware. Essentially, the Equation Group made its malware permanent for as long as the affected computer continues to use the infected hard drive.
“Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability,” Costin Raiu, director of Kaspersky Lab’s global research and analysis team, said on Monday.
Not surprisingly, the NSA has not commented on Kaspersky’s findings.
Only the NSA would have access to the APIs
A few hard drive manufacturers have denied providing the NSA with the source code (API) while others have not commented on the matter, but Kaspersky remains unconvinced.
“There is zero chance that someone could rewrite the [hard drive] operating system using public information,” Raiu said.
It’s believed that the NSA has various means of obtaining source code, either directly or indirectly. Sometimes they simply ask; other times they pass themselves off as software developers. Additionally, if a company receives a contract with the Pentagon or another security-conscious agency, the U.S. government can request a security audit that would give it access to the source code.
“They don’t admit it, but they do say, ‘We’re going to do an evaluation, we need the source code,’” said Vincent Liu, a partner at security consulting firm Bishop Fox and a former NSA analyst, according to Reuters. “It’s usually the NSA doing the evaluation, and it’s a pretty small leap to say they’re going to keep that source code.”