Security Advisor

New Government-Linked Spyware Found in Hard Drive Firmware

The malware used is impossible to remove from infected devices, according to Kaspersky Lab.

According to a report released on Monday by Russian security vendor Kaspersky Lab, a sophisticated malware agent found in the firmware of popular hard drives has been discovered.

The malware is apparently used for cyber eavesdropping and the security firm said that it has found hints of it being included in many popular hardware brands including Western Digital, Toshiba and Seagate, to name a few.

While the Kaspersky Lab report did not explicitly name any connection to the National Security Agency or any other U.S.-operated cyber intelligence initiative, the company said the group responsible, named "Equation," is also connected to other high-profile espionage cases, including Stuxnet, which reportedly was a government-led operation that shut down specific Iranian nuclear facilities with malware in 2008.

Also strengthening the link is the fact that this week's revealed malware operates in a similar manner to that used by the NSA and other government bodies to infiltrate other hardware devices like routers. The malicious code is secretly inserted in the firmware where it creates hidden folders that records network and data information and is only accessible by a custom API. The code is buried so deeply that disk formatting and OS reinstallation will not remove it, and it is near impossible to detect the malware when scanned.

And due to the complex nature of hiding the code in the firmware, it is believed the malware was developed using internal source code information straight from the hard drive manufacturers. In an interview with Reuters, Costin Raiu, researcher with Kaspersky Labs, said that without specific proprietary information straight from the manufacturers, a malware operation this complex would be impossible. "There is zero chance that someone could rewrite the [hard drive] operating system using public information," said Raiu.

The researchers at the security firm said that the infiltration of popular hard drives is the most sophisticated cyber intelligence resource the Equation group has developed. "This is perhaps the most powerful tool in the Equation group's arsenal and the first known malware capable of infecting the hard drives," read the report.

Kaspersky Labs also revealed another agent that has been used by the group for years -- the Fanny worm. This Trojan worm was designed to retrieve information from an infected system and transmit topography information of a targeted network so that an exploit can be created to breach the system.

"Over the past years, the Equation group has performed many different attacks," read the report.  "One stands out: the Fanny worm. Presumably compiled in July 2008, it was first observed and blocked by our systems in December 2008. Fanny used two zero-day exploits, which were later uncovered during the discovery of Stuxnet."

Kaspersky Labs said that the majority of those systems discovered with the Fanny worm or with the compromised hard drives have been located in China, Russia, Iran and Pakistan. There has been no evidence of any U.S.-based systems being targeted.

About the Author

Chris Paoli is the site producer for and


  • How To Replace an Aging Domain Controller

    If the hardware behind your domain controllers has become outdated, here's a step-by-step guide to performing a hardware refresh.

  • Azure Backup for SQL Server 2008 Available at Preview Stage

    Microsoft added the option of using the Azure Backup service to provide recovery support for SQL Server 2008 and SQL Server 2008 R2 when those workloads are hosted on Azure virtual machines.

  • Microsoft Suggests Disabling Old Protocols with Exchange Server 2019

    Exchange Server 2019 with Cumulative Update 2 (CU2) can help organizations rid themselves of old authentication protocols, which constitute a potential security risk.

  • Microsoft Previews New Edge Browser on Windows 7 and Windows 8.1

    Microsoft announced this week that it has released previews of its Chromium-based Microsoft Edge Web browsers for use on Windows 7, Windows 8 and Windows 8.1 systems.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.