Security Advisor

New Government-Linked Spyware Found in Hard Drive Firmware

The malware used is impossible to remove from infected devices, according to Kaspersky Lab.

According to a report released on Monday by Russian security vendor Kaspersky Lab, a sophisticated malware agent found in the firmware of popular hard drives has been discovered.

The malware is apparently used for cyber eavesdropping and the security firm said that it has found hints of it being included in many popular hardware brands including Western Digital, Toshiba and Seagate, to name a few.

While the Kaspersky Lab report did not explicitly name any connection to the National Security Agency or any other U.S.-operated cyber intelligence initiative, the company said the group responsible, named "Equation," is also connected to other high-profile espionage cases, including Stuxnet, which reportedly was a government-led operation that shut down specific Iranian nuclear facilities with malware in 2008.

Also strengthening the link is the fact that this week's revealed malware operates in a similar manner to that used by the NSA and other government bodies to infiltrate other hardware devices like routers. The malicious code is secretly inserted in the firmware where it creates hidden folders that records network and data information and is only accessible by a custom API. The code is buried so deeply that disk formatting and OS reinstallation will not remove it, and it is near impossible to detect the malware when scanned.

And due to the complex nature of hiding the code in the firmware, it is believed the malware was developed using internal source code information straight from the hard drive manufacturers. In an interview with Reuters, Costin Raiu, researcher with Kaspersky Labs, said that without specific proprietary information straight from the manufacturers, a malware operation this complex would be impossible. "There is zero chance that someone could rewrite the [hard drive] operating system using public information," said Raiu.

The researchers at the security firm said that the infiltration of popular hard drives is the most sophisticated cyber intelligence resource the Equation group has developed. "This is perhaps the most powerful tool in the Equation group's arsenal and the first known malware capable of infecting the hard drives," read the report.

Kaspersky Labs also revealed another agent that has been used by the group for years -- the Fanny worm. This Trojan worm was designed to retrieve information from an infected system and transmit topography information of a targeted network so that an exploit can be created to breach the system.

"Over the past years, the Equation group has performed many different attacks," read the report.  "One stands out: the Fanny worm. Presumably compiled in July 2008, it was first observed and blocked by our systems in December 2008. Fanny used two zero-day exploits, which were later uncovered during the discovery of Stuxnet."

Kaspersky Labs said that the majority of those systems discovered with the Fanny worm or with the compromised hard drives have been located in China, Russia, Iran and Pakistan. There has been no evidence of any U.S.-based systems being targeted.

About the Author

Chris Paoli is the site producer for and


  • Old Stone Wall Graphic

    Microsoft Addressing 36 Vulnerabilities in December Security Patch Release

    Microsoft on Tuesday delivered its December bundle of security patches, which affect Windows, Internet Explorer, Office, Skype for Business, SQL Server and Visual Studio.

  • Microsoft Nudging Out Classic SharePoint Blogs

    So-called "classic" blogs used by SharePoint Online subscribers are on their way toward "retirement," according to Dec. 4 Microsoft Message Center post.

  • Datacenters in Space: OrbitsEdge Partners with HPE

    A Florida-based startup is partnering with Hewlett Packard Enterprise in a deal that gives new meaning to the "edge" in edge computing.

  • Windows 10 Hyper-V vs. Windows Server Hyper-V: Which Platform for Which Workloads?

    The differences between these two Hyper-V versions are pretty significant, depending on what you plan to use them for. Here's a quick rundown of each platform, from their features to licensing quirks to intended use cases.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.