Security Advisor

New Government-Linked Spyware Found in Hard Drive Firmware

The malware used is impossible to remove from infected devices, according to Kaspersky Lab.

Russian security vendor Kaspersky Lab said in a report released on Monday that it has discovered a sophisticated malware agent hidden in the firmware of popular hard drives.

The malware is apparently used for cyber eavesdropping, and the security firm said it has found evidence that the implant can infect drives from many popular hardware brands, including Western Digital, Toshiba and Seagate, to name a few.

While the Kaspersky Lab report did not explicitly name any connection to the National Security Agency or any other U.S.-operated cyber intelligence initiative, the company said the group responsible, named "Equation," is also connected to other high-profile espionage cases, including Stuxnet, which reportedly was a government-led operation that used malware to sabotage uranium-enrichment centrifuges at an Iranian nuclear facility in the late 2000s and was publicly discovered in 2010.

Also strengthening the link is the fact that this week's revealed malware operates in a similar manner to that used by the NSA and other government bodies to infiltrate other hardware devices such as routers. The malicious code is secretly written into the drive's firmware, where it creates hidden storage areas on the disk that record network and data information and are accessible only through a custom API. Because the code lives in the firmware rather than on the disk's file system, formatting the disk and reinstalling the operating system will not remove it, and because drive firmware generally cannot be read back from the host, only rewritten, scanning tools have no practical way to inspect it for the implant.

Because hiding code in the firmware is so complex, the malware is believed to have been developed with internal source code obtained directly from the hard drive manufacturers. In an interview with Reuters, Costin Raiu, a researcher with Kaspersky Lab, said that without specific proprietary information straight from the manufacturers, a malware operation this complex would be impossible. "There is zero chance that someone could rewrite the [hard drive] operating system using public information," said Raiu.

The researchers at the security firm said that the infiltration of popular hard drives is the most sophisticated cyber intelligence resource the Equation group has developed. "This is perhaps the most powerful tool in the Equation group's arsenal and the first known malware capable of infecting the hard drives," read the report.

Kaspersky Lab also revealed another agent that the group has used for years: the Fanny worm. This worm was designed to retrieve information from an infected system and map the topology of a targeted network so that an exploit could be tailored to breach it.

"Over the past years, the Equation group has performed many different attacks," read the report. "One stands out: the Fanny worm. Presumably compiled in July 2008, it was first observed and blocked by our systems in December 2008. Fanny used two zero-day exploits, which were later uncovered during the discovery of Stuxnet."

Kaspersky Lab said that the majority of the systems found infected with the Fanny worm or with the compromised hard drive firmware have been located in China, Russia, Iran and Pakistan. There has been no evidence of any U.S.-based systems being targeted.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
