ID: IRCNE2015022427
Date: 2015-02-18
According to “ComputerWorld” and “CNet”, a cyberespionage group with a toolset similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries including Iran and Russia.
Kaspersky Lab released a report Monday that said the tools were created by the "Equation" group, which it stopped short of linking to the U.S. National Security Agency.
The tools, exploits and malware used by the group -- named after its penchant for encryption -- have strong similarities with NSA techniques described in top-secret documents leaked in 2013.
Countries hit the most by Equation include Iran, Russia, Pakistan, Afghanistan, India and China. Targets in those countries included the military, telecommunications, embassies, government, research institutions and Islamic scholars, Kaspersky said.
Kaspersky's most striking finding is Equation's ability to infect the firmware of a hard drive, or the low-level code that acts as an interface between hardware and software.
The malware reprograms the hard drive's firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS doesn't affect it, and the hidden storage sector remains.
"Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability," said Costin Raiu, director of Kaspersky Lab's global research and analysis team, in a phone interview Monday.
Drives made by Seagate Technology, Western Digital Technologies, Hitachi, Samsung Electronics and Toshiba can be modified by two of Equation's hard disk drive malware platforms, "Equationdrug" and "Grayfish."
The report said Equation has knowledge of the drives that goes way beyond public documentation released by vendors.
Equation knows sets of unique ATA commands used by hard drive vendors to format their products. Most ATA commands are public, as they comprise a standard that ensures a hard drive is compatible with just about any kind of computer.
But there are undocumented ATA commands used by vendors for functions such as internal storage and error correction, Raiu said. "In essence, they are a closed operating system," he said.
Obtaining such specific ATA codes would likely require access to that documentation, which could cost a lot of money, Raiu said.
The ability to reprogram the firmware of just one kind of drive would be "incredibly complex," Raiu. Being able to do that for many kinds of drives from many brands is "close to impossible," he said.
"To be honest, I don't think there's any other group in the world that has this capability," Raiu said.
It appears Equation has been far, far ahead of the security industry. It's almost impossible to detect this kind of tampering, Raiu said. Reflashing the drive, or replacing its firmware, is also not foolproof, since some types of modules in some types of firmware are persistent and can't be reformatted, he said.
Given the high value of this exploitation technique, Equation very selectively deployed it.
"During our research, we've only identified a few victims who were targeted by this," Kaspersky's report said. "This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances."
- 2