NSA accused of embedding spyware in hard disks
All major vendors’ firmware infiltrated, former operatives point fingers at agency
Russian researchers have accused the US National Security Agency of embedding monitoring malware in the hard-disk firmware of major vendors, in an attempt to broaden the spy unit's global surveillance net, Reuters reported.
Moscow-based cyber security specialist Kaspersky Lab said its analysis showed the spyware was compatible with disk firmware from more than a dozen companies, covering the majority of the magnetic HDD market. Companies include Western Digital, Seagate Technology, Toshiba, IBM, Micron Technology and Samsung Electronics.
Kaspersky claimed to have found the malware on PCs in 30 countries, with the highest incidence found in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. Target organisations included government departments, military branches, telecoms companies, banks, energy companies, nuclear researchers, media, and Islamic activists.
While Kaspersky did not name the country responsible for the operation, only referring to the architects as "the Equation group", it said the malware was closely linked to Stuxnet, the worm blamed for the disabling of Iran's uranium centrifuges in 2010. Stuxnet was widely reported to be the handiwork of Israeli and US architects and the NSA has been accused of being the ringleader in the campaign.
Reuters also cited sources formerly employed by the NSA, one of whom said the agency was very interested in the type of cyber espionage programmes described by Kaspersky. Another claimed the NSA had pioneered the technique of embedding spyware in hard drives, but could not confirm if the NSA was behind the campaign uncovered by Kaspersky.
Kaspersky's report, published yesterday, includes technical details on the malware that would allow organisations to detect its presence. Some infections could date back as far as 2001.
Sales of US products abroad have already felt the pinch from 2013 revelations by Edward Snowden, an NSA contract employee who fled Hawaii with a trove of sensitive documents.
Second only to BIOS, disk-drive firmware is the most attractive proposition on a PC for spyware writers.
"The hardware will be able to infect the computer over and over," said Costin Raiu, lead researcher with Kaspersky.
Raiu said the malware had the potential to infect thousands of machines the world over, but had been designed to be selective, going after the most high-value targets. Stuxnet was also an extremely selective threat, infecting Windows machines, but doing nothing until it found a machine running a specific version of a specific Siemens industrial control system.
Raiu also said the malware creators would have needed access to manufacturers' source code to be able to identify vulnerabilities and infect firmware efficiently.
"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.
Reuters said Western Digital, Seagate and Micron claimed to have no knowledge of the spyware. Toshiba and Samsung declined to comment and IBM did not respond to requests for comment.
Western Digital "has not provided its source code to government agencies", according to spokesman Steve Shattuck. Other manufacturers would not say if they had shared source code with the NSA.
Seagate has "secure measures to prevent tampering or reverse engineering of its firmware and other technologies", said spokesman Clive Over. Daniel Francisco, speaking for Micron, said "we are not aware of any instances of foreign code".
Reuters' intelligence sources said there were a number of ways the NSA could have obtained firmware source code without the co-operation of the manufacturers. The NSA could have posed as a software company requiring the code for integration purposes. Also, in the event that a manufacturer wanted to do business with the Pentagon, officials could demand a security audit of their products, which would include all source code.
"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said Vincent Liu, partner at security consulting firm Bishop Fox and a former NSA analyst. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."
Kaspersky said the Equation group used a number of methods to spread other spying malware. The group infiltrated jihadist websites, infected USB sticks and CD media, and developed a self-propagating worm called Fanny, similar to Stuxnet. Raiu said it was "quite possible" that Equation used Fanny to scout targets for Stuxnet in Iran.