ITBusiness.ca

NSA behind ‘Equation group’ malware that infects hard drive firmware

Kaspersky's image for report on Equation Group

The U.S. National Security Agency (NSA) is likely behind a first-of-a-kind hack that is seeing spyware embedded onto the firmware of hard drives from major manufacturers, according to a report released by security vendor Kaspersky on Monday.

The Moscow-based firm didn’t identify any country as being behind the spyware campaign it has dubbed Equation. But it did say the spyware is closely linked to Stuxnet, a malware program that many suspect the U.S. used to infect an Iranian nuclear power plant. In fact, Kaspersky says it’s possible Equation was used to deliver Stuxnet. In a Reuters report, former NSA operatives confirm the agency has long held the ability to embed spyware onto hard drives.

Kaspersky says it has identified about 500 victims of the malware worldwide, but notes that since there is a built-in self-destruct mechanism, it is likely the numbers affected are much higher. But Canadians aren’t among those impacted by the malware, with the numbers highest in the Middle East and across Russia (see above map). Targets range from government organizations, military and telecommunication firms to banks, media, and energy companies.

Hard drive brands affected by the malware include Western Digital, Seagate, Toshiba, and Samsung. The spyware traces back as far as 2001, and is compatible with all versions of Microsoft Windows, including Windows 8. Kaspersky also believes a Mac OS X version of the malware exists.

While many may be infected, those that are actually snooped on by the Equation group are few. Kaspersky says that a type of “validator” malware known as DoubleFantasy is installed as a first stage to see whether a target is of interest or not. The malware is implanted on user machines using web browser vulnerabilities, and the malicious PHP script used to deliver the payload was seen on Islamic Jihadist discussion forums and in ads on popular Middle East websites.

The malware either had the ability to self-destruct if the target was not of interest, or to download higher-grade malware onto the system if the victim was deemed of interest.

Kaspersky discovered the Equation malware campaign while investigating a honeypot computer it had set up to attract high-level malware. At the time it was investigating the already-known ‘Regin’ malware, which is also believed to be used for espionage purposes by an unidentified group.

If you’re curious whether your systems are impacted by Equation, Kaspersky lists many of the indicators of compromise at the end of its report, including the command and control servers that are used by the malware to trigger different activity.
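One way to put such a list of indicators to work is to sweep existing web proxy or DNS logs for connections to the listed command and control hosts. The script below is an added illustration, not code from Kaspersky or from the article: it matches each log line's destination host against a set of indicator domains (including subdomains of a listed domain) and IP addresses. The indicator values and the log lines are constructed placeholders; the real command and control servers would be taken from the appendix of Kaspersky's report.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed placeholder indicators (NOT the real Equation C2 servers).
# Replace these with the hosts listed in the report's indicators of compromise.
IOC_DOMAINS: Set[str] = {"c2-placeholder-1.example", "c2-placeholder-2.example"}
IOC_IPS: Set[str] = {"192.0.2.10", "198.51.100.25"}  # RFC 5737 documentation ranges

# Constructed sample proxy log, squid-like layout:
# <unix timestamp> <client ip> <method> <url or host:port> <status>
SAMPLE_LOG = """\
1424000001.123 10.0.0.5 GET http://www.example.org/index.html 200
1424000002.456 10.0.0.7 GET http://c2-placeholder-1.example/stage2 200
1424000003.789 10.0.0.9 CONNECT 198.51.100.25:443 200
1424000004.012 10.0.0.5 GET http://mail.example.com/ 302
"""


@dataclass(frozen=True)
class Hit:
    line_no: int     # 1-based line in the log
    client: str      # internal host that made the connection
    indicator: str   # which indicator matched


# Optional scheme, then everything up to the first '/', ':' or whitespace.
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:\s]+)", re.IGNORECASE)


def extract_host(url: str) -> str:
    """Return the lowercase host part of a URL or host:port string."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def parent_domains(host: str) -> Iterable[str]:
    """Yield host and each parent domain down to the registrable level,
    so that a listed domain also matches its subdomains."""
    parts = host.split(".")
    for i in range(max(len(parts) - 1, 1)):
        yield ".".join(parts[i:])


def match_line(line: str, line_no: int,
               domains: Set[str], ips: Set[str]) -> Optional[Hit]:
    """Match one log line against the indicator sets; None if clean."""
    fields = line.split()
    if len(fields) < 5:
        return None  # malformed or truncated line; skip rather than guess
    client, target = fields[1], fields[3]
    host = extract_host(target)
    if host in ips:
        return Hit(line_no, client, host)
    for dom in parent_domains(host):
        if dom in domains:
            return Hit(line_no, client, dom)
    return None


def scan(log_text: str, domains: Set[str] = IOC_DOMAINS,
         ips: Set[str] = IOC_IPS) -> List[Hit]:
    """Return every hit in the log, in file order."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        hit = match_line(line, n, domains, ips)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} contacted indicator {h.indicator}")
```

Matching on the destination host rather than the full URL keeps the check robust to changed paths, and the parent-domain walk means a listed `c2.example` also catches `cdn.c2.example`. Absence of hits only shows that no logged connection reached a listed server, which is a weaker statement than "not infected", given the self-destruct behaviour the article describes.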
