The US National Security Agency (NSA) hid undetectable spying software within the firmware of hard drives, regardless of manufacturer, says a Moscow-based cyber security researcher and software maker.
Tens of thousands of personal computers in more than 30 countries were infected with one or more of the spying programs, said Kaspersky Lab, the Russian security software maker. The infections were most prevalent in Iran, Russia, Pakistan, Afghanistan, India, China, Mali, Syria, Yemen and Algeria and had been going on for more than a decade.
The spyware targeted government and military institutions, telecommunication companies, banks, research and defense institutions, nuclear researchers, media and Islamic activists.
The spies, dubbed the Equation Group by researchers because of their affinity for encryption formulae and algorithms, lodged malicious software in the obscure code called firmware. Disk drive firmware, along with the BIOS, is one of the most privileged pieces of code in a PC: it runs every time the computer is turned on, before the operating system loads.
“The hardware will be able to infect the computer over and over,” said Costin Raiu, the lead Kaspersky researcher.
Once lodged, the spies had complete control of the system. One of its malware platforms was capable of rewriting the hard drive firmware of the infected computers. It created a secret storage vault that could survive military-grade disk wiping and reformatting. The breach could not be detected even through layers of anti-virus programs.
Reuters reported that the group also used various means to spread the infection such as compromising jihadi websites, infecting USB sticks, CDs, and developing a self-spreading computer worm [Fanny].
“It’s very dangerous and bad because once a hard drive gets infected with this malicious payload it’s impossible for anyone, especially an antivirus [provider], to scan inside that hard drive firmware. It’s simply not possible to do that,” he added.
The authors of the spying program must have had access to the proprietary source code directing the actions of the hard drives because it is almost impossible for someone to “rewrite the [hard drive] operating system using public information.”
“This is an incredibly complicated thing that was achieved by these guys, and they didn’t do it for one kind of hard drive brand,” Raiu said.
The operators of the still-active spying campaign could infect machines of any make, which include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.
Western Digital spokesman Steve Shattuck denied sharing any source code with any government agencies.
Likewise, Seagate and Micron said their products were secure against tampering or reverse engineering.
Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.
Although the firm declined to name the country behind the cyberespionage, it hinted that the country was linked to Stuxnet, the NSA-led cyberweapon that attacked Iran’s uranium enrichment facility and destroyed almost one-fifth of the country’s nuclear centrifuges.
A former NSA employee confirmed the lab’s analysis, while another intelligence operative agreed that the NSA had developed the technique of hiding spyware in hard drives.
However, NSA spokeswoman Vanee Vines declined to comment.
The company published the technical details of its research on Monday to help the infected institutions take preventive and corrective measures.
The disclosure may further damage the NSA’s surveillance abilities, which have already been constrained following leaks of classified files by Edward Snowden, a former NSA contractor.