NSA may be linked to hard drive firmware hacking across 12 major manufacturers
Tue 17 Feb 2015
Russian security firm Kaspersky Lab has presented strong evidence that the National Security Agency (NSA) is behind a globally organised hacking campaign aimed at the firmware of hard disk drives.
Kaspersky put the likely scale at ‘tens of thousands of victims’ in over 30 countries, concentrated in government, telecommunications, aerospace, energy, nuclear research, finance, encryption technologies and infrastructure supply chains, alongside Islamic activists.
The infection takes place at the firmware level of hard disk drives from over a dozen major manufacturers. Although a drive is subordinate to the operating system that controls it, it runs its own firmware on an embedded controller, and the host relies on that firmware from the moment it boots – the most critical and least defended phase of the computer's operation. Because the implant lives in the firmware area rather than in the sectors the operating system can see, it is not removed by reformatting the disk or reinstalling the operating system.
Costin Raiu, director of Kaspersky's Global Research and Analysis Team, observed that the malicious payload is not only resistant to any interference at boot time, but cannot even be read back under normal conditions: “[For] most hard drives there are functions to write into the hardware firmware area,” says Raiu, “but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware.”
Though Kaspersky cannot directly connect the actors it dubs ‘the Equation Group’ to the NSA, it contends that the group's toolkit – which includes the firmware-rewriting module and a worm called ‘Fanny’ – is solidly associated with Stuxnet, the NSA-linked weapon used in a cyber-attack on a uranium enrichment facility in Iran: Fanny used exploits that later appeared in Stuxnet, suggesting the two teams shared or exchanged them.
Reuters reports that a former NSA employee confirmed the accuracy of the Kaspersky findings. A second Reuters source separately confirmed that the NSA had developed ‘the prized technique of concealing spyware in hard drives’, but could not say which agency or department was making use of the capability.
The Fanny worm is designed to map the topology of air-gapped networks – networks physically isolated from the internet – by using the USB sticks carried between machines as its channel: commands ride in on an infected stick, and the data collected rides out on it. Once the stick is plugged into an internet-connected machine, the harvested information is relayed to a network of command-and-control (C&C) servers.
The report identifies seven exploits attributable to the Equation Group, including one against the version of the Firefox web browser bundled with the Tor anonymity software's browser.
The revelation seems likely to damage trade links between the West and the East, and China in particular, which in 2014 decided to replace the IBM technology in its Tiansuo K1 system with Chinese-originated servers from Inspur.