Equation Group (NSA) malware hides into HDD/SSD firmware

Posted on Tuesday, Feb 17 2015 @ 13:15 CET by Thomas De Maesschalck
Security researchers from Kaspersky Labs exposed a highly sophisticated cyber espionage operation that infects the firmware of hard drives built by all major manufacturers. Once a hard drive is infected, the malware runs every time the computer boots, and unlike traditional malware it can't be removed simply by formatting the drive and reinstalling the OS. This is not the only feat Kaspersky discovered, but the ability to infect HDD firmware in the wild makes the Equation Group one of the most advanced threat actors the security firm has ever seen.

Earlier versions of the malware supported Maxtor, Seagate, WD and Samsung drives, but newer, upgraded modules added support for HGST, IBM, Hitachi, ExcelStor, Micron, Toshiba, OCZ, OWC, Corsair and Mushkin, so pretty much all storage devices, including SSDs, can be infected. Kaspersky does note that the firmware reprogramming appears to be extremely rare: they've only identified a few victims who were targeted by this kind of attack. The firm speculates that the Equation Group reserves HDD reprogramming for the most valuable victims or for some very unusual circumstances.

The malware originates from the "Equation Group", an organisation believed to have ties with the US government, and Kaspersky claims the complexity and scale of the operation make Stuxnet seem like child's play. A 44-page report that details Kaspersky's findings can be read over here (PDF). Reuters spoke to its sources and received confirmation that the NSA is behind these attacks.

Victims of the Equation Group were observed in more than 30 countries, including Iran, Russia, Syria, Afghanistan, Kazakhstan, Belgium, Somalia, Hong Kong, Libya, United Arab Emirates, Iraq, Nigeria, Ecuador, Mexico, Malaysia, United States, Sudan, Lebanon, Palestine, France, Germany, Singapore, Qatar, Pakistan, Yemen, Mali, Switzerland, Bangladesh, South Africa, Philippines, United Kingdom, India and Brazil.

Equation has been active perhaps as early as 1996, but it boosted its operations in 2008, developing several incredibly powerful cyberweapons. Kaspersky named these tools Equationdrug, Doublefantasy, Triplefantasy, Grayfish, Fanny and Equationlaser. Together, this malware suite was able to infect Windows computers, USB sticks and even hard drive firmware, letting Equation steal data from targeted computers and stay undetected for years.


All in all, Kaspersky counted more than 500 infections globally, many on important, server-type machines. However, the infections have a self-destruct mechanism, meaning there may have been many more which are now undetectable.

Image: Equation Group map

Source: Mashable

About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. He enjoys playing with new tech, is fascinated by science, and is passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.