The US National Security Agency has been hiding spyware within the firmware of hard-disk drives made by Seagate, Samsung, Toshiba, and Western Digital – and other major manufacturers – in a spy programme that has been running for almost 20 years, according to security software company Kaspersky.
Kaspersky claims to have found the spyware lurking in the firmware of PC hard-disk drives in as many as 30 countries worldwide, with Iran the most affected country. PCs in Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria were also affected. The targets included government and military institutions, telecoms companies, banks, energy companies, nuclear researchers, media, and Islamic activists.
Kaspersky claims that the attacks – carried out by a group it has dubbed “the Equation group” – may date back as far as 1996, and were certainly being conducted from 2001. “The Equation group uses multiple malware platforms, some of which surpass the well-known ‘Regin’ threat in complexity and sophistication. The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen,” claims the report from Kaspersky.
It continues: “In general, the Equation group uses a specific implementation of the RC5 encryption algorithm throughout their malware. Some of the most recent modules use RC6, RC4 and Advanced Encryption Standard (AES) too, in addition to other cryptographic functions and hashes.
“One technique in particular caught our attention and reminded us of another complex malware, Gauss. The GrayFish loader uses SHA-256 one thousand times over the unique NTFS object ID of the victim’s Windows folder to decrypt the next stage from the registry. This uniquely ties the infection to the specific machine, and means the payload cannot be decrypted without knowing the NTFS object ID,” explains the report.
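The machine-bound decryption described in that passage is the reason an analyst holding only a registry dump cannot recover the next stage: the key is a function of a value that exists only on the victim machine. The script below is an added illustration, not code from the Kaspersky report or from the malware, of how such a scheme works and of the check an incident responder would run once the NTFS object ID of the Windows folder has been recovered from the victim's disk. It assumes the report's "SHA-256 one thousand times" is a plain iterated hash (each round hashing the previous digest), and it substitutes an HMAC-SHA256 counter keystream for the unspecified cipher; the object ID, the payload and the magic-byte check are constructed sample values.

```python
import hashlib
import hmac

# The report states SHA-256 is applied one thousand times over the object ID.
ROUNDS = 1000

# Constructed sample values (assumptions, not values from the report):
# a 16-byte GUID standing in for the Windows folder's NTFS object ID, and a
# stand-in "next stage" that starts with the DOS header bytes "MZ".
SAMPLE_OBJECT_ID = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_STAGE = b"MZ" + b"\x00" * 14 + b"constructed next-stage payload"
MAGIC = b"MZ"  # what a correct decryption is expected to begin with


def derive_key(object_id: bytes, rounds: int = ROUNDS) -> bytes:
    """Iterate SHA-256 over the object ID (assumption: each round hashes the
    previous digest). The result is a 32-byte key unique to that machine."""
    digest = object_id
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here only as a stdlib stand-in for the
    cipher the report does not name (assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "little"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def bind_stage(plaintext: bytes, object_id: bytes) -> bytes:
    """Produce a blob that only decrypts under this machine's object ID
    (used here solely to build the constructed sample)."""
    return _xor(plaintext, keystream(derive_key(object_id), len(plaintext)))


def decrypt_stage(blob: bytes, object_id: bytes) -> bytes:
    """Inverse of bind_stage; the same keystream XORed back off the blob."""
    return _xor(blob, keystream(derive_key(object_id), len(blob)))


def try_candidates(blob: bytes, candidates):
    """Analyst's check: try every object ID recovered from the disk image and
    return the first one whose decryption yields a recognisable payload."""
    for cand in candidates:
        plaintext = decrypt_stage(blob, cand)
        if plaintext.startswith(MAGIC):
            return cand, plaintext
    return None, None


# Constructed registry blob as it would be found on the victim machine.
SAMPLE_BLOB = bind_stage(SAMPLE_STAGE, SAMPLE_OBJECT_ID)

if __name__ == "__main__":
    wrong_id = bytes.fromhex("ffffffffffffffffffffffffffffffff")
    found, stage = try_candidates(SAMPLE_BLOB, [wrong_id, SAMPLE_OBJECT_ID])
    print("recovered with object ID:", found.hex() if found else None)
    print("stage begins with MZ:", stage is not None and stage.startswith(MAGIC))
```

On a live Windows system the object ID of a folder can be read with `fsutil objectid query <path>`; from a disk image it is the `$OBJECT_ID` attribute of the folder's MFT record. The point of the check is that without that value, which Kaspersky would not have had for most victims, the blob in the registry is indistinguishable from random data, so preservation of the original disk (not just a registry export) matters during collection.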
The company claims to have identified several malware platforms within the Equation group. These include:
• EquationDrug: A complex attack platform used by the group on its victims. It supports a module plug-in system, which can be dynamically uploaded and unloaded by the attackers;
• DoubleFantasy: A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they are upgraded to a more sophisticated platform, such as EquationDrug or GrayFish;
• Equestre: Same as EquationDrug;
• TripleFantasy: Full-featured backdoor, sometimes used in tandem with GrayFish. Looks like an upgrade of DoubleFantasy, and is possibly a more recent validator-style plug-in;
• GrayFish: The most sophisticated attack platform from the Equation group. It resides completely in the registry, relying on a bootkit to gain execution at operating system start-up;
• Fanny: A computer worm created in 2008 and used to gather information about targets in the Middle East and Asia. Some victims appear to have been upgraded first to DoubleFantasy, and then to the EquationDrug system. Fanny used exploits for two zero-day vulnerabilities which were later discovered with Stuxnet;
• EquationLaser: An early implant from the Equation group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DoubleFantasy and EquationDrug.
A victim doesn’t immediately get infected with EquationDrug, claims Kaspersky. First, the attackers infect them with DoubleFantasy, which is a validator-style plug-in. If the victim is confirmed as interesting to the attackers, the EquationDrug installer is delivered.
“GrayFish is the most modern and sophisticated malware implant from the Equation group. It is designed to provide an effective (almost “invisible”) persistence mechanism, hidden storage and malicious command execution inside the Windows operating system,” claims Kaspersky.
It continues: “By all indications, GrayFish was developed between 2008 and 2013 and is compatible with all modern versions of Microsoft’s operating systems, including Windows NT 4.0, Windows 2000, Windows XP, Windows Vista, Windows 7 and 8 – both 32-bit and 64-bit versions.
“To store stolen information, as well as its own auxiliary information, GrayFish implements its own encrypted Virtual File System (VFS) inside the Windows registry. To bypass modern OS security mechanisms that block the execution of untrusted code in kernel mode, GrayFish exploits several legitimate drivers, including one from the CloneCD program. This driver (ElbyCDIO.sys) contains a vulnerability which GrayFish exploits to achieve kernel-level code execution. Despite the fact that the vulnerability was discovered in 2009, the digital signature has not yet been revoked,” claims the report.
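An encrypted virtual file system stored inside the registry leaves a footprint that is unusual for that location: large binary values whose bytes are close to uniformly distributed. The script below is an added hunting example, not code from the Kaspersky report, that scores registry values by size and Shannon entropy and flags the ones that look like encrypted storage. The registry contents are a constructed in-memory sample (paths, names and data are assumptions); on a real system the same function would be fed values read from an exported hive.

```python
import math
import random
from collections import Counter

# Constructed sample of registry values as (path, data) pairs. The large blob is
# generated from a seeded PRNG so the example is deterministic; it stands in for
# an encrypted container, not for any real GrayFish artefact.
_rng = random.Random(2015)
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Vendor\App\InstallPath": "C:\\Program Files\\Vendor\\App".encode("utf-16-le"),
    r"HKLM\SYSTEM\CurrentControlSet\Services\Svc\ImagePath": b"\\SystemRoot\\system32\\drivers\\svc.sys",
    r"HKCU\Software\Vendor\App\WindowPlacement": bytes([0x2C, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0]) * 4,
    r"HKLM\SOFTWARE\Constructed\Container": bytes(_rng.getrandbits(8) for _ in range(16384)),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_suspicious_values(registry, min_size: int = 4096, min_entropy: float = 7.5):
    """Return (path, size, entropy) for values that are both large and nearly
    random-looking, sorted by size descending. Thresholds are assumptions:
    text and structured binary values typically score well below 7.5."""
    hits = []
    for path, data in registry.items():
        if len(data) < min_size:
            continue
        ent = shannon_entropy(data)
        if ent >= min_entropy:
            hits.append((path, len(data), round(ent, 3)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for path, size, ent in find_suspicious_values(SAMPLE_REGISTRY):
        print(f"{size:>8} bytes  entropy={ent:.3f}  {path}")
```

Treat the output as a triage list rather than a verdict: certificates, compressed settings and some installer caches are legitimately large and high-entropy, so each hit needs to be tied back to the software that owns the key. The second point in the same passage, a signed driver with a known vulnerability whose certificate was never revoked, is the reason hunting should also include inventorying loaded kernel drivers against a blocklist of known-vulnerable signed binaries, since a valid signature on its own says nothing about whether the driver is safe to have on the machine.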
The 44-page report by Kaspersky may lend weight to long-running claims that software vendors have colluded with US authorities by leaving particular vulnerabilities unpatched, or even providing backdoors into their systems that can subsequently be exploited by the NSA.
A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. “Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it,” reported the news agency.
The NSA refused to publicly comment on the report.