Infected hard drive firmware allows just about anyone to spy on you


According to anti-virus maker Kaspersky, we could all be at risk of being spied on by a hacker group called Equation Group, a rogue element in the computer industry that has been responsible for a few viruses before. It has been rumored that this same group does work on behalf of several companies, governments and individuals who need access to some very strong software to get the information that they want. Kaspersky warns in a blog post that the group has infiltrated the firmware of several hard drive manufacturers' products and has access to just about anything and everything ever stored on the affected drives. Hit the jump for more info.

The worst part about the revelations of the trojan horse sitting in the drive’s firmware is that there’s pretty much no way you’d ever be able to know that you were infected. The Equation Group has been known for at least six trojan horses in the past two decades and Kaspersky’s findings are that the infections of hard drive firmware have been ongoing since 2001. Kaspersky says that their Global Research and Analysis Team recently got their hands on two of the programming modules for the Equation Group’s firmware hacks and are in the process of analysing their uses and reverse-engineering the code in order to figure out how the other firmware hacks might function.

[Image: Equation Group – list of trojan names]

All of the above names are the names of trojan horses created by Equation Group. They all reside in the infected firmware of hard drives and they all do very different things. The underlying viruses that enable these kinds of attacks are EquationLaser, DoubleFantasy and TripleFantasy. Kaspersky says that in their analysis of the systems, if all three exploits do not give the trojans access to the operating system or the data held on the drive, no exploits are carried out.

Fanny, for example, executes commands silently, with the operating system remaining oblivious, through the use of a USB drive that has a hidden partition containing commands and instructions for the Fanny virus. Once the USB drive is plugged in, it executes the commands, saves whatever data is captured onto the hidden partition and later uploads that data to a remote server once plugged into a computer with an internet connection.
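The USB hidden-storage behaviour described above suggests one triage check a defender can run on a suspect removable drive: parse the MBR partition table and flag unallocated regions between or after the visible partitions, since storage that sits outside every filesystem has to live somewhere on the medium. The Python script below is an added example, not code from the original post or from Kaspersky. It constructs its own sample partition table inline, and it assumes, as a simplification, that a hidden storage area would show up as an unallocated gap; a GPT-partitioned stick needs a different parser, and a large gap is only a lead for closer inspection, not evidence of infection on its own.

```python
import os
import struct
import sys

SECTOR = 512
MBR_TABLE_OFFSET = 446      # four 16-byte partition entries start here
MBR_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"  # boot signature at offset 510
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(entries):
    """Build a 512-byte MBR from (type, start_lba, sector_count) tuples.
    Used only to construct the sample image below; CHS fields are zeroed."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        off = MBR_TABLE_OFFSET + i * MBR_ENTRY_SIZE
        struct.pack_into(ENTRY_FMT, mbr, off, 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector0):
    """Return the non-empty partition entries of an MBR as dicts with
    half-open LBA ranges [start, end)."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR signature at offset 510")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + i * MBR_ENTRY_SIZE
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, sector0, off)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({"index": i, "type": ptype, "start": start,
                      "end": start + count, "bootable": status == 0x80})
    return parts


def find_unallocated(parts, total_sectors, min_sectors=2048):
    """List unallocated [start, end) sector ranges not covered by any partition.
    Gaps smaller than min_sectors (default 1 MiB) are dropped, because a short
    alignment gap before the first partition is normal and not interesting."""
    gaps = []
    cursor = 1  # LBA 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors))
    return [(s, e) for s, e in gaps if e - s >= min_sectors]


def triage(sector0, total_sectors):
    """Human-readable summary of partitions and suspicious gaps."""
    parts = parse_mbr(sector0)
    lines = [f"partition {p['index']}: type 0x{p['type']:02x} LBA {p['start']}-{p['end']}" for p in parts]
    for s, e in find_unallocated(parts, total_sectors):
        lines.append(f"UNALLOCATED: LBA {s}-{e} ({(e - s) * SECTOR / 2**20:.1f} MiB) - inspect")
    return lines


# Constructed sample: a 2,000,000-sector stick (about 977 MiB) with a FAT32 and
# an NTFS partition, leaving ~48 MiB between them and ~195 MiB at the end unallocated.
SAMPLE_TOTAL_SECTORS = 2_000_000
SAMPLE_MBR = build_mbr([
    (0x0B, 2048, 1_000_000),
    (0x07, 1_100_000, 500_000),
])

if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python mbr_gaps.py /path/to/usb.img
        with open(sys.argv[1], "rb") as f:
            sector0, total = f.read(SECTOR), os.path.getsize(sys.argv[1]) // SECTOR
    else:
        sector0, total = SAMPLE_MBR, SAMPLE_TOTAL_SECTORS
    print("\n".join(triage(sector0, total)))
```

Run it against a raw image of the stick (taken with a write blocker, so the image itself is the evidence) and follow up on any reported gap with a hex viewer or entropy check; a gap full of zeroes is merely slack, while one holding structured or high-entropy data deserves a closer look.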

“We are practically blind, and cannot detect hard drives that have been infected by this malware.” – Kaspersky

Kaspersky says that they’ve been studying Equation Group since they discovered the hacked firmware, and continue to discover new uses for the software. One of these is allowing for the installation of keyloggers into the system, or saving the decryption key of an encrypted hard drive for later use. It also opens up an attack vector for others like the Stuxnet virus, or various botting systems that take control of your computer and hook it up into a botnet on the internet. The Equation Group on its own commands more than 100 servers and 300 domains on the internet.

Another worry is that the GrayFish trojans are particularly damaging from a national-security standpoint. GrayFish can take over a hard drive’s partitions, upload them to a remote server and refuse any access to data stored on the drive, going as far as to lock out the partition completely. When used in conjunction with Fanny, GrayFish can upload an encrypted set of data to a server and Fanny can provide the decryption key for the data, and all the while it will happen completely transparently to the user.

“Once the hard drive gets infected with this malicious payload, it is impossible to scan its firmware,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab. “To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware.”

What can you do?

Well, there’s nothing we can do. Nothing. Seriously, if a hacker group is embedding their code into the drive’s firmware BEFORE it even reaches distributors, then they’re already so powerful and have so much clout with governments, and the organisations who are involved in the manufacture and distribution of data storage devices, that nothing short of a miracle will break down the system. There’s no way to tell if you’ve been infected. There’s no way of getting rid of the infection except to destroy the hard drive and buy a new one. There’s a chance that you have an infected drive, but you just won’t know it.

To date, the firmware hacks used by the Equation Group have been spread to infect hard drives in as many as 30 countries worldwide in the fields of government and diplomatic institutions, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, mass media, transportation, financial institutions and companies developing encryption technologies. Thousands and thousands of hard drive infections, with thousands more waiting to be used.

There isn’t even a method of escape, because the attacks carried out by Equation Group aren’t publicised and occur in both the digital and the real world. Kaspersky’s data only pertains to hard drives for now, but they claim to have seen similar hacks into the firmware of USB flash drives and CD/DVD drives, and it’s possible that they’ll stumble onto infected SSDs as well. The antivirus creator says their work on the matter is ongoing and they will share more knowledge on the drive firmware hacks as they become more familiar with the code and technologies in use.

Source: Kaspersky Labs