Deep spy finding puts eyes in the hard drive
The NSA, the US digital spy agency, appears to have broken new ground in the depth of its computer surveillance.
Experts say the NSA can implant spyware within the firmware of a hard drive.
Hard drive firmware is one of the deepest levels of computer operation. That code runs on the drive's own controller, manages the drive itself, and is basic to the operation of virtually any computer.
Anti-virus company Kaspersky Lab said in a new report that it had discovered the spyware.
Kaspersky says the implanted spyware is closely related to Stuxnet, the computer worm reportedly deployed by the NSA to sabotage Iran's uranium enrichment centrifuges.
Former NSA employees have told Reuters that the agency can indeed embed spyware in hard drives' firmware, a capability long prized by surveillance agencies everywhere.
Kaspersky's principal security researcher, Vitaly Kamluk, says it represents a new level of spying sophistication.
“Until now, we've never seen malware get to the micro-code, the microsystem running the hard drive itself,” Kamluk said.
Implanting spyware in a hard drive's firmware would require access to the firmware's source code, and perhaps to the product's design documents.
This is a level that “only manufacturers would have access to”, Kamluk said.
He said there were only a few ways the proprietary information for hard drives could be obtained.
“You might have to steal it,” he said.
Kaspersky Lab has code-named the group behind the spyware "the Equation group".
The analysts say the Equation group's malware can target computers running anything from Windows 95 up to Windows 8, and they have found evidence that Mac computers have been compromised as well.
The company has found that most targets of the spying are organisations in the telecoms, aerospace, energy, military and nuclear research sectors, as well as governments and financial institutions.
Kaspersky Lab believes the firmware spying is highly targeted, and counted about 500 victims, but "because of [the] self-destroying function of the malware, the number [of victims] could be much higher," a spokesperson said.
Tom Keenan, a cybersecurity expert at the Canadian Defence and Foreign Affairs Institute, said the fundamental role of firmware made it a big target.
“There's no anti-virus program, no software that can protect you from someone who's going to attack your firmware because all those programs have to talk to the firmware, and the firmware is doing what it pleases,” Keenan said.
“You could even modify firmware on your computer so that every keystroke is captured and sent somewhere.”
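One check an administrator can still run, despite the limits Keenan describes, is to inventory the firmware revision each drive reports and flag any that drifts from the revision recorded when the drive was commissioned. The script below is an added example and is not part of the article or of Kaspersky's report; it parses the identification block that `smartctl -i` prints and compares it against a baseline. The baseline, the drive models, serial numbers and firmware revision strings are all constructed for the example. The caveat is the one Keenan makes: the revision string comes from the firmware under test, so a well-built implant can simply echo the expected value, and this check catches careless drift, not a deliberate forgery.

```python
"""Inventory drive firmware revisions from smartctl-style output and flag drift.

Added example, not code from the article or from Kaspersky's report. It
assumes an administrator keeps a baseline of (model, firmware revision)
pairs collected when drives were commissioned; every value below is
constructed for the demonstration.
"""
import re

# Constructed baseline: model -> firmware revisions recorded at commissioning.
BASELINE = {
    "ST2000DM001-1CH164": {"CC26", "CC27"},
    "WDC WD10EZEX-08M2NA0": {"01.01A01"},
}

# Constructed samples of `smartctl -i` output for three drives (hypothetical values).
SAMPLE_SMARTCTL = {
    "/dev/sda": """
smartctl 7.2 2020-12-30 r5155 [x86_64-linux-5.10.0] (local build)
=== START OF INFORMATION SECTION ===
Model Family:     Seagate Barracuda 7200.14 (AF)
Device Model:     ST2000DM001-1CH164
Serial Number:    Z1E0000A
Firmware Version: CC26
User Capacity:    2,000,398,934,016 bytes [2.00 TB]
""",
    "/dev/sdb": """
=== START OF INFORMATION SECTION ===
Device Model:     WDC WD10EZEX-08M2NA0
Serial Number:    WD-WCC000000001
Firmware Version: 01.01B02
""",
    "/dev/sdc": """
=== START OF INFORMATION SECTION ===
Device Model:     HGST HUS726040ALA610
Firmware Version: A7J0
""",
}

# Matches the identity lines smartctl prints as "Label:   value".
_FIELD = re.compile(r"^(Device Model|Firmware Version|Serial Number):\s*(.+?)\s*$", re.M)


def parse_smartctl_info(text):
    """Return a dict of the identity fields found in an INFORMATION SECTION."""
    return {m.group(1): m.group(2) for m in _FIELD.finditer(text)}


def check_firmware_drift(outputs, baseline):
    """Compare each drive's reported firmware revision against the baseline.

    Returns a list of (device, model, firmware, status) tuples, where status is
    'ok' (known model, expected revision), 'drift' (known model, unexpected
    revision) or 'unknown-model' (no baseline entry for that model).

    Caveat: the revision string is reported by the firmware under test, so a
    tampered drive can echo the expected value; this catches drift, not forgery.
    """
    findings = []
    for dev, text in sorted(outputs.items()):
        info = parse_smartctl_info(text)
        model = info.get("Device Model", "?")
        fw = info.get("Firmware Version", "?")
        if model not in baseline:
            status = "unknown-model"
        elif fw in baseline[model]:
            status = "ok"
        else:
            status = "drift"
        findings.append((dev, model, fw, status))
    return findings


if __name__ == "__main__":
    for dev, model, fw, status in check_firmware_drift(SAMPLE_SMARTCTL, BASELINE):
        print(f"{dev}: {model} fw={fw} -> {status}")
```

On a real host the `SAMPLE_SMARTCTL` dictionary would be filled from `smartctl -i /dev/sdX` for each drive; a `drift` or `unknown-model` result is a reason to pull the drive for out-of-band examination, while an `ok` result proves nothing about the firmware's integrity.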
“The value of getting in before everything else loads is you can influence what loads, how it loads, when it loads, and the value is much higher than if you waited until the operating system booted up,” said researcher Chris Parsons.
“So by the time you go to boot into Windows, it's already compromised, and this has been hidden for at least eight to 14 years.
“By now knowing the kinds of attacks possible, you can be certain that other actors will now try to emulate and copy what we’ve seen here.
“The risk of copycats is now much more likely,” he said.