Tuesday, February 17, 2015

Kaspersky: NSA's Surveillance Backdoor embedded in Hard Disk Firmwares Targets Pakistan, Russia, China

Throughout the extended weekend, there had been rumors circulating around the blogosphere that a huge NSA hacking story—not originating via Edward Snowden—was about to break, and it was going to be a doozey. Sure enough, it’s all but “official,” per breaking news from Moscow-based Kaspersky Lab, one of the most highly-regarded cybersecurity firms in the world, via stories over the past few hours in Tuesday’s NY Times, Reuters and ARS Technica, among others, we’re now learning that America is the source of the greatest software exploitation (hacking) travesty ever reported.

As you’ll learn in the excerpted breaking stories, below, apparently, the NSA’s toolbox includes its ability to hack virtually every hard drive on the planet (even including those in “airgap” mode, unconnected to a network, via deviously-hidden code on data sticks); then, embed its code in the hard drive’s firmware, so securely and covertly that even a disk-wipe won’t erase the malware on the drive!

Let’s start off with the NY Times’ downplayed and propagandized version of the story. (Contrary to the NYT’s headline, a review of the Kaspersky Lab report, available in full below, indicates that there were, and are, NSA-related hacks inside the U.S. as well. Ars Technica provides the most comprehensive and outstanding coverage of this story, which is linked and excerpted further down. Reuters, also linked and excerpted below, provides extremely convincing proof positive that this is a 14-plus-year-long story about the National Security Agency’s hacking efforts, which Ars Technica describes as “…the most advanced hacking operation ever uncovered…”)

U.S. Embedded Spyware Overseas, Report Claims By NICOLE PERLROTH and DAVID E. SANGER
New York Times (Page B1)
February 17th, 2015
SAN FRANCISCO — The United States has found a way to permanently embed surveillance and sabotage tools in computers and networks it has targeted in Iran, Russia, Pakistan, China, Afghanistan and other countries closely watched by American intelligence agencies, according to a Russian cybersecurity firm.
In a presentation of its findings at a conference in Mexico on Monday, Kaspersky Lab, the Russian firm, said that the implants had been placed by what it called the “Equation Group,” which appears to be a veiled reference to the National Security Agency and its military counterpart, United States Cyber Command.
It linked the techniques to those used in Stuxnet, the computer worm that disabled about 1,000 centrifuges in Iran’s nuclear enrichment program. It was later revealed that Stuxnet was part of a program code-named Olympic Games and run jointly by Israel and the United States.
Kaspersky’s report said that Olympic Games had similarities to a much broader effort to infect computers well beyond those in Iran. It detected particularly high infection rates in computers in Iran, Pakistan and Russia, three countries whose nuclear programs the United States routinely monitors…

The extensive NYT report continues on to note: “Some of the implants burrow so deep into the computer systems, Kaspersky said, that they infect the ‘firmware,’ the embedded software that preps the computer’s hardware before the operating system starts. It is beyond the reach of existing antivirus products and most security controls, Kaspersky reported, making it virtually impossible to wipe out.”
The report continues, “In many cases, it also allows the American intelligence agencies to grab the encryption keys off a machine, unnoticed, and unlock scrambled contents. Moreover, many of the tools are designed to run on computers that are disconnected from the Internet, which was the case in the computers controlling Iran’s nuclear enrichment plants.”
The report indicates that Kaspersky tracked “more than 60 [Equation Group] attack groups…in cyberspace…”, and that “…the so-called Equation Group ‘surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades…’”

Equation Group victims map (Source: Kaspersky Lab)

The NSA’s Equation Group has hacked the products of the following seven hard drive manufacturers (there were actually more than that on the Kaspersky list, but the other manufacturers have merged with the companies on this short list); essentially, this list represents companies that produce almost all of the hard drives in the world:

Maxtor
Seagate
Western Digital
Samsung
Toshiba
Hitachi
Micron

Forensics software displays some of the hard drives Equation Group was able to commandeer using malicious firmware. (Source: Kaspersky Lab via Ars Technica)

Ars Technica’s coverage of this story is nothing short of superb! I strongly recommend it. Unfortunately, due to usage restraints, I’m only excerpting a small portion of it…

How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
"Equation Group" ran the most advanced hacking operation ever uncovered.

by Dan Goodin -
Ars Technica
Feb 16, 2015 11:00am PST
CANCUN, Mexico — In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn't know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail.
It wasn't the first time the operators—dubbed the "Equation Group" by researchers from Moscow-based Kaspersky Lab—had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination…
Ars Technica lists the six pieces of Equation Group malware discovered by Kaspersky (from the Kaspersky Lab report; see full report, farther down)…
EquationLaser: an early implant in use from 2001 to 2004.
DoubleFantasy: a validator-style trojan designed to confirm if the infected person is an intended target. People who are confirmed get upgraded to either EquationDrug or GrayFish.
EquationDrug: also known as Equestre, this is a complex attack platform that supports 35 different modules and 18 drivers. It is one of two Equation Group malware platforms to re-flash hard drive firmware and use virtual file systems to conceal malicious files and stolen data.
GrayFish: the successor to EquationDrug and the most sophisticated of all the Equation Group attack platforms. It resides completely in the registry and relies on a bootkit to take hold each time a computer starts. Whereas EquationDrug re-flashed hard drives for six models, GrayFish re-flashed 12 classes of hard drives. GrayFish exploits a vulnerability in the CloneCD driver ElbyCDIO.sys—and possibly drivers of other programs—to bypass Windows code-signing requirements.
Fanny: A computer worm that exploited what in 2008 were two zero-day vulnerabilities in Windows to self-replicate each time an infected USB stick was inserted into a targeted computer. The main purpose of Fanny was to conduct reconnaissance on sensitive air-gapped networks. After infecting a computer not connected to the Internet, Fanny collected network information and saved it to a hidden area of the USB drive. If the stick was later plugged in to an Internet-connected computer, it would upload the data to attacker servers and download any attacker commands. If the stick was later plugged into the air-gapped machine, the downloaded commands would be executed. This process would continue each time the stick was switched between air-gapped and Internet-connected machines.
TripleFantasy: A full-featured backdoor sometimes used in tandem with GrayFish.
More from Ars Technica...
Hacking without a budget
The money and time required to develop the Equation Group malware, the technological breakthroughs the operation accomplished, and the interdictions performed against targets leave little doubt that the operation was sponsored by a nation-state with nearly unlimited resources to dedicate to the project. The countries that were and weren't targeted, the ties to Stuxnet and Flame, and the Grok artifact found inside the Equation Group keylogger strongly support the theory the NSA or a related US agency is the responsible party, but so far Kaspersky has declined to name a culprit.
Update: Reuters reporter Joseph Menn said the hard-drive firmware capability has been confirmed by two former government employees. He wrote:
…A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it…
Update: Several hours after this post went live, NSA officials e-mailed the following statement to Ars:
We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details. On January 17, 2014, the President gave a detailed address about our signals intelligence activities, and he also issued Presidential Policy Directive 28 (PPD-28). As we have affirmed publicly many times, we continue to abide by the commitments made in the President’s speech and PPD-28. The U.S. Government calls on our intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats - including terrorist plots from al-Qaeda, ISIL, and others; the proliferation of weapons of mass destruction; foreign aggression against ourselves and our allies; and international criminal organizations.
What is safe to say is that the unearthing of the Equation Group is a seminal finding in the fields of computer and national security, as important, or possibly more so, than the revelations about Stuxnet. "The discovery of the Equation Group is significant because this omnipotent cyber espionage entity managed to stay under the radar for almost 15 years, if not more," Raiu said. [Diarist’s Note: Reference is to Costin Raiu, director of Kaspersky Lab's global research and analysis team.] "Their incredible skills and high tech abilities, such as infecting hard drive firmware on a dozen different brands, are unique across all the actors we have seen and second to none. As we discover more and more advanced threat actors, we understand just how little we know. It also makes us reflect about how many other things remain hidden or unknown."

And, last but not least, Reuters

Russian researchers expose breakthrough U.S. spying program

By Joseph Menn
Reuters (SAN FRANCISCO)
Mon Feb 16, 2015 5:10pm EST
(Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.
That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.
Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)
The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.
A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it…
Here’s the entire Kaspersky Lab report: “Equation Group Questions and Answers”


(dailykos.com)
Pakistan Cyber Force