‘Breakthrough’ NSA spyware shows deep grasp of makers’ hard drives
‘All-powerful’ spyware on hard drives an unprecedented technique, experts say
What seems to be a U.S.-run computer espionage program has reportedly figured out how to employ a “breakthrough” snooping tactic — the implanting of spyware into hard drives — that could compromise most of the world’s computers.
As a matter of policy, Kaspersky Lab, which publicized the discovery in a report on Monday, withheld the name of the country it suspects of being behind the operation.
But the Moscow-based anti-virus company said the country behind the implanted spyware was closely linked to Stuxnet, the computer worm deployed by the U.S. National Security Agency to disable Iran’s nuclear-enrichment capabilities.
The Kaspersky Lab report code-named the perpetrator of the spyware “the Equation group,” and said researchers have observed compromised hard drives in more than 30 countries, including Iran, Russia, Syria, Afghanistan, the U.S. and the U.K.
Kaspersky Lab estimates that the program causes about 2,000 infections per month, with targets belonging to the telecom, aerospace, energy, military and nuclear research sectors, as well as governments and financial institutions, among others.
For those in cybersecurity, the possibility of exploiting firmware on disk drives is a big deal because it would affect almost the entire computer market.
‘By the time you go to boot into Windows, it’s already compromised, and this has been hidden for at least eight to 14 years’ – Chris Parsons, University of Toronto’s Citizen Lab
Kaspersky’s analysis suggests the spyware could work on popular hard drives manufactured by Western Digital, Seagate Technology, Toshiba, IBM, Micron Technology and Samsung.
“The value of getting in before everything else loads is you can influence what loads, how it loads, when it loads, and the value is much higher than if you waited until the operating system booted up,” Parsons said.
That’s because most anti-virus programs are designed to act only after the firmware has loaded. This particular program, however, would be “masked” in the firmware itself, beneath the layer those tools inspect.
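Because the implant sits in the drive's own firmware, nothing running on top of the operating system can read the firmware image to verify it. What a defender can still do is keep an inventory of the firmware version each drive reported when it was commissioned and flag any drive whose reported version has changed or that was never recorded. The script below is an added example (not code from the article or from Kaspersky Lab) that parses the "Serial Number" and "Firmware Version" lines printed by `smartctl -i`; the sample output and the inventory baseline are constructed for the example, and the serial numbers and version strings are invented. The caveat a practitioner should keep in mind is that a malicious firmware can report whatever version string it likes, so this is a hygiene check that catches ordinary drift and undocumented drives, not proof of firmware integrity.

```python
import re

# Constructed sample of what `smartctl -i <device>` prints, abridged; the serial
# numbers and firmware strings are invented for this example, not captured data.
SAMPLE_SMARTCTL_OUTPUT = {
    "/dev/sda": (
        "=== START OF INFORMATION SECTION ===\n"
        "Model Family:     Seagate Barracuda 7200.14 (AF)\n"
        "Device Model:     ST1000DM003-1CH162\n"
        "Serial Number:    EXAMPLE0001\n"
        "Firmware Version: CC49\n"
        "User Capacity:    1,000,204,886,016 bytes [1.00 TB]\n"
    ),
    "/dev/sdb": (
        "=== START OF INFORMATION SECTION ===\n"
        "Device Model:     WDC WD10EZEX-08WN4A0\n"
        "Serial Number:    EXAMPLE0002\n"
        "Firmware Version: 02.01A02\n"
    ),
    "/dev/sdc": (
        "=== START OF INFORMATION SECTION ===\n"
        "Device Model:     TOSHIBA DT01ACA100\n"
        "Serial Number:    EXAMPLE0003\n"
        "Firmware Version: MS2OA750\n"
    ),
}

# Hypothetical asset-inventory baseline: serial number -> firmware version that
# was recorded when the drive was commissioned.
BASELINE = {
    "EXAMPLE0001": "CC49",
    "EXAMPLE0002": "01.01A01",
}

# Identification lines of interest, one "Field: value" per line.
_FIELD_RE = re.compile(
    r"^(Device Model|Model Family|Serial Number|Firmware Version):\s+(.*?)\s*$",
    re.MULTILINE,
)


def parse_identity(text):
    """Return {field: value} for the identification lines found in smartctl output."""
    return {m.group(1): m.group(2) for m in _FIELD_RE.finditer(text)}


def check_firmware(outputs, baseline):
    """Compare each drive's reported firmware version with the inventory baseline.

    Returns a list of (device, serial, status, detail) tuples, where status is
    'ok', 'drift' (reported version differs from the baseline), 'unknown'
    (serial not in the baseline) or 'unparsed' (identification lines missing).
    """
    findings = []
    for device in sorted(outputs):
        ident = parse_identity(outputs[device])
        serial = ident.get("Serial Number")
        firmware = ident.get("Firmware Version")
        if not serial or not firmware:
            findings.append((device, serial, "unparsed", "missing identification fields"))
            continue
        expected = baseline.get(serial)
        if expected is None:
            findings.append((device, serial, "unknown", f"reports {firmware}, not in baseline"))
        elif expected != firmware:
            findings.append((device, serial, "drift", f"baseline {expected}, reports {firmware}"))
        else:
            findings.append((device, serial, "ok", firmware))
    return findings


if __name__ == "__main__":
    # On a real host you would feed in the captured `smartctl -i` text per device.
    for device, serial, status, detail in check_firmware(SAMPLE_SMARTCTL_OUTPUT, BASELINE):
        print(f"{device} {serial} {status}: {detail}")
```

Any 'drift' or 'unknown' finding is a reason to pull the drive's firmware through a vendor tool or a hardware-level read rather than to trust the string the drive prints; the check's value is that it turns "which drives changed since we last looked" into a routine inventory question.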