Security researchers at Kaspersky Lab have unearthed a suite of surveillance platforms that can hide within the firmware of hard drives from more than a dozen manufacturers. The attackers, whom Kaspersky is calling the Equation Group due to their complex skill set, are the most advanced that the researchers have encountered to date.
The programs, some of which date back to 2001, appear to have been developed in succession with each new program being more sophisticated than the last. Personal computers in more than 30 different countries have been discovered to carry the infection.
One of the worms uncovered has direct connections with Stuxnet and may have even been used as a test to help figure out the best route for the malware to reach systems involved in Iran’s nuclear program. Researchers didn’t name who they believe might be behind the attacks although there’s a good bit of circumstantial evidence that points to the NSA.
One component of the suite, GrayFish, is able to re-flash the firmware on hard drives. Because it resides in the firmware, reformatting the drive doesn't get rid of the infection. Rewriting the firmware depends on having access to its source code. If the NSA is indeed behind the attacks, obtaining that source code wouldn't present too much of an issue.
In addition to physically intercepting shipments (in this case, hard drives) and loading them with malware before repackaging them and sending them on to targets, the NSA could have simply asked manufacturers for their source code (directly or indirectly) or posed as software developers.