NSA burying spyware within firmware of disk drives made by Seagate, Western Digital and other major manufacturers

The US National Security Agency (NSA) has been hiding spyware within the firmware of hard-disk drives made by Seagate, Samsung, Toshiba, and Western Digital - and other major manufacturers - in a spy programme that has been running for almost 20 years, according to security software company Kaspersky.

Kaspersky claims to have found the spyware lurking in the firmware of PC hard-disk drives in as many as 30 countries worldwide, with Iran the most affected country. PCs in Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria were also affected. The targets included government and military institutions, telecoms companies, banks, energy companies, nuclear researchers, media, and Islamic activists.

Kaspersky claims that the attacks - which it has dubbed "the Equation group" - may date back to as long ago as 1996 - but were certainly being conducted from 2001. "The Equation group uses multiple malware platforms, some of which surpass the well-known 'Regin' threat in complexity and sophistication. The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen," claims the report from Kaspersky.

It continues: "In general, the Equation group uses a specific implementation of the RC5 encryption algorithm throughout their malware. Some of the most recent modules use RC6, RC4 and Advanced Encryption Standard (AES) too, in addition to other cryptographic functions and hashes.

"One technique in particular caught our attention and reminded us of another complex malware, Gauss. The GrayFish loader uses SHA-256 one thousand times over the unique NTFS object ID of the victim's Windows folder to decrypt the next stage from the registry. This uniquely ties the infection to the specific machine, and means the payload cannot be decrypted without knowing the NTFS object ID," explains the report.
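The machine-bound key derivation described above, as an added example (not code from Kaspersky's report or from the Equation group's own implants): SHA-256 is iterated one thousand times over a constructed 16-byte NTFS object ID, and the result only unwraps a stage that was wrapped for that same ID. The stream cipher used to wrap the sample blob is a stand-in, since the page does not say which cipher GrayFish keys with the derived value.

```python
import hashlib

ROUNDS = 1000  # "SHA-256 one thousand times", as the report describes


def derive_stage_key(object_id: bytes, rounds: int = ROUNDS) -> bytes:
    """Iterated SHA-256 over the NTFS object ID of the Windows folder.
    Without the ID there is no way to reproduce the key, which is why an
    analyst must collect it alongside the registry blob."""
    if len(object_id) != 16:
        raise ValueError("an NTFS object ID is a 16-byte GUID")
    digest = object_id
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption: the page does not name the cipher used
    with the derived key): SHA-256 in counter mode XORed over the data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def unwrap_stage(blob: bytes, object_id: bytes) -> bytes:
    """Recover the next stage from a registry blob using the host's object ID."""
    return keystream_xor(derive_stage_key(object_id), blob)


# Constructed sample values: the infected host's object ID and a second host's.
VICTIM_OBJECT_ID = bytes.fromhex("00112233445566778899aabbccddeeff")
OTHER_OBJECT_ID = bytes.fromhex("ffeeddccbbaa99887766554433221100")
STAGE_PLAINTEXT = b"MZ-next-stage-constructed-sample"
# The blob an analyst would carve from the registry: wrapped with the victim's key.
REGISTRY_BLOB = keystream_xor(derive_stage_key(VICTIM_OBJECT_ID), STAGE_PLAINTEXT)

if __name__ == "__main__":
    print(unwrap_stage(REGISTRY_BLOB, VICTIM_OBJECT_ID))  # readable stage
    print(unwrap_stage(REGISTRY_BLOB, OTHER_OBJECT_ID))   # garbage: wrong host
```

On a live Windows host the object ID of a folder can be read with the built-in `fsutil objectid query <path>`, which is the value a responder needs to preserve before imaging.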

The company claims to have identified several malware platforms within the Equation group. These include:

A victim doesn't immediately get infected with EquationDrug, claims Kaspersky. First, the attackers infect them with DoubleFantasy, which is a validator-style plug-in. If the victim is confirmed as interesting to the attackers, the EquationDrug installer is delivered.

"GrayFish is the most modern and sophisticated malware implant from the Equation group. It is designed to provide an effective (almost "invisible") persistence mechanism, hidden storage and malicious command execution inside the Windows operating system," claims Kaspersky.

It continues: "By all indications, GrayFish was developed between 2008 and 2013 and is compatible with all modern versions of Microsoft's operating systems, including Windows NT 4.0, Windows 2000, Windows XP, Windows Vista, Windows 7 and 8 - both 32-bit and 64-bit versions.

"To store stolen information, as well as its own auxiliary information, GrayFish implements its own encrypted Virtual File System (VFS) inside the Windows registry. To bypass modern OS security mechanisms that block the execution of untrusted code in kernel mode, GrayFish exploits several legitimate drivers, including one from the CloneCD program. This driver (ElbyCDIO.sys) contains a vulnerability which GrayFish exploits to achieve kernel-level code execution. Despite the fact that the vulnerability was discovered in 2009, the digital signature has not yet been revoked," claims the report.
