NSA Strongly Suspected In 'Equation Group' Hacks On Russian, Iranian Hard Drives

Posted: March 12, 2015 at 7:49 pm

The U.S. National Security Agency may have been planting surveillance software into hard drives and other essential computer equipment sold around the world for more than a decade through a shadowy organization known as the Equation Group, a respected cybersecurity researcher says. The revelation, if true, indicates that operators within the NSA have been collecting far more information on the spy agency's behalf than previously thought.

The Equation Group manipulated hard drives manufactured by Toshiba, Seagate, IBM, Western Digital and others dating back as far as 2001, researchers at the Moscow-based cybersecurity firm Kaspersky Lab said Wednesday. Equation has also proven able to reprogram a machine's firmware, meaning that hackers were able to monitor even the most mundane activity on tens of thousands of individual PCs without their owners' knowledge.

Privacy experts say the disclosures highlight the need for international companies to do more to protect customers from evolving threats to their online security.

Existence of the Equation Group, believed to be made up of 60 or so actors, was first revealed at Kaspersky's annual security summit in Mexico on Feb. 16. Kaspersky on Wednesday released further information that strongly links the organization to the NSA.

The dense technical language in the Kaspersky report essentially argues that spies were able to install malicious software into computer hard drives that activate again and again each time the computer powers on.

Researchers found source code that makes reference to STRAITACID, STRAITSHOOTER, and BACKSNARF_AB25. Those names bear a remarkable resemblance to BACKSNARF and STRAITBIZARRE, two malware campaigns used by the NSA's Tailored Access Operations team and first revealed by former NSA contractor Edward Snowden.

Costin Raiu, Kaspersky's lead researcher on the project, told Reuters that while the Equation Group was able to steal files on any of the infected computers, they assumed full control only of computers used by high-value targets. Disk drive firmware, which was infected in this hack, is the second-most valuable space on a computer for hackers (after a microprocessor's input/output system), the news outlet reported.

The Equation Group appears to rely on the programs EquationDrug and GrayFish for its espionage operations.

"It's important to note that EquationDrug is not just a Trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules of selected victims," stated a version of the report updated Wednesday. "The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via custom message passing interface."

Again, Kaspersky did not officially pin the Equation Group on the NSA, but pointed out links that are hard to dismiss as coincidence.
