A cyberespionage group with a toolset similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries including Iran and Russia.

Kaspersky Lab released a report Monday that said the tools were created by the “Equation” group, which it stopped short of linking to the U.S. National Security Agency.

The tools, exploits and malware used by the group—named after its penchant for encryption—have strong similarities with NSA techniques described in top-secret documents leaked in 2013.

Countries hit the most by Equation include Iran, Russia, Pakistan, Afghanistan, India and China. Targets in those countries included the military, telecommunications, embassies, government, research institutions and Islamic scholars, Kaspersky said.

Kaspersky’s most striking finding is Equation’s ability to infect the firmware of a hard drive, the low-level code that acts as an interface between hardware and software.

The malware reprograms the hard drive’s firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS don’t affect it, and the hidden storage sector remains.

“Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, in a phone interview Monday.

Drives made by Seagate Technology, Western Digital Technologies, Hitachi, Samsung Electronics and Toshiba can be modified by two of Equation’s hard disk drive malware platforms, “Equationdrug” and “Grayfish.”

The report said Equation has knowledge of the drives that goes way beyond public documentation released by vendors.

Equation knows sets of unique ATA commands used by hard drive vendors to format their products. Most ATA commands are public, as they comprise a standard that ensures a hard drive is compatible with just about any kind of computer.

But there are undocumented ATA commands used by vendors for functions such as internal storage and error correction, Raiu said. “In essence, they are a closed operating system,” he said.

Obtaining such specific ATA codes would likely require access to that documentation, which could cost a lot of money, Raiu said.

The ability to reprogram the firmware of just one kind of drive would be “incredibly complex,” Raiu said. Being able to do that for many kinds of drives from many brands is “close to impossible,” he said.

“To be honest, I don’t think there’s any other group in the world that has this capability,” Raiu said.

It appears Equation has been far, far ahead of the security industry. It’s almost impossible to detect this kind of tampering, Raiu said. Reflashing the drive, or replacing its firmware, is also not foolproof, since some types of modules in some types of firmware are persistent and can’t be reformatted, he said.

Given the high value of this exploitation technique, Equation deployed it very selectively.

“During our research, we’ve only identified a few victims who were targeted by this,” Kaspersky’s report said. “This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances.”

Another of Kaspersky’s intriguing findings is Fanny, a computer worm created in 2008 that was used against targets in the Middle East and Asia.

To infect computers, Fanny used two zero-day exploits—the term for a software attack that uses an unknown software vulnerability—that were also coded into Stuxnet, Kaspersky said. Stuxnet, also a Windows worm, was used to sabotage Iran’s uranium enrichment operations. It is thought to be a joint project between the U.S. and Israel.

It’s unlikely the use of the same zero-days was a coincidence. Kaspersky wrote that the similar use of the vulnerabilities means that the Equation group and the Stuxnet developers are “either the same or working closely together.”

“They are definitely connected,” Raiu said.

Both Stuxnet and Fanny were designed to penetrate “air-gapped” networks, those isolated from the Internet, Kaspersky said.

The Equation group also used “interdiction” techniques similar to those used by the NSA in order to deliver malicious software to targets.

Kaspersky described how some participants of a scientific conference held in Houston later received a CD-ROM of materials. The CD contained two zero-day exploits and a rarely seen malware doorstop nicknamed “Doublefantasy.”

It is unknown how the CDs were tampered with or replaced. “We do not believe the conference organizers did this on purpose,” Kaspersky said. But such a combination of exploits and malware “don’t end up on a CD by accident,” it said.

The NSA’s Office of Tailored Access Operations (TAO) specializes in intercepting deliveries of new computer equipment, one of the most successful methods of tapping into computers, wrote Der Spiegel in December 2013, citing a top-secret document.

The German publication was one of several that had access to tens of thousands of spy agency documents leaked by former NSA contractor Edward Snowden.

Kaspersky uncovered the trail of the Equation group after investigating a computer belonging to a research institute in the Middle East that appeared to be the Typhoid Mary for advanced malware.

Raiu said the machine had French, Russian and Spanish APT (advanced persistent threat) samples on it, among others, showing it had been targeted by many groups. It also had a strange malicious driver, Raiu said, which upon investigation led to the extensive command-and-control infrastructure used by Equation.

Kaspersky analysts found more than 300 domains connected with Equation, with the oldest one registered in 1996. Some of the domain name registrations were due to expire, so Kaspersky registered around 20 of them, Raiu said.

Most of the domain names aren’t used by Equation anymore, he said. But three are still active. The activity, however, doesn’t lend much of a clue as to what Equation is up to these days, as the group changed its tactics in late 2013.

“Those three [domains] are very interesting,” Raiu said. “We just don’t know what malware is being used.”
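Once an investigation like Kaspersky’s has published the command-and-control domains it attributes to a group, the practical step for a defender is to check whether hosts on their own network ever resolved them. The script below is an added illustration of that check and is not code from Kaspersky’s report; the watchlist domains and the resolver log lines are constructed placeholders (`.invalid` and `.test` names), not the real Equation infrastructure. It matches both exact domains and their subdomains, and deliberately does not match a lookalike that merely contains a watchlisted name as a prefix.

```python
import re
from dataclasses import dataclass

# Constructed watchlist standing in for domains attributed to a campaign.
# Placeholder names only; no real command-and-control infrastructure.
WATCHLIST = {
    "example-c2-one.invalid",
    "example-c2-two.invalid",
    "update-service.example.net",
}

# Constructed resolver log in a simplified "timestamp client query" format.
SAMPLE_LOG = """\
2015-02-16T09:12:01Z 10.0.0.12 www.example.org
2015-02-16T09:12:07Z 10.0.0.12 EXAMPLE-C2-ONE.invalid.
2015-02-16T09:13:44Z 10.0.0.31 beacon.update-service.example.net
2015-02-16T09:14:02Z 10.0.0.31 update-service.example.net.evil.test
2015-02-16T09:15:10Z 10.0.0.7 mail.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    query: str      # the name exactly as it appeared in the log
    matched: str    # the watchlist entry it matched


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot of a fully qualified name."""
    return name.rstrip(".").lower()


def match_watchlist(query: str, watchlist=WATCHLIST):
    """Return the watchlist entry that `query` equals or is a subdomain of.

    Suffix matching is label-aware: 'a.b.example.net' matches 'example.net',
    but 'example.net.evil.test' does not, because the watchlisted name is
    not at the end of the queried name.
    """
    q = normalize(query)
    for entry in watchlist:
        w = normalize(entry)
        if q == w or q.endswith("." + w):
            return w
    return None


def scan_dns_log(text: str, watchlist=WATCHLIST):
    """Parse resolver log lines and return every lookup of a watchlisted name."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing
        ts, client, query = m.groups()
        matched = match_watchlist(query, watchlist)
        if matched:
            hits.append(Hit(ts, client, query, matched))
    return hits


def clients_by_domain(hits):
    """Group affected clients under each matched domain for triage."""
    summary = {}
    for h in hits:
        summary.setdefault(h.matched, set()).add(h.client)
    return summary


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client} queried {h.query} (watchlist: {h.matched})")
```

Run against the constructed log, the scan reports two hits (the mixed-case exact match and the subdomain beacon) and ignores the `update-service.example.net.evil.test` lookalike. In a real deployment the watchlist would be loaded from a published indicator list and the log reader pointed at the organisation’s resolver or proxy logs; the matching logic stays the same.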