Kaspersky Reveals Hardware Based Stealth Spyware Used By Intelligence Agencies

Cyber espionage is not a new game, but it has become more apparent and visible these days. Intelligence agencies the world over have been using various techniques and methods to infiltrate and track users of interest to them. These methods include both hardware-based and software-based spyware. The National Security Agency (NSA) of the United States has even used radio waves to conduct electronic surveillance.

As per the Cyber Security Trends in India 2015 by Perry4Law Organisation (P4LO), malware such as Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, Gameover Zeus (GOZ), Carbanak, etc. would increase further in the year 2015. These are sophisticated and customised malware families that remained in operation for decades without being tracked by their victims.

Traditional hardware-based and software-based security mechanisms have failed to protect the crucial assets and sensitive information of various organisations and nations. An out-of-the-box solution is the need of the hour to tackle present-day malware. For instance, the Moscow-based security software maker Kaspersky Lab has recently discovered hidden spyware in the hard drives of computers. Kaspersky called the authors of the spying program “the Equation group,” named after their embrace of complex encryption formulas. More details can be found in the document titled Equation Group: Questions and Answers (PDF) released by Kaspersky.

The affected hard drives are manufactured by Western Digital, Seagate, Toshiba and other top manufacturers, which makes their use a potential cyber hazard. Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

Although Kaspersky has not yet publicly named the country or organisation behind this spyware, it has claimed that the work is attributable to the same people who are behind the Stuxnet malware. Some claim that Stuxnet is a product of the U.S. National Security Agency (NSA). This view has been affirmed by a former NSA employee who told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it. NSA spokeswoman Vanee Vines declined to comment.

Kaspersky believes that this sort of cyber espionage is possible only if a person or organisation has access to the source code of the hardware, known as its firmware. Once that access exists, the code can be manipulated in the way the NSA is alleged to have done. The spyware is activated the moment a computer with an infected hard drive is switched on. Since the spyware/malware boots from the firmware, antivirus and anti-malware products cannot detect it, and the malware keeps on working stealthily.

A firmware infection is the second most sought-after method used by crackers and cyber criminals to infect and compromise a system; BIOS infection through a rootkit is, obviously, the favourite method of such cyber criminals. No matter how many times a user disinfects the computer, the hardware/BIOS-based malware would keep on infecting it again and again. This is so even if the user reinstalls the operating system, as the infection is not at the OS level but beneath it, in the firmware itself.

Kaspersky has stated that the owner of this still-active malware could have taken complete control of the systems using the infected hard drives, but preferred to target a select few of high interest. According to Kaspersky, the malware owner also used other methods of cyber espionage and cyber spying, such as compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny. There seems to be collaboration between the authors of Fanny and Stuxnet, as both exploit two of the same undisclosed software flaws, known as zero-days. Kaspersky believes it is quite possible that the Equation group used Fanny to scout out targets for Stuxnet in Iran and to spread the virus.