The Equation Group’s ability to reprogram hard-drive firmware leaves corporate security pros unable to trust the devices because they can’t tell whether disks have been compromised or not.
“Once the hard drive gets infected with this malicious payload, it’s impossible to scan its firmware,” says Igor Soumenkov, principal security researcher at Kaspersky Lab. “To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware.”
Beyond that, the tampering Equation Group does with the firmware can survive reformatting the disk and reinstalling the operating system, giving it “extreme persistence,” and providing invisible, persistent storage inside the hard drive, according to the Kaspersky report on the Equation Group.
Kaspersky came to know of the capability when it discovered two firmware-reprogramming modules within larger malware platforms written by Equation Group that are called EQUATIONDRUG and GRAYFISH. In addition to reprogramming, the modules enable an API that gives access to a hidden sector of the hard drive sets up by the malware.
By taking over the firmware, the attackers can insert further malware into the operating system itself, creating a range of exploits that can be customized for individual machines, says Ben Johnson, chief evangelist at Bit9+Carbon Black.
“Because the malware is designed to be modular and is made for the target’s specific environment, it is harder to predict,” says Johnson. “Combine this with a persistence focus, and it means once the attacker is in, it is hard to kick them out. It’s hard to trust a machine when you ask it if a particular process is running and it essentially lies to you because it has been compromised and manipulated.”
Kaspersky says it has found drives made by Seagate and Western Digital that have been compromised. When asked what it recommends customers do about the threat, Western Digital sent an email response that says, in part, “We are in the process of reviewing the report from Kaspersky Labs and the technical data set forth within the report,” but doesn’t offer any suggestions. “Prior to the report, we had no knowledge of the described cyber-espionage program.” Seagate didn’t respond.
So far, the use of this capability by Equation Group has been very limited, the Kaspersky report says. “This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances,” it says.
The problem could become more severe if other malicious actors reverse engineer the ability to infect hard-drive firmware, says Greg Young, a research vice president at Gartner. If a separate bad actor takes control of already distributed malware or a toolkit to make the attack available to others, then the likelihood of its being used increases, he says, “however this is the case with any new attack.”
Kaspersky found a low infection rate in the U.S., where Equation Group targeted mainly Islamic scholars and some others that Kaspersky couldn’t classify. Reuters says it has confirmed through former NSA employees that the agency is behind the group.
Conventional good security practices are the best way to deal with this threat, says Young. “In the larger picture, most enterprises reading this already have many, many unpatched vulnerabilities that they need to shield or patch before worrying about any attacks related to Equation,” he says. “The clear exception are those organizations in or doing much business with countries of interest to Equation.”
Those with high infection rates include Iran, Russia, Pakistan, Afghanistan, India, China, Syria and Mali.
“Sure, the ability to leverage some of these techniques covertly, consistently, and at scale is a big challenge,” says Johnson, “however, the fact that zero-days exist or that code can be encrypted or that firm-ware can be overwritten is absolutely not new or shocking.”
Corporate security pros need to accept that with enough effort and know-how, motivated attackers will succeed in breaching networks, so they need to develop plans for quickly discovering, blocking and wiping out malware activity, he says.
“And finally, never be satisfied,” Johnson says. “Once you think you’re entirely clean, keep looking — assume that something is still there hiding.”