
Has Equation Group hacked your hard drives? You won't be able to tell.

Tim Greene | Feb. 23, 2015
Infection can survive formatting and reinstalling the operating system.

The Equation Group's ability to reprogram hard-drive firmware leaves corporate security pros unable to trust the devices because they can't tell whether disks have been compromised or not.

"Once the hard drive gets infected with this malicious payload, it's impossible to scan its firmware," says Igor Soumenkov, principal security researcher at Kaspersky Lab. "To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware."

Beyond that, the tampering Equation Group does with the firmware can survive reformatting the disk and reinstalling the operating system, giving it "extreme persistence," and providing invisible, persistent storage inside the hard drive, according to the Kaspersky report on the Equation Group.

Kaspersky came to know of the capability when it discovered two firmware-reprogramming modules within larger malware platforms written by Equation Group, called EQUATIONDRUG and GRAYFISH. In addition to reprogramming the firmware, the modules expose an API that gives access to a hidden sector of the hard drive set up by the malware.

By taking over the firmware, the attackers can insert further malware into the operating system itself, creating a range of exploits that can be customized for individual machines, says Ben Johnson, chief evangelist at Bit9+Carbon Black.

"Because the malware is designed to be modular and is made for the target's specific environment, it is harder to predict," says Johnson. "Combine this with a persistence focus, and it means once the attacker is in, it is hard to kick them out. It's hard to trust a machine when you ask it if a particular process is running and it essentially lies to you because it has been compromised and manipulated."

Kaspersky says it has found drives made by Seagate and Western Digital that have been compromised. When asked what it recommends customers do about the threat, Western Digital sent an email response that says, in part, "We are in the process of reviewing the report from Kaspersky Labs and the technical data set forth within the report," but doesn't offer any suggestions. "Prior to the report, we had no knowledge of the described cyber-espionage program." Seagate didn't respond.

So far, the use of this capability by Equation Group has been very limited, the Kaspersky report says. "This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances," it says.

The problem could become more severe if other malicious actors reverse engineer the ability to infect hard-drive firmware, says Greg Young, a research vice president at Gartner. If a separate bad actor takes control of already distributed malware or a toolkit to make the attack available to others, then the likelihood of its being used increases, he says, "however this is the case with any new attack."
