Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

There's no way of knowing if the NSA's spyware is on your hard drive

Lucas Mearian | Feb. 23, 2015
'Equation group' spyware likely only targeted specific hard drives and SSDs.

Hard drive maker WD said that prior to the release of Kaspersky's report, it had no knowledge of the NSA cyberespionage program.

"We take such threats very seriously. The integrity of our products and the security of our customers' data are of paramount importance to us," a WD spokesman wrote in an email reply to Computerworld.

The WD spokesman said the company has not participated in or supported the development or deployment of cyberespionage technology by government entities, adding that "Western Digital has not provided its source code to government agencies."

"We are in the process of reviewing the report from Kaspersky Labs and the technical data set forth within the report," the spokesman said.

Seagate, the largest producers of hard disk drives, did not respond to a request for a comment on the malware or how its drives were infected.

Perhaps the most powerful tool in the Equation group's arsenal, Kaspersky's report states, is a mysterious module known only by a cryptic name: "nls_933w.dll."

The worm allows the Equation group to reprogram the hard drive's firmware.

"This is an astonishing technical accomplishment and is testament to the group's abilities," Kaspersky's report stated.

Kaspersky's report said the company found personal computers in 30 countries  infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.  The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media and Islamic activists, Kaspersky said.

"During our research, we've only identified a few victims who were targeted by this module," Soumenkov said. "This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances."

The spyware module itself is used only to deliver the customized firmware to the victim's hard drive, and someone deploying it would need to know special commands that will let a user communicate with a particular HDD hardware, which is vendor specific, Soumenkov said.

Soumenkov said the most complex and expensive process in deploying the malicious worm is reprogramming an HDD's firmware. To do that, someone would need to first obtain the source code of all the major vendors' firmware, which would require having access to the fully proprietary information and internal documentation kept by drive manufacturers.

Either that, "or to have abnormal skills to reverse engineer the firmware's code," Soumenkov said. "And they did it for more than 12 HDD brands!"


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.