NSA’s “Equation Group” and hard drive firmware modification and malware installation (GRAYFISH / EQUATIONDRUG)

According to Kaspersky:

“The Equation group is a highly sophisticated threat actor that has been
engaged in multiple CNE (computer network exploitation) operations dating
back to 2001, and perhaps as early as 1996. The Equation group uses multiple
malware platforms, some of which surpass the well-known “Regin” threat in
complexity and sophistication. The Equation group is probably one of the most
sophisticated cyber attack groups in the world; and they are the most advanced
threat actor we have seen.”

The Kaspersky engineers think that “GRAYFISH” and “EQUATIONDRUG” are the most sophisticated and dangerous malware around, because they can modify the victim’s hard disk firmware.

“This is a file that shows the job postings for NSA interns; you can find an NSA wiki link on the last page. And this is very interesting:

(TS//SI//REL) Create a covert storage product that is enabled from a hard drive firmware modification. The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes half of its available space. It would report this size back to the operating system and not provide any way to access the additional space.”

“The whole point of this is that they (NSA) have worked out how to re-write the HDD firmware, which is usually just about impossible. Then it is read every time the disk is used, if they want. Your AV can’t see it, & it wouldn’t shock me if they had figured out a secondary way to send the data out.”

“The problem comes from the fact there’s a standardized API to write the firmware but no API to read it. This means we can’t easily check if a HDD has been compromised. Several suggested solutions from our side include: firmware signing and checking on the disk side, firmware write-protect switch on the HDD and the ability to read the firmware easily and check for alterations.”
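The comment above proposes three mitigations: firmware signing checked on the disk side, a physical write-protect switch, and a read-back path so the installed firmware can be compared against a known-good copy. The following simulation is an added illustration (not vendor, Kaspersky or NSA code) of how those three checks fit together. The firmware bytes and vendor key are constructed sample values, `SimulatedDisk` is a hypothetical model of a drive, and HMAC-SHA256 stands in for the public-key signature a real vendor would use.

```python
"""Simulated disk-side firmware integrity checks (added illustration).

Models the mitigations proposed above: a read-back of the installed firmware
compared against a known-good hash, a disk-side check that refuses images whose
authentication tag does not verify, and a write-protect switch that blocks
every install. HMAC-SHA256 with a key held by the simulated disk stands in for
a real public-key signature scheme.
"""
import hashlib
import hmac

# Constructed sample values: a "golden" firmware image and the vendor key the
# simulated disk holds. A real drive would hold a public key, not a shared secret.
VENDOR_KEY = b"example-vendor-key-not-real"
GOLDEN_FIRMWARE = bytes(range(256)) * 16  # 4 KiB of deterministic sample bytes
GOLDEN_SHA256 = hashlib.sha256(GOLDEN_FIRMWARE).hexdigest()


def sign_firmware(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Produce the authentication tag a legitimate vendor would ship with an image."""
    return hmac.new(key, image, hashlib.sha256).digest()


class SimulatedDisk:
    """Hypothetical disk whose firmware store is only writable via install_firmware()."""

    def __init__(self, firmware: bytes, key: bytes = VENDOR_KEY, write_protect: bool = False):
        self._firmware = bytes(firmware)
        self._key = key
        self.write_protect = write_protect  # the physical switch suggested above

    def install_firmware(self, image: bytes, tag: bytes) -> bool:
        """Disk-side check: accept the image only if the write-protect switch is
        off and the tag verifies. Returns True when the install succeeded."""
        if self.write_protect:
            return False
        expected = hmac.new(self._key, image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self._firmware = bytes(image)
        return True

    def read_firmware(self) -> bytes:
        """The read-back capability the comment says real drives lack."""
        return self._firmware


def verify_installed_firmware(disk: SimulatedDisk, golden_sha256: str = GOLDEN_SHA256) -> bool:
    """Host-side check: read the firmware back and compare with the known-good hash."""
    observed = hashlib.sha256(disk.read_firmware()).hexdigest()
    return hmac.compare_digest(observed, golden_sha256)


def demo() -> dict:
    """Exercise each check; every value in the returned dict should be True."""
    disk = SimulatedDisk(GOLDEN_FIRMWARE)
    results = {"clean_verifies": verify_installed_firmware(disk)}

    # An image with one byte changed and no valid tag must be rejected.
    tampered = bytearray(GOLDEN_FIRMWARE)
    tampered[100] ^= 0xFF
    results["unsigned_rejected"] = not disk.install_firmware(bytes(tampered), b"\x00" * 32)
    results["still_clean"] = verify_installed_firmware(disk)

    # A properly signed update is accepted; the host's golden hash then no longer
    # matches, which is exactly what read-back verification is meant to surface.
    update = GOLDEN_FIRMWARE[:-16] + b"\x00" * 16
    results["signed_accepted"] = disk.install_firmware(update, sign_firmware(update))
    results["detects_change"] = not verify_installed_firmware(disk)

    # With write-protect on, even a validly signed image is refused.
    disk.write_protect = True
    results["wp_blocks"] = not disk.install_firmware(GOLDEN_FIRMWARE, sign_firmware(GOLDEN_FIRMWARE))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the read-back check is that it works even if the disk-side verification is bypassed: an attacker who can rewrite the firmware store directly still changes the bytes the host hashes, so the host needs a trustworthy read path and a golden hash kept off the drive.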

SDN (Software Defined Networking)

Software Defined Networking (SDN) is a modern approach to a more flexible network layer implementation, using flexible software-defined rules to control routing instead of the classical hard-coded rules in device firmware.

According to its proponents:

SDN is a new approach to networking in which network control is decoupled from the data forwarding function and is directly programmable. The result is an extremely dynamic, manageable, cost-effective, and adaptable architecture that gives administrators unprecedented programmability, automation, and control. Implementing SDN via an open standard enables extraordinary agility while reducing service development and operational costs, and frees network administrators to integrate best-of-breed technology as it is developed.

Software-Defined Networking (SDN) is an emerging architecture that is dynamic, manageable, cost-effective, and adaptable.

OpenFlow has been proposed as a standard for SDN:

  • OpenFlow™ Standard – enables remote programming of the forwarding plane. The OpenFlow Standard is the first SDN standard and a vital element of an open software-defined network architecture.
  • OpenFlow-based SDN is currently being rolled out in a variety of networking devices and software, delivering substantial benefits to both enterprises and carriers, including:
    • Centralized management and control of networking devices from multiple vendors;
    • Improved automation and management by using common APIs to abstract the underlying networking details from the orchestration and provisioning systems and applications;
    • Rapid innovation through the ability to deliver new network capabilities and services without the need to configure individual devices or wait for vendor releases;
    • Programmability by operators, enterprises, independent software vendors, and users (not just equipment manufacturers) using common programming environments, which gives all parties new opportunities to drive revenue and differentiation;
    • Increased network reliability and security as a result of centralized and automated management of network devices, uniform policy enforcement, and fewer configuration errors;
    • More granular network control with the ability to apply comprehensive and wide-ranging policies at the session, user, device, and application levels; and
    • Better end-user experience as applications exploit centralized network state information to seamlessly adapt network behavior to user needs.

The SDN architecture is:

  • Directly programmable: Network control is directly programmable because it is decoupled from forwarding functions.
  • Agile: Abstracting control from forwarding lets administrators dynamically adjust network-wide traffic flow to meet changing needs.
  • Centrally managed: Network intelligence is (logically) centralized in software-based SDN controllers that maintain a global view of the network, which appears to applications and policy engines as a single, logical switch.
  • Programmatically configured: SDN lets network managers configure, manage, secure, and optimize network resources very quickly via dynamic, automated SDN programs, which they can write themselves because the programs do not depend on proprietary software.
  • Open standards-based and vendor-neutral: When implemented through open standards, SDN simplifies network design and operation because instructions are provided by SDN controllers instead of multiple, vendor-specific devices and protocols.


Limitations of “classical” networks:

  • Complexity that leads to stasis: Adding or moving devices and implementing network-wide policies are complex, time-consuming, and primarily manual endeavors that risk service disruption, discouraging network changes.
  • Inability to scale: The time-honored approach of link oversubscription to provision scalability is not effective with the dynamic traffic patterns in virtualized networks—a problem that is even more pronounced in service provider networks with large-scale parallel processing algorithms and associated datasets across an entire computing pool.
  • Vendor dependence: Lengthy vendor equipment product cycles and a lack of standard, open interfaces limit the ability of network operators to tailor the network to their individual environments.

Impact of virtualization on networking

“The static nature of networks is in stark contrast to the dynamic nature of today’s server environment, where server virtualization has greatly increased the number of hosts requiring network connectivity.

VMs migrate to optimize and rebalance server workloads causing the physical end points of existing flows to change (sometimes rapidly) over time.

VM migration challenges many aspects of traditional networking, from addressing schemes and namespaces to the basic notion of a segmented, routing-based design.”


“While existing networks can provide differentiated QoS levels for different applications, the provisioning of those resources is highly manual. IT must configure each vendor’s equipment separately, and adjust parameters such as network bandwidth and QoS on a per-session, per-application basis.

Because of its static nature, the network cannot dynamically adapt to changing traffic, application, and user demands.”


“Some companies need so-called hyperscale networks that can provide high-performance, low-cost connectivity among hundreds of thousands—potentially millions—of physical servers. Such scaling cannot be done with manual configuration.”

Simpler network devices

SDN also greatly simplifies the network devices themselves, since they no longer need to understand and process thousands of protocol standards but merely accept instructions from the SDN controllers.

SDN architectures

SDN architectures support a set of APIs that make it possible to implement common network services, including:

  • routing,
  • multicast,
  • security,
  • access control,
  • bandwidth management,
  • traffic engineering,
  • quality of service,
  • processor and storage optimization,
  • energy usage, and
  • all forms of policy management, custom tailored to meet business objectives.

SDN makes the network

  • not so much “application-aware” as “application-customized” and
  • applications not so much “network-aware” as “network-capability-aware”.

As a result, computing, storage, and network resources can be optimized.

Inside OpenFlow

OpenFlow allows direct access to and manipulation of the forwarding plane of network devices such as switches and routers, both physical and virtual (hypervisor-based).

The protocol specifies basic primitives that can be used by an external software application to program the forwarding plane of network devices, just like the instruction set of a CPU would program a computer system.


OpenFlow uses the concept of flows to identify network traffic based on pre-defined match rules that can be statically or dynamically programmed by the SDN control software.

OpenFlow allows the network to be programmed on a per-flow basis:

  • This provides extremely granular control, enabling the network to respond to real-time changes at the application, user, and session levels.
  • Current IP-based routing does not provide this level of control, as all flows between two endpoints must follow the same path through the network, regardless of their different requirements.

Each flow-entry has a simple action associated with it; the three basic ones (that all dedicated OpenFlow switches must support) are:

  • Forward this flow’s packets to a given port
  • Encapsulate and forward this flow’s packets to a controller
  • Drop this flow’s packets

An entry in the Flow-Table has three fields:

  • (1) A packet header that defines the flow,
  • (2) The action, which defines how the packets should be processed, and
  • (3) Statistics, which keep track of the number of packets and bytes for each flow, and the time since the last packet matched the flow (to help with the removal of inactive flows).
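To make the flow-table model concrete, here is an added example (not code from the OpenFlow specification or from any switch or controller) of a tiny flow table in Python. Each entry carries the three fields just listed: a header match, one of the three basic actions, and per-flow statistics (packet and byte counters plus the time of the last match, used for idle expiry). Packets are plain dicts with constructed header values, and clock values are passed in explicitly so the run is deterministic; a real switch matches on the parsed frame and uses its own clock.

```python
"""Minimal OpenFlow-style flow table (added example, not code from OpenFlow)."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The three basic actions every dedicated OpenFlow switch must support.
FORWARD, TO_CONTROLLER, DROP = "forward", "controller", "drop"


@dataclass
class FlowEntry:
    match: Dict[str, object]          # header fields to match; an absent field is a wildcard
    action: str                       # FORWARD / TO_CONTROLLER / DROP
    out_port: Optional[int] = None    # only meaningful for FORWARD
    priority: int = 0                 # higher wins when several entries match
    idle_timeout: float = 0.0         # seconds without a match before removal; 0 disables
    packets: int = 0                  # statistics: packets matched
    byte_count: int = 0               # statistics: bytes matched
    last_match: float = field(default_factory=time.monotonic)  # statistics: time of last match

    def matches(self, pkt: Dict[str, object]) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        # Keep highest priority first so lookup() can return the first hit.
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt: Dict[str, object]) -> Optional[FlowEntry]:
        for e in self.entries:
            if e.matches(pkt):
                return e
        return None

    def process(self, pkt: Dict[str, object], now: Optional[float] = None) -> str:
        """Apply the highest-priority matching entry and update its statistics.
        A table miss is reported as 'controller': the packet is encapsulated and
        sent to the controller, which decides what entry to install."""
        now = time.monotonic() if now is None else now
        entry = self.lookup(pkt)
        if entry is None:
            return TO_CONTROLLER
        entry.packets += 1
        entry.byte_count += int(pkt.get("len", 0))
        entry.last_match = now
        if entry.action == FORWARD:
            return f"forward:{entry.out_port}"
        return entry.action

    def expire_idle(self, now: Optional[float] = None) -> int:
        """Remove entries whose idle_timeout has elapsed; returns how many were removed."""
        now = time.monotonic() if now is None else now
        before = len(self.entries)
        self.entries = [e for e in self.entries
                        if e.idle_timeout == 0 or now - e.last_match < e.idle_timeout]
        return before - len(self.entries)


def demo() -> dict:
    """Run three constructed packets through a two-entry table and expire idle flows."""
    t0 = 1000.0  # constructed clock value
    table = FlowTable()
    table.add(FlowEntry({"ip_dst": "10.0.0.2", "tcp_dst": 80}, FORWARD, out_port=3,
                        idle_timeout=30.0, last_match=t0))
    table.add(FlowEntry({"ip_src": "10.0.0.9"}, DROP, priority=10, last_match=t0))
    packets = [  # constructed sample headers
        {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.2", "tcp_dst": 80, "len": 100},  # web flow -> port 3
        {"ip_src": "10.0.0.9", "ip_dst": "10.0.0.2", "tcp_dst": 80, "len": 60},   # blocked source; higher priority wins
        {"ip_src": "10.0.0.5", "ip_dst": "10.0.0.7", "udp_dst": 53, "len": 80},   # no entry: table miss
    ]
    decisions = [table.process(p, now=t0 + 1) for p in packets]
    stats = [(e.action, e.packets, e.byte_count) for e in table.entries]
    expired = table.expire_idle(now=t0 + 40)  # the FORWARD entry has been idle 39 s > 30 s
    return {"decisions": decisions, "stats": stats, "expired": expired, "remaining": len(table.entries)}


if __name__ == "__main__":
    print(demo())
```

Two details matter for security: the priority ordering decides which entry wins when a drop rule and a forward rule both match, so the blocking entry must carry the higher priority, and the idle-timeout statistics are what let the switch forget a flow, so a controller that relies on a drop entry staying in place should install it with `idle_timeout=0`.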

More Examples

  • Network Management and Access Control
    • Manages the admittance and routing of flows.
    • Allows network managers to define a network-wide policy in the central controller.
    • The controller checks a new flow against a set of rules, such as
      • “Guests can communicate using HTTP, but only via a web proxy”
      • “VoIP phones are not allowed to communicate with laptops.”
  • Mobile wireless VoIP clients
    • Track the location of clients, re-routing connections — by reprogramming the Flow Tables — as users move through the network, allowing seamless handoff from one access point to another.
  • Processing packets rather than flows
    • Intrusion detection system
    • Converting packets from one protocol format to another
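The access-control example above (a central controller checking each new flow against rules such as the two quoted) can be shown as a small admission check. The following is an added example, not code from any SDN controller: device roles, addresses and the flows are constructed sample data, `Flow`, `decide` and `flow_entry_for` are hypothetical names, and the returned entry is the drop or forward rule the controller would push to the switch so that later packets of the flow no longer need a trip to the controller.

```python
"""Controller-side admission check for new flows (added example)."""
from typing import Callable, Dict, List, NamedTuple, Optional


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Constructed inventory: IP address -> device role. A real controller would
# learn roles from an asset inventory or from 802.1X authentication.
ROLES: Dict[str, str] = {
    "10.0.1.10": "guest",
    "10.0.1.11": "guest",
    "10.0.2.20": "laptop",
    "10.0.3.30": "voip-phone",
    "10.0.3.31": "voip-phone",
    "10.0.9.1": "web-proxy",
    "10.0.9.2": "web-server",
}
WEB_PROXY = "10.0.9.1"
HTTP_PORTS = {80, 443}


def role(ip: str) -> str:
    return ROLES.get(ip, "unknown")


def guest_http_only_via_proxy(flow: Flow) -> Optional[str]:
    """Rule 1: a guest's only permitted traffic is HTTP(S) to the web proxy."""
    if role(flow.src) != "guest":
        return None  # rule does not apply to this flow
    if flow.proto == "tcp" and flow.dport in HTTP_PORTS and flow.dst == WEB_PROXY:
        return "allow"
    return "deny"


def no_voip_to_laptop(flow: Flow) -> Optional[str]:
    """Rule 2: VoIP phones and laptops may not communicate, in either direction."""
    if {role(flow.src), role(flow.dst)} == {"voip-phone", "laptop"}:
        return "deny"
    return None


POLICIES: List[Callable[[Flow], Optional[str]]] = [guest_http_only_via_proxy, no_voip_to_laptop]


def decide(flow: Flow) -> str:
    """Any rule that says deny wins; flows touching an unknown device are denied;
    everything else is allowed. This default is a design choice for the example."""
    verdicts = [p(flow) for p in POLICIES]
    if "deny" in verdicts:
        return "deny"
    if "unknown" in (role(flow.src), role(flow.dst)):
        return "deny"
    return "allow"


def flow_entry_for(flow: Flow, out_port: int = 1) -> dict:
    """Build the entry the controller would install: a drop entry for denied
    flows (so the switch stops sending their packets to the controller) or a
    forward entry for allowed ones. out_port is a placeholder for the port the
    controller's topology view would pick."""
    match = {"ip_src": flow.src, "ip_dst": flow.dst, "proto": flow.proto, "dport": flow.dport}
    if decide(flow) == "deny":
        return {"match": match, "action": "drop"}
    return {"match": match, "action": "forward", "out_port": out_port}


def demo() -> List[str]:
    """Decisions for a set of constructed new flows."""
    flows = [
        Flow("10.0.1.10", "10.0.9.1", "tcp", 80),     # guest -> proxy, HTTP: allow
        Flow("10.0.1.10", "10.0.9.2", "tcp", 80),     # guest -> web server directly: deny
        Flow("10.0.1.11", "10.0.9.1", "udp", 53),     # guest DNS to proxy: deny (not HTTP)
        Flow("10.0.3.30", "10.0.2.20", "udp", 5060),  # phone -> laptop: deny
        Flow("10.0.2.20", "10.0.3.31", "tcp", 443),   # laptop -> phone: deny (either direction)
        Flow("10.0.3.30", "10.0.3.31", "udp", 5060),  # phone -> phone: allow
        Flow("10.0.2.20", "10.0.9.2", "tcp", 443),    # laptop -> web server: allow
        Flow("10.0.2.20", "10.0.0.99", "tcp", 22),    # laptop -> unknown device: deny
    ]
    return [decide(f) for f in flows]


if __name__ == "__main__":
    for f, d in zip(demo(), demo()):
        print(d)
```

Installing an explicit drop entry for denied flows, rather than simply not installing anything, is what keeps a denied client from turning every new connection attempt into controller load; the flow-table example earlier on this page shows how such a drop entry then takes effect on the switch.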