NSA’s “Equation Group” and hard drive firmware modification and malware installation (GRAYFISH / EQUATIONDRUG)

According to Kaspersky:

“The Equation group is a highly sophisticated threat actor that has been
engaged in multiple CNE (computer network exploitation) operations dating
back to 2001, and perhaps as early as 1996. The Equation group uses multiple
malware platforms, some of which surpass the well-known “Regin” threat in
complexity and sophistication. The Equation group is probably one of the most
sophisticated cyber attack groups in the world; and they are the most advanced
threat actor we have seen.”

Kaspersky's engineers consider “GRAYFISH” and “EQUATIONDRUG” the most sophisticated and dangerous malware around, because they can modify the victim’s hard disk firmware.

“This is a file that shows the job postings for NSA interns; you can find an NSA wiki link on the last page. And this is very interesting:

(TS//SI//REL) Create a covert storage product that is enabled from a hard drive firmware modification. The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes half of its available space. It would report this size back to the operating system and not provide any way to access the additional space.”

“The whole point of this is that they (NSA) have worked out how to re-write the HDD firmware, which is usually just about impossible. Then it is read every time the disk is used, if they want. Your AV can’t see it, & it wouldn’t shock me if they had figured out a secondary way to send the data out.”

“The problem comes from the fact there’s a standardized API to write the firmware but no API to read it. This means we can’t easily check if a HDD has been compromised. Several suggested solutions from our side include: firmware signing and checking on the disk side, firmware write-protect switch on the HDD and the ability to read the firmware easily and check for alterations.”
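The two quotes above describe the same asymmetry from both sides: a firmware modification that makes the drive under-report its capacity, and a host that has a way to write firmware but no way to read it back and check it. The following is an added illustration, written for this post and not code from Kaspersky, the NSA document or any drive vendor. It models a drive as a small Python class (`SimulatedDrive`, a name chosen here) with the three proposed mitigations as switches: signature checking on the disk side, a write-protect switch, and a read-back path so the host can compare the running firmware against a known-good hash. The firmware images, the `HIDE_HALF` marker, the sector counts and the vendor key are all constructed for the example, and an HMAC stands in for what would really be an asymmetric vendor signature so that the code runs with only the standard library.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed vendor key for this example. A real disk would embed a public key
# and verify an asymmetric signature; HMAC stands in so the example runs offline.
VENDOR_KEY = b"example-vendor-signing-key-not-real"

# Constructed firmware images. The tampered one carries a marker that the
# simulated drive interprets as "report only half the sectors".
GENUINE_IMAGE = b"EXAMPLE-HDD-FIRMWARE v1.0"
TAMPERED_IMAGE = b"EXAMPLE-HDD-FIRMWARE v1.0 HIDE_HALF"


def sign_firmware(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor-side signing of a firmware image (HMAC stand-in for a real signature)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def baseline_of(image: bytes) -> str:
    """Known-good hash a host would keep for the vendor's published image."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class SimulatedDrive:
    physical_sectors: int
    firmware: bytes
    # The three mitigations suggested above, each switchable so the unprotected
    # "status quo" drive can be compared with a hardened one.
    verify_signature: bool = True
    write_protect: bool = False
    readable_firmware: bool = True
    verify_key: bytes = VENDOR_KEY

    def update_firmware(self, image: bytes, signature: bytes) -> bool:
        """Disk-side update path: honor the write-protect switch and the signature."""
        if self.write_protect:
            return False
        if self.verify_signature and not hmac.compare_digest(
            sign_firmware(image, self.verify_key), signature
        ):
            return False
        self.firmware = image
        return True

    def read_firmware(self) -> Optional[bytes]:
        """Read-back path; returns None on drives that offer no way to read firmware."""
        return self.firmware if self.readable_firmware else None

    def reported_sectors(self) -> int:
        """Capacity the firmware reports to the OS (the tampered image hides half)."""
        if b"HIDE_HALF" in self.firmware:
            return self.physical_sectors // 2
        return self.physical_sectors


def firmware_matches_baseline(drive: SimulatedDrive, baseline: str) -> Optional[bool]:
    """Host-side check against a known-good hash; None means it cannot be checked."""
    image = drive.read_firmware()
    if image is None:
        return None
    return hmac.compare_digest(baseline_of(image), baseline)


def missing_sectors(drive: SimulatedDrive, documented_sectors: int) -> int:
    """Sectors the OS does not see, compared with the vendor-documented capacity."""
    return documented_sectors - drive.reported_sectors()


if __name__ == "__main__":
    # Unprotected drive: accepts any image, and its firmware cannot be read back,
    # so the only host-visible symptom is the capacity discrepancy.
    legacy = SimulatedDrive(1000, GENUINE_IMAGE, verify_signature=False,
                            readable_firmware=False)
    legacy.update_firmware(TAMPERED_IMAGE, b"\x00" * 32)
    print("legacy: baseline check =",
          firmware_matches_baseline(legacy, baseline_of(GENUINE_IMAGE)),
          "| missing sectors =", missing_sectors(legacy, 1000))

    # Hardened drive: unsigned image rejected, signed image accepted, then locked.
    hardened = SimulatedDrive(1000, GENUINE_IMAGE)
    print("hardened: tampered accepted =",
          hardened.update_firmware(TAMPERED_IMAGE, b"\x00" * 32))
    print("hardened: signed accepted =",
          hardened.update_firmware(GENUINE_IMAGE, sign_firmware(GENUINE_IMAGE)))
    hardened.write_protect = True
    print("hardened: update while write-protected =",
          hardened.update_firmware(GENUINE_IMAGE, sign_firmware(GENUINE_IMAGE)))
```

On the unprotected drive the baseline check returns `None` rather than `False`: with no read-back path the host cannot say whether the firmware is genuine, which is exactly the gap the quote describes, and the only remaining signal is that the drive reports fewer sectors than the vendor documents. The hardened drive shows the complementary controls: the signature check makes the disk itself refuse an unsigned image, and the write-protect switch blocks even correctly signed updates until an operator opens it.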
