The Equation group uses many codenames for its tools and implants, Kaspersky said. But perhaps the most powerful tool in its arsenal is a mysterious module that allows the group to reprogram the firmware of hard drives from over a dozen manufacturers, including Seagate, Western Digital, Toshiba, Maxtor and IBM.
Disk drive firmware is arguably the second-most valuable real estate on a PC for an attacker, second only to the BIOS code that runs automatically as the computer boots. Once the firmware has been reprogrammed, the drive itself reinfects the computer over and over: the implant survives disk formatting and operating system reinstallation, because neither of those operations touches the firmware.
In addition, the malware was able to create an invisible, persistent area hidden inside the hard drive, used to store exfiltrated information that the attackers could retrieve later, according to Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.
To create such sophisticated spying software, its authors must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.
Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment.
Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.
NSA has declined to comment.
The group used a variety of means to spread its other spying programs, such as compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.
Apparently compiled in July 2008, Fanny was first observed in December 2008. It used two zero-day exploits that were later uncovered during the analysis of Stuxnet: to spread, it used the Stuxnet LNK exploit on USB sticks, and for privilege escalation it used a vulnerability patched by Microsoft bulletin MS09-025, which was also used in an early 2009 version of Stuxnet.
The main purpose of the Fanny worm was to map air-gapped networks, that is, to learn the topology of a network that cannot be reached directly and to execute commands on those isolated systems. For this it used a unique USB-based command-and-control mechanism that let the attackers pass data back and forth across the air gap.
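The following is an added illustration of how a store-and-forward command-and-control channel over removable media works in principle; it is not Fanny's code, and nothing in the Kaspersky report is reproduced here. The on-stick layout (a dictionary standing in for the stick's covert storage area), the record format, the host-identifier scheme and the two benign commands are all assumptions made for the example. Both sides of the exchange are shown: the agent that runs on the isolated machine when the stick is plugged in, and the relay that runs on an internet-connected machine.

```python
"""Model of a USB dead-drop C2 channel across an air gap (added example,
not the implant's own code). The stick carries a covert store with two
queues: "inbound" commands destined for isolated hosts and "outbound"
records waiting to reach an online host. All formats are assumptions."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class UsbStick:
    # Ordinary visible files, untouched by the channel.
    visible: dict = field(default_factory=dict)
    # Assumed stand-in for the hidden storage area on the real stick.
    hidden: dict = field(default_factory=lambda: {"inbound": [], "outbound": []})


def host_id(hostname, mac):
    # Stable, non-reversible identifier for a surveyed host (assumed scheme).
    return hashlib.sha256(f"{hostname}|{mac}".encode()).hexdigest()[:16]


def isolated_side(stick, hostname, mac, neighbours):
    """Runs when the stick is plugged into an air-gapped machine.
    Drops a topology record into the outbound queue, then executes any
    queued command addressed to this host. Only two harmless inventory
    commands are modelled (assumption); results go back onto the stick."""
    hid = host_id(hostname, mac)
    stick.hidden["outbound"].append({"type": "survey", "host": hid,
                                     "hostname": hostname, "neighbours": neighbours})
    results, remaining = [], []
    for cmd in stick.hidden["inbound"]:
        if cmd["host"] != hid:
            remaining.append(cmd)       # leave commands for other hosts in place
            continue
        if cmd["op"] == "list_neighbours":
            out = sorted(neighbours)
        elif cmd["op"] == "ping":
            out = "alive"
        else:
            out = f"unknown op {cmd['op']}"
        results.append({"type": "result", "host": hid, "id": cmd["id"], "out": out})
    stick.hidden["inbound"] = remaining
    stick.hidden["outbound"].extend(results)
    return results


def online_side(stick, known_hosts, pending_cmds):
    """Runs when the stick reaches an internet-connected machine.
    Drains the outbound queue to the operator (modelled as the known_hosts
    dict plus a list of returned results) and stages new commands."""
    results = []
    for rec in stick.hidden["outbound"]:
        if rec["type"] == "survey":
            known_hosts[rec["host"]] = {"hostname": rec["hostname"],
                                        "neighbours": rec["neighbours"]}
        else:
            results.append(rec)
    stick.hidden["outbound"] = []
    stick.hidden["inbound"].extend(pending_cmds)
    return results


def run_round_trip():
    """Walks one stick through four plug-in events; constructed scenario."""
    stick = UsbStick(visible={"report.docx": b"constructed sample document"})
    known, results = {}, []
    # 1. The stick visits an isolated host, which records itself.
    isolated_side(stick, "plc-ws01", "00:11:22:33:44:55", ["10.0.0.3", "10.0.0.2"])
    # 2. Back online: the operator learns of the host, then queues a command.
    results += online_side(stick, known, [])
    target = next(iter(known))
    results += online_side(stick, known,
                           [{"id": 1, "host": target, "op": "list_neighbours"}])
    # 3. The isolated host executes the command and leaves its answer.
    isolated_side(stick, "plc-ws01", "00:11:22:33:44:55", ["10.0.0.3", "10.0.0.2"])
    # 4. The answer reaches the operator on the next online plug-in.
    results += online_side(stick, known, [])
    return known, results, stick


if __name__ == "__main__":
    known, results, stick = run_round_trip()
    print("discovered hosts:", known)
    print("command results:", results)
```

The point of the model is that no packet ever crosses the air gap: every message rides on the stick and is delivered only when a person carries it to the other side, which is why the two halves must tolerate arbitrary delays and leave records for other hosts in place. From a defensive standpoint the same property is what makes the channel detectable: removable-media writes on an isolated host, or reads of data the host never legitimately produced, are the events to log and alert on.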