Researchers with Kaspersky Lab describe what they say is “the most advanced threat actor” they’ve seen to date.
Researchers with the Moscow-based Kaspersky Lab introduced their findings while presenting at the Kaspersky Security Analyst Summit in Cancun, Mexico, and also published an initial paper (pdf) Monday on what they consider “the most advanced threat actor” they’ve seen to date. The actor, dubbed the Equation Group, deployed a suite of surveillance platforms that has been found in hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, and located in personal computers in 30 countries, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria, Kaspersky said. The targets reportedly included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists.
Although the firm did not publicly name the source behind the spying campaign, they said the Equation Group “worm” was closely linked to Stuxnet, the cyberweapon the U.S. used to attack Iran’s uranium enrichment facility beginning in late 2007.
The New York Times reports that, in many cases, the powerful software is able to “grab the encryption keys off a machine, unnoticed, and unlock scrambled contents. Moreover, many of the tools are designed to run on computers that are disconnected from the Internet, which was the case in the computers controlling Iran’s nuclear enrichment plants.”
The fact that security software made by Kaspersky Lab is not used by many American government agencies has made it more trusted by other governments, like those of Iran and Russia, whose systems are closely watched by United States intelligence agencies. That gives Kaspersky a front-row seat to America’s digital espionage operations.
Further, a former NSA employee told Reuters that the U.S. spy agency “still valued these spying programs as highly as Stuxnet.” Another former intelligence operative reportedly confirmed to Reuters that the NSA “had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.”
After being given an advance look at the Kaspersky findings, WIRED reported on the capabilities of the newly uncovered surveillance software:
The new platforms, which appear to have been developed in succession with each one surpassing the previous in sophistication, can give the attackers complete and persistent control of infected systems for years, allowing them to siphon data and monitor activities while using complex encryption schemes and other sophisticated methods to avoid detection. The platforms also include an innovative module, the likes of which Kaspersky has never seen before, that re-flashes or reprograms a hard drive’s firmware with malicious code to turn the computer into a slave of the attackers.
News that the U.S. spy agency had manually implanted personal computers with surveillance technology was also revealed in documents leaked by NSA whistleblower Edward Snowden.
Reporting on the Kaspersky presentation, Reuters notes, “Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets.”
In an interview, lead Kaspersky researcher Costin Raiu explained that the authors of the spying programs “must have had access to the proprietary source code that directs the actions of the hard drives.”
Though hard drive manufacturers denied sharing such information with the government, former intelligence operatives confirmed to Reuters that “the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer.”
“They don’t admit it, but they do say, ‘We’re going to do an evaluation, we need the source code,’” said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. “It’s usually the NSA doing the evaluation, and it’s a pretty small leap to say they’re going to keep that source code.”
In the days to come, Kaspersky says it will be releasing further information on its discovery.
“As we uncover more of these cyber espionage operations we realize how little we understand about the true capabilities of these threat actors,” Raiu told WIRED.