Has Equation Group hacked your hard drives? You won't be able to tell.

The Equation Group's ability to reprogram hard-drive firmware leaves corporate security pros unable to trust the devices because they can't tell whether disks have been compromised or not.


"Once the hard drive gets infected with this malicious payload, it's impossible to scan its firmware," says Igor Soumenkov, principal security researcher at Kaspersky Lab. "To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware."

Beyond that, the tampering Equation Group does with the firmware can survive reformatting the disk and reinstalling the operating system, giving it "extreme persistence," and providing invisible, persistent storage inside the hard drive, according to the Kaspersky report on the Equation Group.

Kaspersky came to know of the capability when it discovered two firmware-reprogramming modules within larger malware platforms written by Equation Group that are called EQUATIONDRUG and GRAYFISH. In addition to reprogramming, the modules enable an API that gives access to a hidden sector of the hard drive set up by the malware.

By taking over the firmware, the attackers can insert further malware into the operating system itself, creating a range of exploits that can be customized for individual machines, says Ben Johnson, chief evangelist at Bit9+Carbon Black.

"Because the malware is designed to be modular and is made for the target's specific environment, it is harder to predict," says Johnson. "Combine this with a persistence focus, and it means once the attacker is in, it is hard to kick them out. It's hard to trust a machine when you ask it if a particular process is running and it essentially lies to you because it has been compromised and manipulated."

Kaspersky says it has found drives made by Seagate and Western Digital that have been compromised. When asked what it recommends customers do about the threat, Western Digital sent an email response that says, in part, "We are in the process of reviewing the report from Kaspersky Labs and the technical data set forth within the report," but doesn't offer any suggestions. "Prior to the report, we had no knowledge of the described cyber-espionage program." Seagate didn't respond.

So far, the use of this capability by Equation Group has been very limited, the Kaspersky report says. "This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances," it says.

The problem could become more severe if other malicious actors reverse engineer the ability to infect hard-drive firmware, says Greg Young, a research vice president at Gartner. If a separate bad actor takes control of already distributed malware or a toolkit to make the attack available to others, then the likelihood of its being used increases, he says, "however this is the case with any new attack."

Kaspersky found a low infection rate in the U.S., where Equation Group targeted mainly Islamic scholars and some others that Kaspersky couldn't classify. Reuters says it has confirmed through former NSA employees that the agency is behind the group.

Conventional good security practices are the best way to deal with this threat, says Young. "In the larger picture, most enterprises reading this already have many, many unpatched vulnerabilities that they need to shield or patch before worrying about any attacks related to Equation," he says. "The clear exception are those organizations in or doing much business with countries of interest to Equation."

Those with high infection rates include Iran, Russia, Pakistan, Afghanistan, India, China, Syria and Mali.

"Sure, the ability to leverage some of these techniques covertly, consistently, and at scale is a big challenge," says Johnson, "however, the fact that zero-days exist or that code can be encrypted or that firmware can be overwritten is absolutely not new or shocking."

Corporate security pros need to accept that with enough effort and know-how, motivated attackers will succeed in breaching networks, so they need to develop plans for quickly discovering, blocking and wiping out malware activity, he says.

"And finally, never be satisfied," Johnson says. "Once you think you're entirely clean, keep looking -- assume that something is still there hiding."

Stories by Tim Greene