I got an email from an acquaintance the other night with a single question, “Is this true?”, and a link to an article on Yahoo about the NSA hiding spyware in hard drives. I’m pretty sure my acquaintance did not want this story to be true; after all, it’s pretty unnerving to think that the government would go this far to spy on people.
I couldn’t confirm the truth behind the article because I don’t know the truth. I do know that Kaspersky Lab made the announcement of the discovery, and I do know that it wouldn’t be the first time some sort of malware or spyware was discovered pre-installed on hard drives; in fact, security people have warned about the security concerns of flash drives for several years now. So my response to my acquaintance was that while I don’t know for sure if it is true, I have every reason to believe that it is, and we should be concerned.
The researchers at Kaspersky Lab are calling this cyberespionage and attributing it to what they call the Equation group, an organization of threat actors with ties to Stuxnet’s developers. As the Lab’s SecureList blog explained:
To infect their victims, the Equation group uses a powerful arsenal of “implants” (as they call their Trojans), including the following we have created names for: EQUATIONLASER, EQUATIONDRUG, DOUBLEFANTASY, TRIPLEFANTASY, FANNY and GRAYFISH. No doubt other “implants” exist which we have yet to identify and name.
Perhaps the most powerful tool in the Equation group’s arsenal is a mysterious module known only by a cryptic name: “nls_933w.dll”. It allows them to reprogram the hard drive firmware of over a dozen different hard drive brands, including Seagate, Western Digital, Toshiba, Maxtor and IBM. This is an astonishing technical accomplishment and is testament to the group’s abilities.
The Equation group’s efforts target a wide range of industries, utilities and groups. What does it mean for businesses? These hard drive manufacturers provide some of the most popular storage products available. There is a good chance that your business is using one of these brands right now. Malware installed directly onto the hard drive is able to avoid all of the typical security controls in place, like antivirus software. The good news is that the NSA or those involved in cyberespionage likely aren’t interested in the information gathered about your company, unless you are involved in some secret government-related work or a potential terrorist organization. The bad news is that it is only a matter of time until cybercriminals begin to use and abuse this malware tactic. The worst news? If you think you have the spyware on your hard drive, according to Mashable, the only way to get rid of it is to destroy your hard drive.
This could turn out to be both one of the most fascinating and horrifying security stories of 2015.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba