The NSA might have found a way to hide spying software in the firmware of hard drives made by Western Digital, Seagate, Toshiba, IBM and other big manufacturers, and has infected computers in more than 30 countries worldwide, according to security experts at Kaspersky Lab. The Moscow-based security software maker says the newly described "threat actor" surpasses anything known in terms of complexity and sophistication of techniques. The Equation Group, as Kaspersky calls it, has been active for almost two decades and uses tools that are very complicated and expensive to develop in order to infect computers, retrieve data, hide its activity and, with classic spying techniques, deliver malicious payloads to its victims.
Although the researchers do not explicitly name the country behind the spying program, they point a finger at the U.S. government by saying the Equation Group is closely linked to Stuxnet, the cyberwarfare worm widely attributed to the NSA and used to attack Iran's uranium enrichment facility.
Most infections were found in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria, covering targets in government and diplomatic institutions, telecommunications, energy, nuclear research, oil and gas, aerospace, military, nanotechnology, Islamic activists, mass media, transportation, financial institutions and companies developing encryption technologies.
The Group’s infrastructure includes more than 300 domains and more than 100 servers hosted in multiple countries, including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and the Czech Republic.
One of the most powerful tools discovered by Kaspersky Lab reprograms the hard drive's firmware and is the first known malware capable of infecting hard drives at that level. Because the implant lives in the drive's firmware rather than on its platters, it survives disk formatting and re-installation of the operating system and can persist indefinitely. Other spying programs were spread by infecting USB sticks and CDs, and through a computer worm called Fanny. Fanny's main purpose was to map the topology of air-gapped networks that cannot be reached over the Internet and to relay commands to those isolated systems, according to the Kaspersky report.
Some classic spying methods were also used by the Group, such as intercepting physical goods in transit and replacing them with Trojanized versions. One example cited by Kaspersky involved participants at a scientific conference in Houston who received a copy of the conference materials on a CD; the CD was later used to install one of the Group's Trojans, called DoubleFantasy.