CyberEye

By Patrick Marshall


Now that’s persistent: Equation’s firmware threat

The recent revelation that the Equation Group uses disk drive firmware to plant malware in systems points to the kind of sophisticated and hard-to-tackle threat that will increasingly be a part of black hat attacks.

Kaspersky Lab, which came out with the initial report on Equation, said the group attacked the firmware of major drive makers such as Samsung, Seagate, Western Digital, Hitachi and Maxtor. Unlike other attacks, apparently no clean-up effort can scrub the firmware. That gives a whole new context to the phrase “persistent.”

Technically, the attack uses the nls_933w.dll module both to reprogram the disk drive firmware with a custom payload and to provide an application programming interface for attackers to access hidden storage sectors on the drive. Kaspersky also published a much more detailed version of its investigation (in which it breathlessly labeled Equation “The Death Star” of the malware galaxy) and listed organizations it believed the group had infiltrated, many of them government related.
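Because the post's point is that a reflashed drive survives reimaging, the one coarse control a defender can still run is an inventory check: record each drive's model, serial and firmware string at enrollment and alert when the firmware string on a known serial changes or an unenrolled drive appears. The script below is an added example, not code from the GCN post or from Kaspersky's report. It assumes a job that captures `smartctl -i` text per drive (the sample output here is constructed inline) and a baseline dictionary keyed by serial number; the field labels are the ones smartctl prints, but the drive names and versions are made up.

```python
"""Firmware-version drift check for disk drives (added example, not the post's own code).

Assumes an inventory job has collected `smartctl -i /dev/sdX` text per drive.
The sample output and the baseline below are constructed for illustration.
Caveat: a malicious firmware can report whatever version it likes, so this
catches unexpected or careless reflashes, not a determined implant.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of smartctl -i style output for three drives on three hosts.
SAMPLE_SMARTCTL_OUTPUT: Dict[str, str] = {
    "host-a:/dev/sda": """\
Model Family:     Example Family
Device Model:     EXAMPLE-HD-1000
Serial Number:    SN0001
Firmware Version: FW1.00
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
""",
    "host-b:/dev/sda": """\
Device Model:     EXAMPLE-HD-1000
Serial Number:    SN0002
Firmware Version: FW9.99
""",
    "host-c:/dev/sda": """\
Device Model:     EXAMPLE-HD-1000
Serial Number:    SN0003
Firmware Version: FW1.00
""",
}

# Constructed baseline recorded at enrollment: serial -> (model, firmware).
# SN0003 was never enrolled, SN0002 was enrolled with FW1.00.
BASELINE: Dict[str, Tuple[str, str]] = {
    "SN0001": ("EXAMPLE-HD-1000", "FW1.00"),
    "SN0002": ("EXAMPLE-HD-1000", "FW1.00"),
}

# Only the three identity fields matter for drift detection.
FIELD_RE = re.compile(
    r"^(Device Model|Serial Number|Firmware Version):\s*(.+?)\s*$", re.MULTILINE
)


@dataclass(frozen=True)
class DriveInfo:
    model: str
    serial: str
    firmware: str


def parse_smartctl_info(text: str) -> Optional[DriveInfo]:
    """Pull model, serial and firmware out of smartctl -i text; None if any is missing."""
    fields = dict(FIELD_RE.findall(text))
    try:
        return DriveInfo(
            fields["Device Model"], fields["Serial Number"], fields["Firmware Version"]
        )
    except KeyError:
        return None


def check_drift(
    outputs: Dict[str, str], baseline: Dict[str, Tuple[str, str]]
) -> List[Tuple[str, str, Optional[DriveInfo]]]:
    """Compare collected drive identities against the enrollment baseline.

    Returns (location, finding, info) tuples; an empty list means no drift.
    """
    findings = []
    for location, text in outputs.items():
        info = parse_smartctl_info(text)
        if info is None:
            findings.append((location, "unparseable", None))
            continue
        expected = baseline.get(info.serial)
        if expected is None:
            # A drive that was never enrolled: could be a swap, could be a planted device.
            findings.append((location, "unknown-drive", info))
        elif expected[1] != info.firmware:
            # Same serial, different firmware string: review who reflashed it and why.
            findings.append((location, "firmware-changed", info))
        elif expected[0] != info.model:
            findings.append((location, "model-mismatch", info))
    return findings


if __name__ == "__main__":
    for location, finding, info in check_drift(SAMPLE_SMARTCTL_OUTPUT, BASELINE):
        print(f"{location}: {finding} {info}")
```

Run against the constructed data, the check reports host-b's drive as `firmware-changed` and host-c's as `unknown-drive`, and host-a as clean. In practice the baseline should live on a system the monitored hosts cannot write to, and a `firmware-changed` hit is a prompt for a vendor-signed reflash or drive replacement rather than a cleanup attempt, for exactly the reason the post gives.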

A number of sources have suggested Equation might be a very limited threat, given the effort needed to master the level of programming required to rewrite the firmware. However, that could be an optimistic assessment given the level of sophistication that other state-sponsored groups and organized crime have shown recently.

Using hard drive firmware as an avenue of attack is also not that new an idea. Researchers at public universities were detailing five years ago how disk drive firmware could be used to embed malicious software.

Rewriting software that controls hardware is also at the heart of what’s been described as one of the hottest hacks of 2014. BadUSB is an attack that reprograms the controller chips on USB peripherals, including thumb drives, to emulate a keyboard and allow an attacker to issue commands to download files or install malware. It can also be used to redirect network traffic or install a virus to infect an operating system before it boots.

As with the disk drive firmware attack, it’s apparently hard to clean up a BadUSB infection. Reinstalling an operating system won’t necessarily work since the drive used for that may itself be compromised, and a BadUSB device may already have replaced a system’s BIOS.

Researchers have been busy detailing how BadUSB attacks could be used against organizations, and some of the scenarios are downright scary. Michael Toecker of Context Industrial Security recently described how USB-to-serial converters that are being used to connect critical legacy hardware at industrial control plants can have their firmware reprogrammed. He tested his theory on 20 different converters, and 15 of the chips could not be reprogrammed, so it would probably be a tough nut to crack. But that still left five that could be manipulated.

The Kaspersky revelations are not the first time firmware reprogramming has been mentioned in relation to the NSA. In December 2013, German magazine Der Spiegel published a lengthy investigative piece on the activities of the NSA, which had several months earlier been shown to have intercepted the mobile phone conversations of a number of state leaders, including that of German Chancellor Angela Merkel.

As a part of that investigation, the magazine detailed the contents of what it called the NSA’s Spy Catalog, a years-in-the-making collection of NSA-developed malware and surveillance hardware. That included, according to documents the magazine obtained, “spyware capable of embedding itself unnoticed into hard drives manufactured by Western Digital, Seagate and Samsung.”

It’s tempting to believe that if this catalog exists (there were no official confirmations), it’s a rare resource only available to those with the money and technical sophistication of the NSA. Given the industrialization of malware over the past few years, however, that’s a big leap.

Posted by Brian Robinson on Feb 27, 2015 at 11:36 AM
