CyberEye


Now that’s persistent: Equation’s firmware threat

The recent revelation that the Equation Group uses disk drive firmware to plant malware in systems points to the kind of sophisticated and hard-to-tackle threat that will increasingly be a part of black hat attacks.

Kaspersky Lab, which came out with the initial report on Equation, said the group attacked the firmware of major drive makers such as Samsung, Seagate, Western Digital, Hitachi and Maxtor. Unlike other attacks, apparently no clean-up effort can scrub the firmware. That gives a whole new context to the phrase “persistent.”

Technically, the attack uses the nls_933w.dll module both to reprogram the disk drive firmware with a custom payload and to provide an application programming interface for attackers to access hidden storage sectors on the drive. Kaspersky also published a much more detailed version of its investigation (in which it breathlessly labeled Equation “The Death Star” of the malware galaxy) and listed organizations it believed the group had infiltrated, many of them government related.
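Because the firmware rewrite survives every normal clean-up, the one low-cost control a defender still has is inventory: record each drive's model, serial and firmware revision at provisioning and flag any drive whose reported revision later differs from that baseline or from the revisions the vendor actually shipped. The following is an added example of that check, not code from the article or from Kaspersky's report. It parses text in the layout of `smartctl -i` output; the drive records, the inventory baseline and the approved-firmware sets are all constructed sample values.

```python
import re

# Constructed samples in the layout of `smartctl -i` output (not real drives).
SMARTCTL_SAMPLES = [
    """=== START OF INFORMATION SECTION ===
Device Model:     ST3000DM001-1CH166
Serial Number:    Z1F0CONSTRUCTED1
Firmware Version: CC24
User Capacity:    3,000,592,982,016 bytes [3.00 TB]
""",
    """=== START OF INFORMATION SECTION ===
Device Model:     WDC WD10EZEX-08M2NA0
Serial Number:    WD-WCC6CONSTRUCT2
Firmware Version: 01.01A01
""",
    """=== START OF INFORMATION SECTION ===
Device Model:     ST3000DM001-1CH166
Serial Number:    Z1F0CONSTRUCTED3
Firmware Version: CC29
""",
]

# Constructed inventory baseline: serial -> firmware revision recorded at provisioning.
BASELINE = {
    "Z1F0CONSTRUCTED1": "CC24",
    "Z1F0CONSTRUCTED3": "CC24",
}

# Constructed (hypothetical) set of vendor-published revisions per model.
APPROVED_FIRMWARE = {
    "ST3000DM001-1CH166": {"CC24", "CC26"},
    "WDC WD10EZEX-08M2NA0": {"01.01A01"},
}

# One regex for the three identity fields; re.M lets ^ and $ match per line.
FIELD_RE = re.compile(
    r"^(Device Model|Serial Number|Firmware Version):\s*(.+?)\s*$", re.M
)


def parse_smartctl_info(text):
    """Return {'model', 'serial', 'firmware'} from smartctl -i style text."""
    fields = dict(FIELD_RE.findall(text))
    return {
        "model": fields.get("Device Model"),
        "serial": fields.get("Serial Number"),
        "firmware": fields.get("Firmware Version"),
    }


def check_drive(info, baseline, approved):
    """Compare one parsed drive against the baseline and the approved set."""
    findings = []
    serial, model, fw = info["serial"], info["model"], info["firmware"]
    if serial not in baseline:
        findings.append("unknown serial: not in inventory baseline")
    elif baseline[serial] != fw:
        findings.append(f"firmware changed since baseline: {baseline[serial]} -> {fw}")
    if model in approved and fw not in approved[model]:
        findings.append(f"firmware {fw} not in vendor-approved set for {model}")
    return findings


def audit(samples, baseline, approved):
    """Map each drive serial to its list of findings (empty list means clean)."""
    report = {}
    for text in samples:
        info = parse_smartctl_info(text)
        report[info["serial"]] = check_drive(info, baseline, approved)
    return report


if __name__ == "__main__":
    for serial, findings in audit(SMARTCTL_SAMPLES, BASELINE, APPROVED_FIRMWARE).items():
        print(serial, findings or ["ok"])
```

The revision string comes from the drive's own identify data, so firmware that has been rewritten to lie about itself will pass this check; the value of the audit is catching revisions that drift for any reason and drives that were never enrolled, not proving that the firmware is intact.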

A number of sources have suggested Equation might be a very limited threat, given the effort needed to master the level of programming required to rewrite the firmware. However, that could be an optimistic assessment given the level of sophistication that other state-sponsored groups and organized crime have shown recently.

Using hard drive firmware as an avenue of attack is also not that new of an idea. Researchers at public universities were detailing five years ago how disk drive firmware could be used to embed malicious software.

Rewriting software that controls hardware is also at the heart of what’s been described as one of the hottest hacks of 2014. BadUSB is an attack that reprograms the controller chips on USB peripherals, including thumb drives, to emulate a keyboard and allow an attacker to issue commands to download files or install malware. It can also be used to redirect network traffic or install a virus to infect an operating system before it boots.

As with the disk drive firmware attack, it’s apparently hard to clean up a BadUSB infection. Reinstalling an operating system won’t necessarily work since the drive used for that may itself be compromised, and a BadUSB device may already have replaced a system’s BIOS.
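The behaviours described above show up at enumeration time: a reprogrammed thumb drive has to present a HID interface to type commands, or a CDC interface to act as a network or serial adapter, alongside its mass-storage interface. A host can therefore flag storage devices whose interface classes do not match their supposed function. The following is an added example of that heuristic, not code from the article or from the BadUSB research. The device inventory is constructed; on Linux the same per-interface class values are exposed in sysfs under `/sys/bus/usb/devices/<dev>:<cfg>.<iface>/bInterfaceClass`, and the optional reader below uses that path when it exists.

```python
import glob
import os
from collections import defaultdict

# USB interface class codes from the USB-IF class code table.
USB_CLASS_CDC = 0x02           # communications: emulated network or serial adapters
USB_CLASS_HID = 0x03           # human interface: keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08  # thumb drives, external disks

# Constructed inventory keyed by a sysfs-style device name (not captured hardware).
DEVICES = {
    "1-1": [USB_CLASS_MASS_STORAGE],                  # ordinary thumb drive
    "1-2": [USB_CLASS_MASS_STORAGE, USB_CLASS_HID],   # storage that also types
    "1-3": [USB_CLASS_MASS_STORAGE, USB_CLASS_CDC],   # storage that also adds a NIC
    "1-4": [USB_CLASS_HID],                           # ordinary keyboard
}


def assess(interfaces):
    """Return findings for one device given its list of interface class codes."""
    classes = set(interfaces)
    findings = []
    if USB_CLASS_MASS_STORAGE in classes:
        if USB_CLASS_HID in classes:
            findings.append("storage device also presents a HID (keyboard/mouse) interface")
        if USB_CLASS_CDC in classes:
            findings.append("storage device also presents a CDC (network/serial) interface")
    return findings


def audit(devices):
    """Map each device name to its findings (empty list means nothing unusual)."""
    return {dev: assess(ifaces) for dev, ifaces in devices.items()}


def read_sysfs_interfaces(root="/sys/bus/usb/devices"):
    """Group bInterfaceClass values by parent device, e.g. '1-2:1.0' -> '1-2'.

    Returns {} when sysfs is unavailable (non-Linux hosts), so callers can fall
    back to a constructed inventory.
    """
    grouped = defaultdict(list)
    for path in glob.glob(os.path.join(root, "*:*", "bInterfaceClass")):
        iface_dir = os.path.basename(os.path.dirname(path))
        parent = iface_dir.split(":")[0]
        with open(path) as f:
            grouped[parent].append(int(f.read().strip(), 16))
    return dict(grouped)


if __name__ == "__main__":
    inventory = read_sysfs_interfaces() or DEVICES
    for dev, findings in audit(inventory).items():
        print(dev, findings or ["ok"])
```

A composite device that legitimately combines storage and HID (some encrypted drives with a keypad do) will trip this rule, so treat a hit as a prompt to verify the device against its purchase record rather than as proof of tampering.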

Researchers have been busy detailing how BadUSB attacks could be used against organizations, some of them downright scary. Michael Toecker of Context Industrial Security recently described how USB-to-serial converters that are being used to connect critical legacy hardware at industrial control plants can have their firmware reprogrammed. He tested his theory on 20 different converters; 15 of the chips could not be reprogrammed, so the attack would probably be a tough nut to crack. But that still left five that could be manipulated.

The Kaspersky revelations are not the first time firmware reprogramming has been mentioned in relation to the NSA. In December 2013, German magazine Der Spiegel published a lengthy investigative piece on the activities of the NSA, which had several months earlier been shown to have intercepted the mobile phone conversations of a number of state leaders, including that of German Chancellor Angela Merkel.

As a part of that investigation, the magazine detailed the contents of what it called the NSA’s Spy Catalog, a years-in-the-making collection of NSA-developed malware and surveillance hardware. That included, according to documents the magazine obtained, “spyware capable of embedding itself unnoticed into hard drives manufactured by Western Digital, Seagate and Samsung.”

It’s tempting to believe that if this catalog exists (there were no official confirmations), it’s a rare resource only available to those with the money and technical sophistication of the NSA. Given the industrialization of malware over the past few years, however, that’s a big leap.

Posted by Brian Robinson on Feb 27, 2015 at 11:36 AM
