Security firms the world over dream of a day like this, but this one belongs to Kaspersky. The Russia-based firm has uncovered a threat actor that could be linked to the US Government, and the NSA in particular. Kaspersky has dubbed the group Equation, a nod to the operators' fondness for strong encryption algorithms and other obfuscation techniques throughout their tooling.
Through its Global Research and Analysis Team (GReAT), Kaspersky has found that Equation built its own family of advanced malware platforms, dating back to at least the early 2000s, and that it had extremely close ties to the groups behind some infamous malware, Stuxnet included.
Here's how Kaspersky summarizes Equation:
The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” threat in complexity and sophistication. The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen.
It's Equation's overlap with the group responsible for Stuxnet that marks it out as having close ties with the NSA: Kaspersky found that the Fanny worm was using two zero-day exploits in 2008 that only later turned up in Stuxnet, which implies Equation had access to those exploits first. After the revelations of Edward Snowden in mid-2013, we learned that Stuxnet was an NSA-led effort -- so there we have it. That said, Kaspersky isn't laying blame quite yet, and maybe for good reason: shared exploits show the groups were connected, not that they were the same organisation.
As the screenshot below shows, Equation is credited with a large number of implants dating from 2001 onward, including EquationLaser, DoubleFantasy, TripleFantasy, EquationDrug, Fanny and GrayFish, among others.
Based on the Kaspersky-created map below, Equation's targeting looks highly selective rather than indiscriminate: the victims Kaspersky lists are concentrated in government and diplomatic institutions, military, telecom, energy, aerospace and research organisations, not in mass surveillance of ordinary users. Countries said to have had high infection rates include Iran, Russia, Pakistan and Afghanistan.
While Equation has been responsible for a lot of different pieces of malware, one infection technique in particular stands out. The group built a module that reflashes the firmware of hard drives from over a dozen manufacturers, so its code runs on the drive's own controller rather than on the host. What makes this so dangerous is that anti-malware scanners run inside the operating system and cannot see code executing on the drive's controller; from the host's point of view it is effectively invisible, and the reflashed firmware can also carve out hidden storage that survives anything the operating system does to the disk.
The scarier thing about such malware is its persistence. You could format the drive as many times as you'd like, and rewrite the MBR as many times as you'd like, and it would remain, because neither operation touches the firmware. In principle a clean reflash of vendor firmware would remove it, but updating hard drive firmware isn't common, most drives offer no way to read back the firmware they are running, and a controller that is already compromised cannot be trusted to report honestly on itself or even to apply the update it claims to accept. In practice the only safe remedy is to replace the drive.
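Because the host cannot inspect drive firmware directly, the one data point it can still collect is what the drive reports about itself through the ATA IDENTIFY DEVICE command: model, serial number and firmware revision, which can then be compared against the vendor's published firmware list. The C program below is an added example written for this page, not code from Kaspersky's report or from the Equation group's tooling. It parses the 512-byte IDENTIFY DEVICE block (the string fields are stored with the two bytes of each 16-bit word swapped) and, on Linux, issues the command itself via the HDIO_DRIVE_CMD ioctl; the sample block it falls back to is constructed, not captured from any real drive. The caveat from the text applies in full: this asks the controller about itself, so a drive running attacker-controlled firmware can misreport every field.

```c
/*
 * Added example (not from the article or Kaspersky's report): read the
 * model, serial and firmware revision a SATA/ATA drive reports via
 * ATA IDENTIFY DEVICE, for comparison with the vendor's firmware list.
 * Caveat: a compromised controller can lie about all three fields.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#ifdef __linux__
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/hdreg.h>   /* HDIO_DRIVE_CMD, WIN_IDENTIFY (0xEC) */
#endif

struct ata_identity {
    char serial[21];    /* words 10-19: 20 ASCII chars */
    char firmware[9];   /* words 23-26:  8 ASCII chars */
    char model[41];     /* words 27-46: 40 ASCII chars */
};

/* ATA stores ASCII strings with the two bytes of each 16-bit word swapped
 * ("eSgata" on the wire for "Seagat"). Copy nwords words starting at
 * `word`, un-swap each pair, strip trailing spaces and NUL-terminate. */
static void ata_string(const uint8_t *id, int word, int nwords, char *out)
{
    int n = nwords * 2;
    for (int i = 0; i < nwords; i++) {
        out[2 * i]     = (char)id[(word + i) * 2 + 1];
        out[2 * i + 1] = (char)id[(word + i) * 2];
    }
    while (n > 0 && (out[n - 1] == ' ' || out[n - 1] == '\0'))
        n--;
    out[n] = '\0';
}

/* Parse a raw 512-byte IDENTIFY DEVICE block into the three strings. */
int ata_parse_identify(const uint8_t id[512], struct ata_identity *out)
{
    memset(out, 0, sizeof *out);
    ata_string(id, 10, 10, out->serial);
    ata_string(id, 23, 4,  out->firmware);
    ata_string(id, 27, 20, out->model);
    return 0;
}

/* Inverse of ata_string, used to build constructed sample blocks: write
 * `s` into the swapped ATA layout, space-padded to nwords words. */
void ata_encode_string(const char *s, uint8_t *id, int word, int nwords)
{
    size_t len = strlen(s);
    for (int i = 0; i < nwords * 2; i++) {
        char c = (size_t)i < len ? s[i] : ' ';
        id[word * 2 + (i ^ 1)] = (uint8_t)c;   /* i^1 swaps within a pair */
    }
}

/* Issue IDENTIFY DEVICE to the drive at `dev` (e.g. "/dev/sda"; needs
 * root). Returns 0 on success, -1 on failure or on non-Linux systems. */
int ata_identify_device(const char *dev, struct ata_identity *out)
{
#ifdef __linux__
    uint8_t args[4 + 512] = {0};
    args[0] = WIN_IDENTIFY;   /* ATA command 0xEC */
    args[3] = 1;              /* one 512-byte sector of data expected */
    int fd = open(dev, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    int rc = ioctl(fd, HDIO_DRIVE_CMD, args);
    close(fd);
    if (rc != 0) return -1;
    return ata_parse_identify(args + 4, out);   /* data follows the 4-byte header */
#else
    (void)dev; (void)out;
    return -1;
#endif
}

int main(int argc, char **argv)
{
    struct ata_identity id;
    if (argc > 1) {
        if (ata_identify_device(argv[1], &id) != 0) {
            perror("IDENTIFY DEVICE");
            return 1;
        }
    } else {
        /* Constructed sample block; values are made up for illustration. */
        uint8_t raw[512] = {0};
        ata_encode_string("SN0000EXAMPLE", raw, 10, 10);
        ata_encode_string("FW01",          raw, 23, 4);
        ata_encode_string("Example Disk",  raw, 27, 20);
        ata_parse_identify(raw, &id);
    }
    printf("model    : %s\nserial   : %s\nfirmware : %s\n",
           id.model, id.serial, id.firmware);
    printf("Compare the firmware revision with the vendor's published list;\n"
           "a compromised controller can misreport all three fields.\n");
    return 0;
}
```

Run it as root with a device path (`./identify /dev/sda`) to query a real drive, or with no arguments to parse the constructed block. Treat a mismatch against the vendor list as a reason to investigate, and a match as weak evidence only: the firmware being checked is the very thing answering the question.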
If you want to read more about the Equation group in far more depth, I'd recommend checking out the official PDF (right-click, download).
While it seems entirely likely that Equation is directly linked to the NSA, it might be some time before we can see the blame correctly laid. Perhaps Edward Snowden will have some insight?