SAS: Reprogramming Hard Drives

Thursday, February 19, 2015 @ 10:02 AM gHale

An advanced cyber-espionage group is able to change the firmware of more than a dozen hard drive brands, possibly infecting thousands of computers, and may have a link back to Stuxnet.

Seagate, Western Digital, Toshiba, Maxtor, Micron, Samsung and IBM are among the affected brands.


Among the tools used by the bad guys is a module named “nls_933w.dll,” whose purpose is “to reprogram the hard drive firmware of over a dozen different hard drive brands,” said researchers at Kaspersky Lab during a Monday session at Kaspersky’s Software Analyst Summit 2015 (SAS) in Cancun, Mexico.

This module is probably the most powerful one used by the group called Equation and it represents a technical achievement that proves the sophistication level of the group’s abilities.

By planting the infection in the firmware of the hard drive, Equation ensured persistence on the machine until the tampered drive was replaced: wiping the hard disk and/or reinstalling the operating system would have no effect, and the infection would recur.

The researchers caught two malicious modules that could reprogram HDD firmware. One of them, compiled in 2013 and found in the GrayFish malicious platform, is able to affect no fewer than 12 brands.

The first version was detected in the EquationDrug platform, and researchers found a compilation date from 2010. It affected six HDD brands.

Reprogramming the firmware of the storage devices allowed the bad guys to create a hidden data storage space isolated from the operating system, which could only be accessed through specific methods created by the attacker.
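The two paragraphs above describe an implant that lives below the operating system, so nothing on the disk can be trusted to reveal it. One thing a defender can still do is keep an inventory of the firmware revisions that drives report and flag any drift from a commissioning baseline. The following is an added example, not code from the article or from Kaspersky's research: it parses the identification block that `smartctl -i` prints for ATA drives (a real tool; the `Device Model`, `Serial Number` and `Firmware Version` labels are the ones it emits) and compares each drive against an approved set. The sample output, serial numbers, model names and baseline are all constructed.

```python
"""Firmware-revision baseline check over smartctl identification output.

Added example, not from the article. The smartctl output and the baseline
below are constructed; in practice the text would come from running
`smartctl -i /dev/sdX` on each attached drive.
"""
import re
from dataclasses import dataclass

# Constructed sample of `smartctl -i` output for three drives.
SAMPLE_OUTPUT = {
    "/dev/sda": """\
Model Family:     Example Family
Device Model:     EXAMPLE-HDD-1TB
Serial Number:    CONSTRUCTED0001
Firmware Version: AB12
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
""",
    "/dev/sdb": """\
Device Model:     EXAMPLE-HDD-1TB
Serial Number:    CONSTRUCTED0002
Firmware Version: AB13
""",
    "/dev/sdc": """\
Device Model:     EXAMPLE-SSD-500GB
Serial Number:    CONSTRUCTED0003
Firmware Version: ZZ99
""",
}

# Approved firmware revisions per model, recorded when the fleet was
# commissioned (constructed). EXAMPLE-SSD-500GB is deliberately absent so
# that an unknown model is also surfaced rather than silently accepted.
BASELINE = {
    "EXAMPLE-HDD-1TB": {"AB12"},
}

# Matches one "Label: value" line of the identification block.
_FIELD = re.compile(
    r"^(Device Model|Serial Number|Firmware Version):\s*(.+?)\s*$", re.M
)


@dataclass
class DriveInfo:
    device: str
    model: str
    serial: str
    firmware: str


def parse_smartctl_info(device: str, text: str) -> DriveInfo:
    """Extract model, serial and firmware revision from smartctl -i text."""
    fields = dict(_FIELD.findall(text))
    return DriveInfo(
        device,
        fields.get("Device Model", "?"),
        fields.get("Serial Number", "?"),
        fields.get("Firmware Version", "?"),
    )


def check_drives(outputs: dict, baseline: dict) -> list:
    """Return (device, reason) pairs for every drive that deviates from the baseline."""
    findings = []
    for device, text in outputs.items():
        info = parse_smartctl_info(device, text)
        approved = baseline.get(info.model)
        if approved is None:
            findings.append((info.device, f"model {info.model} not in baseline"))
        elif info.firmware not in approved:
            findings.append(
                (info.device,
                 f"firmware {info.firmware} not in approved set {sorted(approved)}")
            )
    return findings


if __name__ == "__main__":
    for device, reason in check_drives(SAMPLE_OUTPUT, BASELINE):
        print(f"{device}: {reason}")
```

The caveat matters more than the script: the string being compared is produced by the very firmware under suspicion, so a matching revision proves nothing about integrity, and a tampered controller can report whatever it likes. A mismatch is a lead (an unsanctioned update, a swapped drive, or worse) that warrants pulling the drive for vendor-side verification; a match only means the drive is not obviously out of inventory.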

The affected units see use by government and diplomatic institutions, telecommunication companies, organizations operating in fields such as aerospace, energy, nuclear research, oil and gas, military, nanotechnology, transportation and finance, and entities developing encryption technologies.

Researchers found evidence the Equation group relied on malware pieces compiled in 2002, although the command and control (C&C) server used for transmitting the data was registered in 2001. However, they also found other C&Cs used by the group with registrations as far back as 1996, suggesting the group has been active for almost 20 years.

Six Trojans have been identified by the researchers (named EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish by Kaspersky), but their number is likely larger as others have yet to be identified.

Kaspersky researchers said Equation interacted with the groups behind Stuxnet and Flame, “always from a position of superiority, as they had access to exploits earlier than the others.”

The connection with the actors behind Stuxnet was in the Fanny worm, detected in December 2008 and tasked with mapping air-gapped systems. Fanny used two of the zero-day exploits employed by the tool that attacked the Iranian nuclear plant at Natanz. Furthermore, Fanny spread using the LNK exploit employed in the Stuxnet attack.

The exploits were first incorporated in Fanny and then observed in early versions of Stuxnet. This indicates the Equation group had access to the security flaws before the group behind Stuxnet did.

The fact that different computer worms used the same exploits at around the same time indicates the Equation group members and the developers of Stuxnet are either the same or are working together, Kaspersky researchers said.
