NSA behind ‘Equation group’ malware that infects hard drive firmware

The U.S. National Security Agency (NSA) is likely behind a first-of-its-kind attack that embeds spyware in the firmware of hard drives from major manufacturers, according to a report released by security vendor Kaspersky on Monday.

The Moscow-based firm didn’t identify any country as being behind the spyware campaign it has dubbed Equation. But it did say the spyware is closely linked to Stuxnet, a malware program that many suspect the U.S. used to infect an Iranian nuclear power plant. In fact, Kaspersky says it’s possible Equation was used to deliver Stuxnet. In a Reuters report, former NSA operatives confirm the agency has long held the ability to embed spyware onto hard drives.

Map of victims infected by Equation malware: Kaspersky

Kaspersky says it has identified about 500 victims of the malware worldwide, but notes that since there is a built-in self-destruct mechanism, it is likely the numbers affected are much higher. But Canadians aren’t among those impacted by the malware, with the numbers highest in the Middle East and across Russia (see above map). Targets range from government organizations, military and telecommunication firms to banks, media, and energy companies.

Hard drive brands affected by the malware include Western Digital, Seagate, Toshiba, and Samsung. The spyware traces back as far as 2001 and is compatible with all versions of Microsoft Windows, including Windows 8. Kaspersky also believes a Mac OS X version of the malware exists.

While many may be infected, those that are actually snooped on by the Equation group are few. Kaspersky says that a type of “validator” malware known as DoubleFantasy is installed as a first stage to determine whether a target is of interest. The malware is implanted on user machines using web browser vulnerabilities, and the malicious PHP script used to deliver the payload was seen on Islamic Jihadist discussion forums and in ads on popular Middle East websites.

The validator malware either self-destructs if the target is not of interest, or downloads higher-grade malware onto the system if the victim is deemed of interest.

Kaspersky discovered the Equation malware campaign while investigating a honeypot computer it had set up to attract high-level malware. At the time, it was investigating the already-known ‘Regin’ malware, which is also believed to be used for espionage by an unidentified group.

If you’re curious whether your systems are impacted by Equation, Kaspersky lists many of the indicators of compromise at the end of its report, including the command and control servers the malware contacts to trigger different activity.

Brian Jackson
Editorial director of IT World Canada. Covering technology as it applies to business users. Multiple COPA award winner and now judge. Paddles a canoe as much as possible.
