“Equation Group” Hackers Tied to NSA Has Hidden ‘Fanny Worm’ Malware In Hard Drives, Globally
In what could be most damning revelation this year since the 2013 Snowden leaks, Russian security firm Kaspersky has presented a report that the National Security Agency (NSA), the snooping agency for the United States has been involved in a globally-organised hacking campaign aimed at the firmware of hard drives.
Kaspersky report says that NSA undertook firmware method to put a backdoor in the hard drives manufactured by as many as 12 major HD manufacturers. The operation has been dubbed as “Equation Group” by researchers of Kaspersky Lab and took help of hackers to secretly intercept a package in transit, booby-trapped its contents, and sent it to its intended destination. Kaspersky had dubbed the group as Equation Group because it is apparent use of heavy encryption tools and algos, obfuscation methods and advanced delivery mechanism
Kaspersky report notes that somewhere in mid 2002 or 2003, Equation Group members used the Oracle database installation CD to infect multiple targets with malware from the group’s extensive library.
As per Kaspersky the number of victims of this cyber snooping operating can range in ‘tens of thousands of victims’ in over 42 countries spread across the globe. NSA apparently used this method to infect PCs primarily in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali at the top of the list.
The NSA victims centred in critical fields including aerospace, nuclear research, government, telecommunications, Islamic activists, energy, and industries, financial concerns, encryption technologies and infrastructure supply chains. Kaspersky researchers say it is difficult to arrive at a absolute number of infections done by the Equation Group because of a self-destruct mechanism built into the malware.
“It seems to me Equation Group are the ones with the coolest toys,” Costin Raiu, director of Kaspersky Lab’s global research and analysis team, told Ars Technica. “Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.”
Backdoor through BIOS
Each and every computer may have its own operating system and anti virus/anti snooping detection engines. But each and every computer has a hardware which runs on its own hardware. This hardware popularly called as firmware is used at the boot level to start the machine, run system checks and communicate with the PC’s operating system. NSA and its hacker allies used this part of the PC operation to deliver the tracking backdoor. This way it not only spied on the victims throughout the PCs lifespan but was also able to avoid detection from all major security service providing software.
Kaspersky’s Costin Raiu has also noted that not only is the malicious payload resistant to any interference at boot-time, but that it can not even be read in normal conditions due to highly leveraged obfuscation methods,
“[For] most hard drives there are functions to write into the hardware firmware area,” says Raiu. “but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware.”
Though Kaspersky cannot directly connect the “Equation Group’ to the NSA but in the report it says that the backdoor malware called ‘Fanny worm’ had links to the deadly NSA-originated Stuxnet malware. NSA had written Stuxnet to wage a cyberwar against the Irans’ nuclear facilities and is credited with pushing the Iranian uranium enrichment programme back to the ‘dark ages’ and succeeding in bringing it to the negotiating table with the world powers on nuclear proliferation.
Reuters on the other hand has directly pointed towards NSA by stating to have heard from an ex-NSA employee who confirms the verity of the Kaspersky report. Reuter’s another source has also confirmed that the NSA has developed ‘the prized technique of concealing spyware in hard drives’, but could not identify which agency or department was making use of the capability.
The Equation Group’s ‘Fanny worm’ malware is designed to map the topology of air-gapped networks i.e. groups of computers which are not directly connected to each other by using infected USB sticks as a delivery vector between the two unconnected machines. Once the ‘Fanny Worm’ is installed into the PC, it starts retrieving information and broadcasting it to a network of command-and-control (C&C) servers.
Kaspersky report notes that they had been able to identify seven different variants of Fanny worm, including one against the fork of the Firefox web browser which is used in the popular online encryption tool Tor anonymiser network.
China apparently knew about the malware and backdoor because in 2014, it decided to replace the IBM technology for its PCs with its Tiansuo K1 system with Chinese-originated servers from Inspur.