Hacker group infects hard drive firmware

Zeros and Ones with Virus

As the Russian IT security company Kaspersky recently claimed, a group of hackers has been up to mischief around the world for decades. The cyber pirates rely on highly developed technologies that have for some time been associated with the US intelligence agency NSA or other intelligence services.

The report now published should concern not only hard drive manufacturers. Companies, governments, research institutions and public authorities also have to deal with the issue.

No one knows exactly how long this group has been active. An extensive search for clues traced malware back to 1996, which would mean the hacker group has been in business for 20 years. The damage to the affected governments and companies cannot yet be estimated.

Kaspersky published some alarming details. According to the company, the Equation Group attacked companies, authorities, institutions and governments in more than 30 countries. To do this, malware placed on the hard drive creates a hidden area in which it stores important data and retrieves it later. The possible manipulation of the affected hard disk firmware, however, is considered particularly critical.

Manipulation at the highest level

For the attacks themselves, the Equation Group uses numerous Trojans. Infecting hard drive firmware with malware is the most effective method: the firmware is manipulated through a series of undocumented ATA commands.

Another Equation Group method is software that is able to scan networks that are not connected to the Internet. For this, the group uses a USB stick that collects information from the network as soon as it is plugged into a computer. If that computer is later connected to the Internet, there is an unwanted exchange of data to and from the Internet. In this way, even networks that are not connected to the Internet can be manipulated.

Infection of a computer via a CD is also possible. For example, participants at a scientific conference in Houston (USA) received a CD with what purported to be conference materials; the malware was then installed on their personal PCs from this CD. It remains unclear where these CDs were compromised.

Windows is the preferred target operating system. However, there are also indications of infections of other operating systems such as Mac OS X, and even iPhones are not spared from the cyber attack. The user is directed via a PHP script to a page hosting an exploit (code abusing a vulnerability) and infected there.

One of the most advanced pieces of malware found is an implant called GrayFish, which was programmed between 2008 and 2013 for different Windows versions. The bit width did not matter: the 32-bit version was affected as well as the 64-bit version.

When a machine is infected with GrayFish, the malware takes over the boot process and thus gains full control of the computer. In the course of this manipulation, the malware creates its own encrypted file system in the directory. Drivers are also infected in the process.

The malware cannot be removed. According to Kaspersky researcher Fabio Assolini, only completely disposing of or destroying the hard drive solves the problem; even formatting the hard drive or installing a new operating system does not help. The malware is hidden on the hard disk in such a way that even sophisticated antivirus software cannot detect it.

Attack of devastating proportions

According to Kaspersky, more than 30 countries have so far been victims of this cyber attack. Those affected include research institutions, telecommunications companies, governments, diplomatic institutions and mass media, including in the USA, Germany, Great Britain and France. Russia and Iran are particularly affected.

Hard drives from Samsung, Seagate, Western Digital, Toshiba and Maxtor are said to be affected by this malware. Presumably, the firmware is only reprogrammed when the target or purpose makes it worthwhile. According to observations, users from certain IP address ranges were not infected, including those in Turkey, Jordan and Egypt.

Do US secret services have a hand in this?

Kaspersky does not dare to openly take a stand against the US authorities. However, its assumptions lead to the suspicion that, while the Equation Group did not work directly with the intelligence services, there is cooperation with the developers of Stuxnet and Flame.

According to the report, the developers are said to have exchanged vulnerabilities, so-called zero-day flaws, which the hackers of the Equation Group used for their attacks. Since Flame and Stuxnet have been attributed to the NSA and CIA, it is reasonable to assume that these organisations were also involved in the Equation Group attacks. A denial or a public statement on the situation by the intelligence services or by the hacker group itself is not to be expected.
