Kaspersky Lab researchers have discovered a set of cybertools being used by a cyberespionage group to target countries such as Iran and Russia.
The tools were created by the "Equation" group, and while they have not officially been linked to the National Security Agency, they have strong similarities to NSA techniques that were described in documents leaked in 2013.
"The Equation group uses multiple malware platforms, some of which surpass the well-known 'Regin' threat in complexity and sophistication," said Kaspersky Lab in its report. "The Equation group is probably one of the most sophisticated cyberattack groups in the world; and they are the most advanced threat actor we have seen."
The tools developed by Equation are unique in a number of ways. First of all, they are far more complex and expensive to develop than other tools. They are also extremely professional in the way they extract and steal data.
To infect victims, the Equation group uses a number of different Trojans and tools. It also uses two variations of the computer worm Stuxnet, which are able to strike both Windows and Mac computers.
The countries most hit by Equation include Iran, Pakistan, Afghanistan, India and China. Specific targets are the military, government and research institutions.
While it's not certain who is behind it, it is implied that it is the NSA, aiming to spy on other countries. It certainly would not be surprising if it were the NSA.
The malware itself is able to reprogram hard drive firmware, creating hidden portions of the hard drive that can only be accessed through an API, or application programming interface. After the malware has been installed, it is impossible to remove. Formatting the hard drive does not affect it.
This suggests that there is currently no known way to remove it, apart from destroying the drive.
The malware can target hard drives from Seagate Technology, Western Digital, Hitachi, Samsung and Toshiba, and it is able to modify these drives through two different platforms, called "EquationDrug" and "GrayFish."
It's important to note that it's not currently known if hard drive companies have been collaborating with the NSA for this. Spokespeople from Seagate and Micron have said that they have not knowingly provided the NSA with the source code for hard drive firmware, which would be required for the NSA to be able to alter it.
In fact, it would be rather easy for the NSA to acquire source code for hard drive firmware, simply by posing as a software developer or by stealing it in some other way.