
The NSA compromised hard disk firmware to spread spyware

The National Security Agency (NSA) has managed to infect hard disk firmware with spyware to spread Stuxnet. The agency did this at least 14 years ago, according to an analysis by Kaspersky Lab.

The campaign has probably infected tens of thousands of computers at telecommunications providers, governments, armies, utilities, and media companies, among others, in more than 30 countries.

The NSA has allegedly compromised the firmware of hard drives from several leading brands, including Seagate, Western Digital, IBM, Toshiba, Samsung and Maxtor, according to Kaspersky.

Kaspersky's analysis says that the NSA discovered a vulnerability in hard drive firmware, which it targeted with malware known only as nls_933w.dll that can persist even after formatting and re-infect targeted systems.

The researchers said that an NSA group called 'The Equation Group' had access to the source code of the firmware and was able to gain full control and remotely access the infected machines of high-value targets.

"The 'Equation Group' is probably one of the most sophisticated cyber attack groups in the world," says Kaspersky.

“It is an amazing technical achievement and it is for the abilities of the team.”

"For many years they have carried out many attacks, such as with Stuxnet and Flame, and always from a position of superiority, as they had access to exploits earlier than others."

The campaign was called "Death Star" and you can read more details in the PDF.

Western Digital, however, said it did not share its firmware source code with the agency. Of course, it is still not known whether the other hard disk manufacturers had done so.

But what could the trojans do?

EQUATIONDRUG - A very complex attack platform used by the group. It supports a plugin system, which can be dynamically loaded and unloaded by the attackers.
DOUBLEFANTASY - A validator Trojan, designed to confirm that the target is the intended one. If the target is confirmed, it is upgraded to a more advanced platform such as EQUATIONDRUG or GRAYFISH.
EQUESTRE - same as EQUATIONDRUG.
TRIPLEFANTASY - Full-featured backdoor sometimes used in conjunction with GRAYFISH. Looks like a DOUBLEFANTASY upgrade, and is probably a more recent validation program.
GRAYFISH - The most advanced attack platform of the EQUATION Group. It is based on the registry, and relies on a bootkit to run when the operating system boots.
FANNY - A worm created in 2008 and used to gather information on targets in the Middle East and Asia. It is first upgraded to DoubleFantasy, and then to EQUATIONDRUG.
EQUATIONLASER - One of the first implants of the EQUATION Group. Used from 2001 to 2004. Compatible with Windows 95/98.

Written by Dimitris