Moscow-Based Security Firm Reveals What May Be The Biggest NSA "Backdoor Exploit" Ever

Tyler Durden's picture

Since 2001, a group of hackers - dubbed the "Equation Group" by researchers from Moscow-based Kaspersky Lab - have infected computers in at least 42 countries (with Iran, Russia, Pakistan, Afghanistan, India, and Syria most infected) with what Ars Technica calls "superhuman technical feats" indicating "extraordinary skill and unlimited resources."

The exploits - including the 'prized technique' of the creation of a secret storage vault that survives military-grade disk wiping and reformatting - cover every hard-drive manufacturer and have many similar characteristics to the infamous NSA-led Stuxnet virus.

According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.

 

Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.

 

"The hardware will be able to infect the computer over and over," lead Kaspersky researcher Costin Raiu said in an interview.

 

...

 

Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.

The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.

Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as "zero days," which strongly suggested collaboration by the authors, Raiu said. He added that it was "quite possible" that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.

Which, as Reuters reports, strongly suggests the "extraordinary skills and unlimited resources" were funded by the NSA...

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

 

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

 

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

 

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.

 

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

The global coverage is clearly focused in a particular region (and not in the US)...

As Kaspersky exposes, victims generally fall into the following categories:
• Governments and diplomatic institutions
• Telecommunication
• Aerospace
• Energy
• Nuclear research
• Oil and gas
• Military
• Nanotechnology
• Islamic activists and scholars
• Mass media
• Transportation
• Financial institutions
• Companies developing cryptographic technologies

As an interesting note, some of the “patients zero” of Stuxnet seem to have been infected by the EQUATION group. It is quite possible that the EQUATION group malware was used to deliver the STUXNET payload.

So far, Kaspersky have identified several malware platforms used exclusively by the Equation group. They are:

EQUATIONDRUG – A very complex attack platform used by the group on its victims. It supports a module plugin system, which can be dynamically uploaded and unloaded by the attackers.

DOUBLEFANTASY – A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they get upgraded to a more sophisticated platform such as EQUATIONDRUG or GRAYFISH.

EQUESTRE – Same as EQUATIONDRUG.

TRIPLEFANTASY – Full-featured backdoor sometimes used in tandem with GRAYFISH. Looks like an upgrade of DOUBLEFANTASY, and is possibly a more recent validator-style plugin.

GRAYFISH – The most sophisticated attack platform from the EQUATION group. It resides completely in the registry, relying on a bootkit to gain execution at OS startup.

FANNY – A computer worm created in 2008 and used to gather information about targets in the Middle East and Asia. Some victims appear to have been upgraded first to DoubleFantasy, and then to the EQUATIONDRUG system. Fanny used exploits for two zero-day vulnerabilities which were later discovered with Stuxnet.

EQUATIONLASER – An early implant from the EQUATION group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DOUBLEFANTASY and EQUATIONDRUG.

Although the implementation of their malware systems is incredibly complex, surpassing even Regin in sophistication, there is one aspect of the EQUATION group’s attack technologies that exceeds anything Kaspersky has ever seen before.

This is the ability to infect the hard drive firmware.

The plugin version 4 is more complex and can reprogram 12 drive “categories”


 

*  *  *

So to summarize:

1) US sanctions Russia

 

2) a Russian-based research group (Kaspersky Lab is an international group operating in almost 200 countries and territories worldwide. The company is headquartered in Moscow, Russia, with its holding company registered in the United Kingdom. Kaspersky Lab currently employs over 2,850 qualified specialists) reveals that, through Equation group's code, there is NSA presence across the supply chain of the highest-margin US products.

 

3) As Reuters notes, the exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.

 

4) And Peter Swire, one of five members of U.S. President Barack Obama's Review Group on Intelligence and Communications Technology, said the Kaspersky report showed that it is essential for the country to consider the possible impact on trade and diplomatic relations before deciding to use its knowledge of software flaws for intelligence gathering. "There can be serious negative effects on other U.S. interests," Swire said.

It appears the 'boomerang' is boomerang-ing...

*  *  *

Full Kaspersky Labs report below:

Equation Group Questions and Answers

max2205's picture

Does it stop the cntr P keys?

Publicus's picture

China is getting rid of US tech companies in its market one by one.

 

Intel will be banned.

seek's picture

CPUs aren't the problem/threat vector, code is. Systems with code (BIOS, firmware, etc) are the primary threats and the way you control those is to bring design and manufacturing in-house and lock down upgrade mechanisms.

So Intel may or may not be banned, but no country that cares about its security will be using anything other than closely monitored domestically manufactured systems.

I predict a resurgence in ROM-based firmware for certain classes of systems, good luck infecting that across a reboot. And probably a return to some old-school analog or ladder logic control systems.

KingFiat's picture

Most CPUs today have built-in microcode making them vulnerable to attacks like this. Such attacks may already be out in the wild, as they are harder to discover than the storage-based just exposed.

Anusocracy's picture

Just boycott American shit.

BurningFuld's picture

Which begs the question.....Why do the retards that make hard drives make their firmware writable?

NidStyles's picture

I bet this was created by Israel. An answer to that not naming which country was responsible.

NoDebt's picture

"Hard drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up."

Which means you can pretty well guarantee it's in the BIOS, too.  Why would you stop at hard drive firmware when you could do the whole shootin' match?

 

knukles's picture

Toldja toldja toldja
Front and back end running
If it's connected to the ethernet, it's not yours.

 

ACP's picture

I just don't understand why 0bombya loves exploiting everyone's back door?

Supernova Born's picture

There is no way AI is going to be kept out of this spy vs. spy fight.

The also rans will be forced to turn AI loose on issues such as these in an attempt to get ahead.

Elon and Stephen should be aware.

The genie has left the building.

Ying-Yang's picture

If Roles were Reversed?

Headline reads Microsoft Security Essentials discovered hackers from Russia have taken over computers in 42 countries including the United States of America.

Mexico and Canada were targeted as well. Most all American hard drive manufacturers were hacked or compromised to become a virus breeder farm to infect and control computers worldwide.

Biggest and baddest hackers money can buy.

We know what you do as you do it. We make your Apple do what we want it to. Feel violated yet? Russians inside your bedroom or man cave, at work and Starbucks... baby!

WTF are you gonna do? Obama?

Richard Chesler's picture

No surprise here.

Everyone knows Obongo LOVES "backdoor exploits".

 

Jafo's picture

Don't you wish he would use some Vaseline!

clymer's picture

good work by Kaspersky. Given that this is a Windows-specific exploit, the two questions that come to mind: 1.) Was this developed with cooperation from Microsoft? and 2.) How long before Linux overtakes Windows on the desktop in China, Russia, India, Brazil, South Africa, everywhere else? Companies will soon realize that you don't need to rely on a fucking domain controller to centrally manage an IT infrastructure. There are LDAP alternatives to Active Directory.

"EquationDrug’s core modules, designed for hooking deep into the OS, do not contain a trusted digital signature and cannot be run directly on modern operating systems. The code checks whether the OS version predates Windows XP/2003. Some of the plugins were designed originally for use on Windows 95/98/ME. If the target is using a modern operating system such as Windows 7, the attackers use the TripleFantasy or GrayFish platforms. EquationDrug has an integrated countdown timer, presumably designed to self-destruct if commands are not received from the C&C for a period of time (several months). The information stolen from the PC and prepared for transmission to the C&C is stored in encrypted form throughout several fake font files (*.FON) inside the Windows\Fonts folder on the victim's computer"
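
Added example, not from the article or from Kaspersky's report: a defender-side scan for the storage trick quoted in the comment above, where stolen data is parked as encrypted fake *.FON files in Windows\Fonts. It assumes that genuine .FON files are 16-bit NE executables starting with an "MZ" header, that ciphertext has near-uniform byte distribution, and that 7.5 bits/byte is a reasonable (tunable) entropy cutoff; the sample files are constructed inline.

```python
# Added example: flag *.fon files under a Fonts directory that do not look like
# real font resources. Heuristics, not a signature: a real .FON is a 16-bit NE
# executable beginning with "MZ"; an encrypted data blob has no MZ header and
# (with or without a forged header) near-uniform byte statistics.
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cutoff, tune for your fleet


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, maximum 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_font_file(path: Path) -> dict:
    """Return the indicators for one *.fon file."""
    data = path.read_bytes()
    ent = shannon_entropy(data)
    has_mz = data[:2] == b"MZ"
    return {
        "path": str(path),
        "mz_header": has_mz,
        "entropy": round(ent, 2),
        # Flag files that are not executables at all, or that look like ciphertext.
        "suspicious": (not has_mz) or ent > ENTROPY_THRESHOLD,
    }


def scan_fonts_dir(fonts_dir: Path) -> list[dict]:
    """Inspect every .fon file (case-insensitive suffix) directly inside fonts_dir."""
    results = []
    for p in sorted(fonts_dir.iterdir()):
        if p.is_file() and p.suffix.lower() == ".fon":
            results.append(inspect_font_file(p))
    return results


def build_sample_fonts_dir() -> Path:
    """Constructed sample directory: one benign-looking file and two fakes."""
    d = Path(tempfile.mkdtemp(prefix="fonts_"))
    # Looks like a real NE-format font: MZ stub followed by low-entropy padding.
    (d / "vgasys.fon").write_bytes(b"MZ" + b"\x00" * 200 + b"NE" + b"\x00" * 300)
    # Fake font: no MZ header, random bytes standing in for ciphertext.
    (d / "xpsys.fon").write_bytes(os.urandom(4096))
    # Fake font that forges an MZ header but is otherwise ciphertext-like.
    (d / "sys8.fon").write_bytes(b"MZ" + os.urandom(4094))
    return d


if __name__ == "__main__":
    # On a real host, point scan_fonts_dir at Path(r"C:\Windows\Fonts") instead.
    for r in scan_fonts_dir(build_sample_fonts_dir()):
        print(r)
```

A hit is only a lead: confirm it by checking whether the file is referenced by the registry's font list and whether its NE header parses, rather than deleting on the entropy score alone.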


commander gruze?'s picture

It's a bare-metal infection platform and is not OS-specific, from what I gather from the article. Thus, Linux or MacOS specific modules could be written. Since the code starts above OS level, the only solution I see is to use non-standard OS. Plan9 anyone?

And my usual bitcoin plug: I can't see that affecting multi-signature bitcoin wallets where keys are distributed between multiple machines.

Manthong's picture

That’s it.

I’m breaking out the old 8088’s and Bell 103 modems.

Emails to mom must remain secure.

Ying-Yang's picture

China has made its own OS

The homegrown OS, named China Operating System (COS), is essentially meant to compete with OS X, iOS, Windows, or Android.

Yes it is Linux based... bye bye Microsoft and friends. At least in China.

Manthong's picture

So, Linux gets a Chinese back door now.

Gaius Frakkin' Baltar's picture

All things being equal, I'd take a Chinese or Russian compromised device over a NSA compromised device because I live in 'Murika under DC's boot... just as long as they don't share information with DC.

ILLILLILLI's picture

>> I’m breaking out the old 8088’s and Bell 103 modems.

I'm removing all of my fonts...

duo's picture

If you didn't compile it yourself, you don't know if it's safe.

exi1ed0ne's picture

Even then compilers can adjust the code and can inject anything they want into it.  Bit of a chicken/egg problem in computers.  How do you compile a compiler (yes, that's a thing) when the microcode in the chip or bios might be suspect?  There is a whole chain of things that have to happen in order to make software, all relying on implicit trust of the previous step.  Short of pressing the silicone yourself there is no truly secure, and even then there are processor bugs that can be exploited . . .

TheReplacement's picture

Did you also compile make?  Did you compile the OS you are using to compile the new OS?  Did you compile the various firmwares (as this entire article is about a firmware vector)?

YOU cannot win this battle, period.

Liberal's picture

As a staunch liberal, I am absolutely astounded by this report that more Americans watched the SNL 40 special than the NBA All Star game. We are truly a racist country. Something must be done!

Gaius Frakkin' Baltar's picture

The best thing is for everyone to do something a little different.

Element's picture

Even as the consumer electronics forward rush relatively slows, you can bet Moore's Law effects will be quietly ripping FORWARDs unseen by civilians. We will find out how far along it is one day via shock discovery, but the tech will remain hidden for as long as it can be hidden.

ejmoosa's picture

But you do get to pay for it....

ILLILLILLI's picture

"But the more you pay, the more it's worth..."

 

h/t Done McLean

glenlloyd's picture

These are definitely more than a little complex. I would have thought that a BIOS rewrite or drive firmware would be really tough via remote access but who knows now. Used to have to boot to external OS to apply a BIOS upgrade. I see the registry mod as a lot more likely since that's accessible with the machine up.

 

Ying-Yang's picture

American as Mom, baseball and apple pie.

How does this revelation make the average American safer?

The entity who did this should be given the cyber purple heart or sentenced for treason?

Guess the percentage of divided Americans and win a cupie doll.

Scarlett's picture

They should be hanged---in the middle of the superbowl

TheReplacement's picture

Modern computers can upgrade almost all firmwares from the OS (usually a reboot is required - you have Windows Updates turned on automatic right?).  My 2 year old monitor can be firmwared via the video cable from Windows.

 

HenryHall's picture

>> Which means you can pretty well guarantee it's in the BIOS, too.  Why would you stop at hard drive firmware when you could do the whole shootin' match?

 

Actually not. There is Chinese controlled BIOS - in the accepted meaning of CPU BIOS even with modern innovations. However, it may well be in the I-O chips firmware. So-called Northbridge chips and the like.

El Crusty's picture

BIOS is the holy grail so to speak but it's also relatively easy for a technically savvy end user to erase and reprogram the BIOS with uncompromised firmware.

The part about the hard drive firmware that is particularly worrisome is it's nearly impossible for the end user to "clean" the compromised firmware off of the hard drive circuit board. If it's the firmware that's compromised in a hard disk, the only option you realistically have is to physically destroy the drive and replace it with a hopefully "clean" hard disc.

If someone were highly concerned about their hard drive firmware being compromised and they still needed secure communication, they should remove the hard drive completely and run Linux Debian from a CD/DVD; it's an operating system on a disc. No hard drive, no possibility of your computer being compromised, as every time you turn it off any malicious code that made its way onto your computer instantly ceases to exist.

If someone was even more paranoid than that, the next step would be to pop the BIOS chip(s) out of the suspect computer and use a dedicated chip burner to re-flash the BIOS before each use.

Obviously that would not be practical for most people, but if you were in possession of info that would endanger your life if you were found, it's the only way to be really secure.


SHRAGS's picture

McMolotv  Tails = TOR= NSA Inside

TOR is a US government creation. see https://newworldorderg20.wordpress.com/2015/01/03/nsa-claims-tor-is-a-se...

TOR, and any system utilising TOR is straight-to-NSA malware baked in. 

Compilers are also a logical target (see projects that attempt double compilation binaries); see Reflections on Trusting Trust, Ken Thompson (1984), and weep. http://cm.bell-labs.com/who/ken/trust.html

 

There are few to zero ways to escape the embedded SpyNet Inside.  Back to paper, typewriters and white noise generators.

Zero Point's picture

Computers are becoming more and more disposable. Just treat them like mobile phones. Keep a burner, and be sure and BURN it.

Ying-Yang's picture

A backdoor WORM!!!!!!!!!!

Called FANNY?

For real.... dude

Tall Tom's picture

I will tear them apart for the Gold and Precious Metals.

 

The Hard Drive platters go directly into the Hydrochloric Acid so that I am left with the Platinum Bearing Foils. They will not be readable when I am done.

 

I also destroy Cell Phones for the PMs.

 

There is nothing like the odor of HCl and HNO3 in the morning.

 

I enjoy destroying the NSA Espionage Tracking Devices.

 

It is therapeutic...And it is a twofer. I get the satisfaction and the PMs.

 

All the while I am muttering "Fuck you NSA" while I am doing it.

 

Send them to me. You have my address.

 

12223B Woodside Avenue

Lakeside, CA 92040

 

We can go and hunt Cougars...

TheReplacement's picture

Hi.  My name is Bob.  I work for XYZ corp where we make motherboards.  My job is design.  I insert NSA chips into each new motherboard design so they come with NSA software out of the box.  My real paycheck comes from Langley.

Face it, all the major tech companies are likely to be a melting pot of international spy agencies as everyone races to get designs and/or induce their tools into products.  Who would really be surprised to see a lab with Americans working next to Russians next to Chinese next to Indians, next to Koreans next to Japanese next to Germans...

Doubt it?  Try MIT or NASA for starters.

Borrow Owl's picture

@NidStyles:

Jeebus fucking quadruple double "D" gravity challenged titties!

Is there no situation whatsoever where you pathetically ignorant, inbred, dimwitted- albeit well-trained and obedient- .gov useful idiots do not view as an opportunity to disseminate your statist NAZI propaganda?

 

zen0's picture

The knee jerk Nazi calling is juvenile. There is no reason to believe that Israelis would not develop such a thing at the request of the US. It is a legitimate speculation. All your bluster is for naught.

Borrow Owl's picture

Ahhh... one of the aforementioned 'useful idiots' I presume?

Or maybe not.

You, at least, concede the possibility that the Israeli government is perhaps acting under the direction and/or coercion of the USA PTB, which is directly opposed to the ideas put forth via the constant flood of propaganda (here and elsewhere) which is aimed towards the goal of infecting the ignorant masses with the idea that Judaism is the root of all evil on this batshit insane ball of rock.


El Crusty's picture

You seem to forget the well known fact that the Israelis worked directly with the NSA on Stuxnet and a few of the other zero day exploits that have come to light in the last couple years.

Thirst Mutilator's picture

@BO    The "Censor the Internet" thing is on another thread. Perhaps you need to go over there and help ZH weed out & eliminate the bad people, thereby bringing truth to us all. For the record, I personally believe that this caper has 'The Trekkies' fingerprints all over it!

Borrow Owl's picture

Ahhh.... the stupid. It fucking burns.

Thirty thousand feet over your head.