
Has the US planted spyware on your hard drive?

NSA linked to sophisticated spyware hidden in the firmware of hard disks from major manufacturers

The US intelligence services have been indirectly accused of hiding spyware in the firmware of hard disk drives, potentially allowing them to eavesdrop on communications made using infected PCs. The discovery was made by the Russian security company Kaspersky, which found the spyware hidden in hard disks manufactured by Western Digital, Seagate, Toshiba, Samsung and others.

Kaspersky’s report says it has found hard drives infected with the spyware in more than 30 countries, including Iran, Afghanistan, China, Russia and the UK, with the highest infection rates in countries likely to attract the interest of the US intelligence services.

The security firm doesn’t directly accuse the US of planting the spyware, but says that it is closely linked to the Stuxnet malware, which was used by the US National Security Agency (NSA) to attack Iran’s uranium enrichment facilities. 

Kaspersky’s report says the organisation behind the spyware, which it dubs the Equation Group, “is probably one of the most sophisticated cyber attack groups in the world”.  

“Although the implementation of their malware systems is incredibly complex, surpassing even Regin in sophistication, there is one aspect of the Equation group’s attack technologies that exceeds anything we have ever seen before. This is the ability to infect the hard drive firmware,” Kaspersky states. 

Kaspersky lists some of the sophisticated characteristics of the spyware, including “extreme persistence that survives disk formatting and operating system reinstall” and “an invisible, persistent storage hidden inside the hard drive”. It says the malware is capable of reprogramming selected types of hard disk manufactured by Seagate, Western Digital, Samsung, Toshiba and others, although there is no suggestion that the manufacturers themselves have been complicit in the installation of the spyware.

Kaspersky says it has observed more than 500 infections worldwide, but adds that may just be the tip of the iceberg. “A lot of infections have been observed on servers, often domain controllers, data warehouses, website hosting and other types of servers,” Kaspersky reports. “At the same time, the infections have a self-destruct mechanism, so we can assume there were probably tens of thousands of infections around the world throughout the history of the Equation group’s operations.”

The NSA has declined to comment on the allegations. 

In 2012, Wired published an article accusing Eugene Kaspersky, the owner of the security firm, of having close ties to the Russian government and security services. Kaspersky published a blog post denying the accusations, pointing out that the company was established in the UK and that the firm’s “affairs there have nothing to do with the Kremlin”.
