'Breakthrough' NSA spyware shows deep grasp of makers' hard drives

An apparently U.S. computer espionage program has reportedly figured out how to implant spyware into hard drives. Here's what you should know about what's been described as a "breakthrough" computer snooping tactic.

'All-powerful' spyware on hard drives an unprecedented technique, experts say

The U.S. National Security Agency reportedly figured out how to conceal spyware in hard drives years ago, according to former operatives, who say a new Kaspersky Lab cybersecurity report analyzing the espionage operation is correct. (Jason Reed/Reuters)

What seems to be a U.S.-run computer espionage program has reportedly figured out how to employ a "breakthrough" snooping tactic — the implanting of spyware into hard drives — that could compromise most of the world's computers.

As a matter of policy, Kaspersky Lab, which publicized the discovery in a report on Monday, withheld the name of the country it suspects of being behind the operation.

But the Moscow-based anti-virus company said the country behind the implanted spyware was closely linked to Stuxnet, the computer worm deployed by the U.S. National Security Agency to disable Iran's nuclear-enrichment capabilities.

Former NSA operatives confirmed to Reuters that the analysis by Kaspersky, a highly reputable anti-virus firm, was correct. They said the NSA’s ability to secretly embed spyware into hard drives has long been prized by the surveillance agency.

While the scope of the operation isn't fully understood yet, Kaspersky's chief malware analyst and other cybersecurity experts helped explain what's contained in the report, how the spyware works and why the revelations may have caught so many by surprise.

How is this spyware unique?

Cybersecurity researchers have detected malware — foreign software that's intended to disable or take over a computer — on computer operating systems in the past.

Vitaly Kamluk, principal security researcher at Moscow-based Kaspersky Lab, says one of the only ways for any party to acquire the source code for a hard drive would be to steal it from the manufacturer. (YouTube)

But this presents a new level of sophistication that Kaspersky's principal security researcher Vitaly Kamluk calls "revolutionary."

"Until now, we've never seen malware get to the micro-code, the microsystem running the hard drive itself," Kamluk said from Singapore.

To implant spyware on hard drives would require the device's source code — the raw written backbone of software that users would never see — and perhaps product blueprints that "only manufacturers would have access to," Kamluk said, suggesting such proprietary information could only be obtained through limited means.

"You might have to steal it," he said.

Any errors in the implanted malware, he added, would "completely destroy" a hard drive, rendering a computer useless and unable to boot up.

How widespread is the malware?

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. (Kaspersky Lab/Reuters)

The Kaspersky Lab report code-named the perpetrator of the spyware "the Equation group," and said researchers have observed compromised hard drives in more than 30 countries, including Iran, Russia, Syria, Afghanistan, the U.S. and the U.K.

By its estimation, Kaspersky Lab says the program causes about 2,000 infections per month, with targets belonging to the telecom, aerospace, energy, military and nuclear research sectors, as well as governments and financial institutions, among others.

Kaspersky Lab counted about 500 known victims worldwide, but Kamluk estimates this may represent less than 10 per cent of computers with compromised "firmware."

Tom Keenan, a cybersecurity expert and fellow at the Canadian Defence and Foreign Affairs Institute, explains that malware hidden on firmware would be nearly impossible to detect. (CBC)

The espionage program appears to be fairly targeted, said Chris Parsons, an expert on state surveillance tools with the University of Toronto's Citizen Lab."This is what we can count," a Kaserpsky spokesperson said. "Because of [the] self-destroying function of the malware, the number [of victims] could be much higher."

"Realistically, that's a comparatively small number when you look at the global population of computers that are sold," Parsons said.

Canada was not identified as one of the nations that has been targeted by the tampered hard drives.

What is firmware?

Firmware is software that enables a computer to perform its basic functions, Parsons explained.

"It's essentially the operating code that runs the devices in your computer," he said. "Think of it as the base code that's used to run the hardware. Once the firmware is running ... all the pieces of your computer get activated and are able to function."

Kaspersky Lab released a timeline reporting how different "implants" or tools used by a group it calls "Equation" have been infecting victims' computers since 2001. Media reports have said that the Equation group is a veiled reference to the U.S. National Security Agency. (Kaspersky Lab)

A bluetooth module in a laptop, a smartphone, a hard drive, and a computer motherboard all contain firmware.

Firmware launches every time a computer is turned on, making it a coveted piece of PC real estate for hackers.

Tom Keenan, a Calgary cybersecurity expert and fellow with the Canadian Defence and Foreign Affairs Institute, said the "all-powerful" functions of firmware would make it a big game catch for cyberthieves.

"There's no anti-virus program, no software that can protect you from someone who's going to attack your firmware because all those programs have to talk to the firmware, and the firmware is doing what it pleases," Keenan said.

Command over firmware would effectively hand hackers the controls to a computer, allowing files to be stolen.

“You could even modify firmware on your computer so that every keystroke is captured and sent somewhere,” Keenan said.

Why is this considered a breakthrough?

For those in cybersecurity, the possibility of exploiting firmware on disk drives is a big deal because it would affect almost the entire computer market.

By the time you go to boot into Windows, it's already compromised, and this has been hidden for at least eight to 14 years- Chris Parsons, University of Toronto's Citizen Lab

Kaspersky's analysis suggests the spyware could work on popular hard drives manufactured by Western Digital, Seagate Technology, Toshiba, IBM, Micron Technology and Samsung.

"The value of getting in before everything else loads is you can influence what loads, how it loads, when it loads, and the value is much higher than if you waited until the operating system booted up," Parsons said.

That's because most anti-virus programs tend to be designed to take action following the loading of firmware. This particular program, however, would be "masked" in the firmware.

Which users might be affected by this?

Parsons points out that so far all the malware collected has been designed to work with Microsoft Windows.

One of the characteristics of this malware was to modify the sensor instructions to make the changes to the firmware "almost impossible to detect," Parsons explained.

"So by the time you go to boot into Windows, it's already compromised, and this has been hidden for at least eight to 14 years,” he said.

Some of the malware plugins, according to the Kaspersky report, were originally designed for use on Windows 95 computers, while others can target operating systems running Windows 7, which was released in 2009.

Non-Windows targets may also be vulnerable, however. The report mentions that victims in China who use Mac OS X computers may have been targeted.

What might the fallout be?

The NSA has not commented on the report, and top manufacturers of hard drives have so far declined to say whether they share source codes with government agencies. Western Digital said it never provided its source code with any government.

Parsons anticipates hackers will be emboldened by the report’s findings.

“By now knowing the kinds of attacks possible, you can be certain that other actors will now try to emulate and copy what we’ve seen here,” he said. “The risk of copycats is now much more likely.”


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?