The U.S. intelligence community has found ways to avoid even the strongest of security measures and practices, a new report from Moscow-based Kaspersky Lab suggests, demonstrating a range of technological accomplishments that place the nation's hackers among the most sophisticated and well-resourced in the world.
Hackers who are part of what the cybersecurity researchers call "Equation Group" have been operating under the radar for at least 14 years, deploying a range of malware that could infect hard drives in a way almost impossible to remove and could hide code in USB storage devices to infiltrate networks kept separate from the Internet for security purposes.
Kaspersky's report did not say the U.S. government was behind the group. But it did say the group was closely linked to Stuxnet -- malware widely reported to have been developed by the National Security Agency and Israel that was used in an attack against Iran's uranium enrichment program -- along with other bits of data that appear to align with previous disclosures. Reuters further linked the NSA to the Kaspersky report, citing anonymous former employees of the agency who confirmed Kaspersky's analysis.
NSA spokesperson Vanee Vines said in a statement that the agency was aware of the report, but would not comment publicly on any allegations it raises.
The Kaspersky report shows a highly sophisticated adversary that has found ways to worm itself into computers with even the strongest of security measures in place. This matches up with what we know about other NSA efforts from documents leaked by former NSA contractor Edward Snowden, which showed efforts to undermine encryption and evade the protections major tech companies used to guard user data.
But the new report paints a more detailed picture of the breadth of the agency's reported offensive cyber arsenal. And unlike other recent revelations about U.S. government snooping, which have largely come from Snowden, the insights from Kaspersky came from examining attacks found in the digital wild. Victims were observed in more than 30 countries, with Iran, Russia, Pakistan and Afghanistan having among the highest infection rates, according to the report.
One of the most sophisticated attacks launched by the Equation Group lodged malware deep into hard drives, according to Kaspersky. It worked by reprogramming the proprietary code, called firmware, built into the hard drives themselves. That allowed for persistent storage hidden inside a target system that could survive the hard drive being reformatted or an operating system being reinstalled, the report says.
The code uncovered by Kaspersky suggests the malware was designed to work on disk drives of more than a dozen major manufacturers -- including those from Seagate, Western Digital, Toshiba, IBM and Samsung. But the report also notes that this particular technique seemed to be rarely deployed, suggesting that it was used only on the most valuable victims or in unusual circumstances.
The Kaspersky report also said the group found ways to hide malicious files within a Windows operating system database on targets' computers known as the registry -- encrypting and stashing the files so that they would be impossible to detect using antivirus software.
Equation Group also found ways to infiltrate systems that were kept off the Internet for security purposes -- commonly known as "air-gapped" networks. Malware used by the hackers relied on infected USB sticks to map out such networks -- or even remotely deploy code on them, according to the report.
The program would create hidden areas on an infected USB stick. If that stick was then connected to a computer that lacked Internet access, it would scoop up data about the system and save it in that hidden area. If reconnected to a computer with Internet access, it would send that information off to its controllers. Attackers could also run commands on air-gapped networks by saving code to the hidden part of the drive that would run when it was connected to a network without Internet access.
Other malware thought to be developed by the U.S. government, including Stuxnet and Flame, used similar measures to bridge air gaps -- and previous reports detail even more ways the spy agency has circumvented security measures and practices.
A 2013 story from the Guardian, ProPublica and the New York Times reported that the NSA had worked secretly to break many types of encryption, successfully exploiting the technology used to protect the privacy of online communications and working with tech companies to introduce weaknesses into commercial products that consumers thought to be secure.
Snowden documents reported on by The Washington Post the same year showed the spy agency broke into the links connecting Yahoo and Google data centers -- bypassing security measures and potentially allowing the NSA to collect at will from hundreds of millions of users.