A powerful cyberspying tool can tap into millions of computers worldwide through secretly installed malware, security researchers say, with many signs pointing to a US-led effort.
A report released Monday by the Russia security firm Kaspersky Lab did not identify the source of the campaign but said it had similarities to Stuxnet, a cyberweapon widely believed to have been developed by the United States and Israel to thwart Iran’s nuclear program.
Kaspersky said the campaign “surpasses anything known in complexity and sophistication” in terms of cyber spying, and had been used at least as far back as 2001 by a team dubbed “the Equation group.”
“The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen,” the report said.
The spying relied on a computer worm Kaspersky dubbed “Fanny,” often infecting a computer via a USB stick, and carried out at least two “exploits” to steal information from computers in the Middle East and Asia, the report said.
The evidence shows Equation and Stuxnet developers “are either the same or working closely together,” the researchers said.
No comment: NSA
The US National Security Agency, which has led a vast global surveillance effort as part of its anti-terror mission, declined to comment on any involvement in the program.
“We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details,” NSA spokeswoman Vanee Vines said in an email to AFP.
Sean Sullivan at the Finnish security firm F-Secure said the Kaspersky report appears to point to an NSA division known as ANT, the subject of a 2013 report about backdoors in technology products.
‘Kaspersky’s research paper refers to a threat actor called the ‘Equation group’ whose country of origin is not named, but the group has exactly the capabilities detailed by the NSA’s ANT catalog,” Sullivan said in a blog post Tuesday.
The campaign was able to infect “about 2,000 users per month” with victims in at least 30 countries, the report said. The most infections were found in Iran, Russia, Pakistan and Afghanistan.
Other countries where infections were found included Syria, Kazakhstan, Belgium, Somalia, Libya, France, Yemen, Britain, Switzerland, India and Brazil.
A unique element of this campaign was its ability to install malware in computer hard drives made by major manufacturers including Western Digital, Seagate, Samsung and Maxtor, according to the researchers.
The spyware was placed in “a set of hidden sectors (or data storage) of the hard drive,” which remain in place even after a disk is reformatted or an operating system reinstalled, Kaspersky said.
Kaspersky researcher Serge Malenkovich said by implanting malware into hard drive “firmware,” it becomes “invisible and almost indestructible.”
“This is one of the long-anticipated scary stories in computer security — an incurable virus that persists in computer hardware forever was considered an urban legend for decades,” he said in a blog post.
But because this scheme is complicated to execute, he noted that “even the Equation group itself probably only used it a few times.”
Kaspersky’s researchers said in a blog post that the malware was also inserted in CDs from a 2009 scientific conference, potentially exposing the computers of dozens of international scientists.
“It is not known when the Equation group began their ascent. Some of the earliest malware samples we have seen were compiled in 2002; however, their C&C (command and control) was registered in August 2001,” the researchers said.
“Other C&Cs used by the Equation group appear to have been registered as early as 1996, which could indicate this group has been active for almost two decades.”
US officials have not commented on Stuxnet, but researchers including those at Kaspersky have said the virus — believed to have been developed by the United States or Israel to contain threats from Iran — dates back at least to 2007.