Photographer: Simon Dawson/Bloomberg

Spying Campaign Bearing NSA's Hallmark Found Infecting Thousands of Computers

A sophisticated spying campaign infected tens of thousands of computers worldwide with surveillance software, some embedded in hard drives, according to a report from a cybersecurity company that points toward the U.S. National Security Agency.

The malware was found in 30 countries -- including Iran, Russia, China, Afghanistan and Pakistan -- and targeted governments and diplomatic institutions, military, Islamic activists and key industries such as telecommunications, aerospace, energy, financial institutions and oil and gas, Kaspersky Lab Inc., a Moscow-based cybersecurity company, said in a report released over the weekend.

The group’s ability to infect hard-drive firmware “exceeds anything we have ever seen before,” the company said. Kaspersky named the perpetrators the Equation Group.

Kaspersky didn’t explicitly identify the group as being affiliated with the NSA. However, given its sophistication and activities, the group must be backed by a government agency such as the NSA or the intelligence services of Britain, Russia or China, said Costin Raiu, director of Kaspersky’s global research and analysis team.

No Theft

“To achieve this level of sophistication you need a lot of resources and money,” Raiu said in a phone interview. “We are not seeing any kind of obvious financial theft associated with this operation so they have to be nation-state sponsored.”

The group also used malware that was later found to be part of the Stuxnet computer worm, used in 2010 to cripple Iran’s nuclear program and is widely believed to have been deployed by Israel and the NSA.

Vanee Vines, an NSA spokeswoman, declined to comment on the report or discuss any details about spying programs.

U.S. intelligence agencies use techniques identified in the report, such as implanting malware on hard-drive firmware, to go after a limited number of high-value targets judged to be a threat to national security, according to two U.S. officials who weren’t authorized to speak on the record.

Snowden Leak

The NSA intensified its communications surveillance programs after the Sept. 11, 2001, terrorist attacks on New York and Washington. Some details were disclosed in classified documents leaked by fugitive former contractor Edward Snowden, unleashing an international uproar. Congress has considered but failed to pass legislation to curb the NSA’s collection of bulk telephone calling and other electronic data.

The Equation Group is “one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen,” Kaspersky said.

The firm’s researchers found malware used to infect hard drives on two computers -- one in 2010 and another in 2013, Raiu said.

Kaspersky last observed the group attempt an attack at the end of 2014, which wasn’t successful, Raiu said. It’s possible the group has since changed its tactics to avoid detection, he said. “We’re only seeing a very small part of the big picture,” he said.

There are several other ways the group infects computers, including through CD-Roms, USB sticks and Web-based exploits, Kaspersky said in the report. The most sophisticated weapon in the group’s arsenal, however, is the ability to infect the hard drives. Kaspersky said the spy code was found in products made by Western Digital Technologies Inc., Samsung Electronics Co. and Seagate Technology Plc.

Seagate Encryption

Western Digital is reviewing the technical findings of the report and takes “such threats very seriously,” said a company spokesman, Steve Shattuck, in an e-mail.

“Prior to the report, we had no knowledge of the described cyber-espionage program,” he said. “The integrity of our products and the security of our customers’ data are of paramount importance to us. We are constantly evaluating how we can better protect the integrity of our drives and customer data.”

Clive Over, a spokesman for Seagate, said the company has no specific knowledge of any third-parties accessing its drives.

“Seagate is absolutely committed to ensuring the highest levels of security of the data belonging to our users,” Over said. “For over seven years Seagate has been shipping drives offering industry-leading levels of self encryption, while putting in place secure measures to prevent tampering or reverse engineering of its firmware and other technologies.”

Adam Yates, a spokesman for Samsung, didn’t respond to a request for comment on the report.

Tailored Access

Computer products also appeared to be intercepted while being shipped and implanted with malware, Kaspersky said. A little-known unit within the NSA known as Tailored Access Operations has covertly intercepted computers, routers and software being shipped in order to install spying tools allowing for the secret surveillance of targets, according to one document leaked by Snowden.

Kaspersky said the group behind the surveillance tools is “a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996.”

Facing a backlash over NSA spying, President Barack Obama in January 2014 announced some limits to surveillance programs, including restrictions on accessing phone records and using the intercepted communications of foreigners. Obama also issued Presidential Policy Directive 28, giving intelligence agencies one year to come up with additional changes.

Spying Limits

The Obama administration announced the additional changes last month, including that the National Security Council will have greater insight into the collection of foreign intelligence and intelligence agencies will purge material that isn’t relevant to national security after five years.

“As we have affirmed publicly many times, we continue to abide by the commitments” the president made in a speech and directive last year, Vines said in an e-mailed statement.

“The U.S. government calls on our intelligence agencies to protect the United States, its citizens and its allies from a wide array of serious threats -- including terrorist plots from al-Qaeda, ISIL and others; the proliferation of weapons of mass destruction; foreign aggression against ourselves and our allies; and international criminal organizations.”

Before it's here, it's on the Bloomberg Terminal.
LEARN MORE