Dan Goodin of Ars Technica writes about a newly-discovered hacking platform recently revealed by Kaspersky.
They are labeling the operators 'Equation Group', and multiple zero-day exploits in the malware kit appear to be related to those used by Stuxnet to attack Iran's Natanz nuclear facility in 2010. It is by far the most advanced malware ever discovered, going so far as to flash malicious firmware onto the hard disks of no fewer than 12 vendors. Much of the malware was distributed through the usual channels, such as Java vulnerabilities or ad networks, but it was even found on CDs mailed to attendees of a 2009 conference in Houston; the discs were intercepted in transit and modified to deliver the malicious payload.
The sophistication of the operations and of the malware itself leaves little doubt that Equation Group is a state-sponsored organization. The scariest part might be that the operation is over 14 years old and, unfortunately, much of the malware has yet to be reverse-engineered. Kaspersky has been reaching out to white hats for further assistance in determining the nature and capabilities of the software.
Related Stories
Three stories have been received which describe Kaspersky's malware analysis and its findings. Perhaps of equal interest is that all three reports suggest the malware may be linked to the NSA. One also notes that CDs sent through the USPS (United States Postal Service) seem to have been intercepted and replaced with modified CDs. I'll let you draw your own conclusions and I look forward to the ensuing discussion.
The Newly-Discovered "Equation Group" Deemed World's Top Hackers
Kaspersky declined to publicly name the country behind the spying campaign, but Wired points out some possible NSA connections:
Although the researchers have no solid evidence that the NSA is behind the tools and decline to make any attribution to that effect, there is circumstantial evidence that points to this conclusion. A keyword—GROK—found in a keylogger component appears in an NSA spy tool catalog leaked to journalists in 2013. The 53-page document details—with pictures, diagrams and secret codenames—an array of complex devices and capabilities available to intelligence operatives. The capabilities of several tools in the catalog identified by the codenames UNITEDRAKE, STRAITBAZZARE, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don’t appear in the components from the Equation Group, but Kaspersky did find “UR” in EquationDrug, suggesting a possible connection to UNITEDRAKE (United Rake). Kaspersky also found other codenames in the components that aren’t in the NSA catalog but share the same naming conventions—they include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER.
(Score: 5, Interesting) by Justin Case on Tuesday February 17 2015, @12:06PM
I'm afraid we're rapidly reaching (past?) the point where the default assumption has to be: if you work for the government, you're a criminal.
(Score: 5, Insightful) by goody on Tuesday February 17 2015, @01:57PM
It would be a foolish assumption. Of the tens of thousands of government employees of any particular country, just how many realistically could be involved in this sort of activity? 0.001%? It's a bit of a stretch to say if you work for the government you're a criminal. For every one of these so-called criminals there's undoubtedly a few thousand employees who perform mundane tasks like open mail and stamp forms all day or provide vital services that you depend on.
(Score: 5, Touché) by morgauxo on Tuesday February 17 2015, @02:40PM
"just how many realistically could be involved in this sort of activity"
I guess that depends on where you set the bar for 'involved'. Do you work in some sort of supporting role for a government which does this? Then to a degree (perhaps very small) you are involved. Actually.. do you even have to work for them? Do you pay taxes? Do you vote? If yes to either, then by some meaning of 'involved' you ARE involved!
Have a nice day you black hatted criminal!
(Score: 2, Insightful) by Anonymous Coward on Tuesday February 17 2015, @03:25PM
Do you read SoylentNews? Then you are generating traffic and thus income for internet providers who pay taxes. I leave the conclusion as an exercise to the reader.
(Score: 1, Redundant) by halcyon1234 on Tuesday February 17 2015, @06:39PM
Sorry, but I don't take orders from fucking filthy criminals like you... you SoylentNews reading shitstain.
Original Submission [thedailywtf.com]
(Score: 4, Insightful) by Thexalon on Tuesday February 17 2015, @04:24PM
I'd say, at minimum, to be involved in a crime you must:
1. Be aware that it is happening.
2. If you are obligated to report that it is happening, fail to do so (unless you are coerced into remaining silent e.g. by threats to your life or family).
3. If you are not obligated to report that it is happening, take some sort of action that supports the criminal undertaking (again, unless you are coerced into that action).
For example, I'd consider it extremely unlikely that the vast majority of people who work for the Department of Agriculture had anything to do with this crime, and thus should be held blameless for it. And those involved solely because they pay their taxes or vote are absolved either by not knowing about it (almost everybody) or being coerced into it because the IRS can take your stuff at gunpoint if you don't pay your taxes (everybody else).
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Funny) by DECbot on Tuesday February 17 2015, @06:37PM
I see where this is going....
I'd say, at minimum, to be involved in a crime you must:
1. Be aware that it is happening.
2. If you are obligated to report that it is happening, fail to do so (unless you are coerced into remaining silent e.g. by threats to your life or family).
3. If you are not obligated to report that it is happening, take some sort of action that supports the criminal undertaking (again, unless you are coerced into that action).
4. ???
5. Profit!
cats~$ sudo chown -R us /home/base
(Score: 3, Insightful) by Nobuddy on Tuesday February 17 2015, @07:29PM
Reporting the government's criminal activity is a crime.
(Score: 1) by art guerrilla on Wednesday February 18 2015, @01:23AM
"1. Be aware that it is happening."
uh oh, that has several bad, bad, bad results:
1. so, as long as the eee-vil is distributed enough so that each participant has only a teeny, tiny piece of (ambiguous?) eee-vil to do, then everything is jake ? ? ? no, i don't think so...
2. so, as long as the eee-vil is buried deep enough, covered up enough, or otherwise goes unnoticed, then we are cool ? ? ? no, i don't think so...
also, i guess it is hardly unexpected, but the original poster who made the flippant and hyperbolic comment OBVIOUSLY not meant to be taken TECHNICALLY seriously, has spawned a bunch of 'but what about a file clerk sorting form 12Q-stroke-Z-dash-49's, are they eee-vil ? ? ?' well, i don't know, maybe form 12Q-stroke-Z-dash-49 is the form which gets you on the extra-judicial ASSASSINATION list, but they don't know that... are they still 'doing eee-vil' ? ? ? (see above)
i think the larger point they were making (AND i feel is getting to the point of validity), is EVERYONE working in the gummint becomes guilty by association of furthering a vast kriminal enterprise (AKA Empire)... i mean, people who are nobodies in real organized crime/mafia scenarios are 'just as guilty' as those who do the actual hits, isn't that how the 'law' treats them ? ? ? why shouldn't ALL gummint employees be subject to that same line of thinking: they are KNOWINGLY associating with a vast kriminal konspiracy, so it doesn't matter if they are delivering coffee and donuts for them, they are 'just as guilty', richtig ? ? ?
(Score: 2) by Hairyfeet on Tuesday February 17 2015, @04:32PM
Uhhhh...not trying to Godwin but isn't that the same argument used by the Germans after the war?
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2) by goody on Tuesday February 17 2015, @05:22PM
Yea, and Hitler wore pants and so does the President, so the US government is full of Nazis.
(Score: 0) by Anonymous Coward on Tuesday February 17 2015, @06:34PM
Only if the pants are brown.
(Score: 2) by halcyon1234 on Tuesday February 17 2015, @06:40PM
Well then, maybe you shouldn't be so uptight about electing a woman president.
Original Submission [thedailywtf.com]
(Score: 0) by Anonymous Coward on Tuesday February 17 2015, @11:19PM
One wonders of whom you might be thinking.
Perhaps yet another warmonger with no real new ideas.
Hillary-orange-pant-suit [gopthedailydose.com]
You folks had a chance to vote for a great woman back in 2012. [wikipedia.org]
A physician who, when she debated Mitt Romney in 2002, beat the pants off of him. [google.com]
...a gal with with actual new ideas. [wikipedia.org]
Jill Stein, Green Party [abetterworld.tv]
Jill Stein, Green Party [somd.com]
Similar deal for 2008. [wikipedia.org]
Cynthia McKinney, Green Party [reopen911.info]
Cynthia McKinney, Green Party [wordpress.com]
-- gewg_
(Score: 2) by Hairyfeet on Tuesday February 17 2015, @08:46PM
You can try to hand wave it away but try reading it again...
"Of the tens of thousands of government employees of any particular country, just how many realistically could be involved in this sort of activity? 0.001%? It's a bit of a stretch to say if you work for the government you're a criminal. For every one of these so-called criminals there's undoubtedly a few thousand employees who perform mundane tasks like open mail and stamp forms all day"
Now are you REALLY gonna try to sit here and argue that isn't ringing ANY bells?
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2) by goody on Wednesday February 18 2015, @12:16AM
I'm arguing that it's rather inane to claim anyone who works for the government is a criminal, regardless of whatever far-reaching connections you're attempting to make. If you think you can prove that it's reasonable to assume everyone working for the government is a criminal like the OP, have at it.
(Score: 1, Insightful) by Anonymous Coward on Tuesday February 17 2015, @05:29PM
Turn this around: let's say that you're just opening mail and stamping forms for a criminal organization, or you're just the driver for the big honcho...
Will the powers that be consider you as 'involved'? Will they file charges against you?
I am all for reciprocal diplomacy: if you will fuck me over in this way, I too can fuck you over in the same way.
(Score: 2, Interesting) by Stuntbutt on Tuesday February 17 2015, @03:02PM
" I don't trust my government, I don't trust the people who work for my government, and I believe that the evidence suggests that it's irrational to offer such trust."
https://www.popehat.com/2013/08/20/faced-with-the-security-state-groklaw-opts-out/ [popehat.com]
(Score: 3, Insightful) by bradley13 on Tuesday February 17 2015, @05:16PM
Too many people think of government as some sort of independent, objective entity. It isn't. Government is comprised of people, and most people are out for themselves. Perhaps the majority just want to do a halfway decent job and go home at the end of the day. Some small minority is corrupt; those people will abuse government power for their own ends.
In a nutshell: government should not be trusted any more than any other large organization. Indeed, because government has so much power, and hence offers more opportunity for abuse and corruption, we should really trust it less than other organizations.
Everyone is somebody else's weirdo.
(Score: 1) by t-3 on Tuesday February 17 2015, @06:49PM
Have you ever worked a job with easy access to other people's money or things? If you have, you should know that the majority are corrupt and to expect otherwise is idiotic and infantile idealism. Capitalism breeds corruption by making inequality an essential part of life.
(Score: 2) by hoochiecoochieman on Tuesday February 17 2015, @06:17PM
How is this piece of shit modded +5 Insightful? Was Soylent News invaded by 10 year old Republicans?
(Score: 3, Funny) by Anonymous Coward on Tuesday February 17 2015, @12:26PM
Did they do this to the 1541 firmware of the C64 era?
Cause all my secrets are on floppies.
(Score: 2) by WizardFusion on Tuesday February 17 2015, @12:29PM
I might still have one of those somewhere
(Score: 2) by FatPhil on Tuesday February 17 2015, @01:14PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Tuesday February 17 2015, @02:47PM
Dude. 77 x 26 x 128 = 250K, not 72K.
(Score: 0) by Anonymous Coward on Wednesday February 18 2015, @12:05AM
The abbreviation for 1000 (kilo) is a lowercase k.
International System of Units#Prefixes [wikipedia.org]
-- gewg_
(Score: 0) by Anonymous Coward on Wednesday February 18 2015, @11:12AM
However, 77 × 26 × 128 = 256256 = 250.25 × 1024 = 256.256 × 1000. Since rounding 250.25 gives 250, while rounding 256.256 gives 256, clearly the prefix "K" was not meant to denote 1000 but 1024. And using a lowercase k for 1024 is wrong.
(Score: 3, Touché) by DNied on Tuesday February 17 2015, @02:05PM
You mean secrets? I doubt it.
(Score: 2) by The Archon V2.0 on Tuesday February 17 2015, @10:17PM
There's an MSD SD-2 in my apartment right now. DUAL 5 1/4 floppies, biznitch.
(Score: 5, Informative) by c0lo on Tuesday February 17 2015, @12:37PM
Original Kaspersky Lab report (PDF - 44 pages) [securelist.com]
ZDNET [zdnet.com]: "On Monday at the Kaspersky Labs Security Analyst Summit, the firm unveiled research concerning the existence of a cyberattack team dubbed The Equation Group. The group, which Kaspersky Lab Global Research and Analysis Team (GReAT) members dub the "ancestor" of Stuxnet and Flame operators, has been in operation dating back to 2001 and possibly as early as 1996."
Wired [wired.com]: "The new platforms, which appear to have been developed in succession with each one surpassing the previous in sophistication, can give the attackers complete and persistent control of infected systems for years, allowing them to siphon data and monitor activities while using complex encryption schemes and other sophisticated methods to avoid detection. The platforms also include an innovative module, the likes of which Kaspersky has never seen before, that re-flashes or reprograms a hard drive’s firmware with malicious code to turn the computer into a slave of the attackers."
Business insider citing Reuters [businessinsider.com]: "SAN FRANCISCO (Reuters) – The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives."
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Funny) by Nerdfest on Tuesday February 17 2015, @02:09PM
A coincidence, I'm sure.
(Score: 5, Interesting) by Nerdfest on Tuesday February 17 2015, @03:08PM
I'd like to see the hard drive manufacturers release an open source tool that will allow one to flash, view, and compare firmware on their devices. First one to do this gets my business. I'm guessing non-US governments would be big fans as well.
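The "compare" half of that tool, as an added example (not code from the original post, nor from any drive vendor): it assumes you already hold two raw dumps as byte strings, a known-good image and a read-back from the device, and works out the SHA-256 of each plus the exact byte ranges that changed, treating a length mismatch as a changed tail. The two images below are constructed for the demonstration.

```python
"""Compare two dumped firmware images and report where they differ.

Added example, not code from the original post or from any drive vendor.
It assumes two raw dumps are already available as bytes (a trusted
baseline and a read-back); the sample images below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DiffRegion:
    offset: int   # byte offset of the first differing byte
    length: int   # number of contiguous differing bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(baseline: bytes, observed: bytes) -> List[DiffRegion]:
    """Return the contiguous ranges where observed differs from baseline.

    If the images differ in length, the extra or missing tail is reported
    as a region too: appended or truncated bytes are as suspicious as
    modified ones.
    """
    regions: List[DiffRegion] = []
    n = max(len(baseline), len(observed))
    start = None
    for i in range(n):
        a = baseline[i] if i < len(baseline) else None
        b = observed[i] if i < len(observed) else None
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            regions.append(DiffRegion(start, i - start))
            start = None
    if start is not None:
        regions.append(DiffRegion(start, n - start))
    return regions


def compare_images(baseline: bytes, observed: bytes) -> dict:
    """Summarise the comparison: hashes, verdict and the changed regions."""
    regions = diff_regions(baseline, observed)
    return {
        "baseline_sha256": sha256_hex(baseline),
        "observed_sha256": sha256_hex(observed),
        "identical": not regions,
        "changed_bytes": sum(r.length for r in regions),
        "regions": regions,
    }


def format_report(result: dict) -> str:
    """Human-readable version of compare_images() output."""
    lines = [
        f"baseline sha256: {result['baseline_sha256']}",
        f"observed sha256: {result['observed_sha256']}",
    ]
    if result["identical"]:
        lines.append("images are identical")
    else:
        lines.append(f"{result['changed_bytes']} byte(s) differ in "
                     f"{len(result['regions'])} region(s):")
        for r in result["regions"]:
            last = r.offset + r.length - 1
            lines.append(f"  0x{r.offset:08x}..0x{last:08x} ({r.length} bytes)")
    return "\n".join(lines)


# Constructed sample: a 4 KiB "vendor image", and a copy with a 4-byte
# patch at 0x400 and 8 bytes appended at the end.
VENDOR_IMAGE = bytes(range(256)) * 16
_patched = bytearray(VENDOR_IMAGE)
_patched[0x400:0x404] = b"\xeb\xfe\x90\x90"
_patched += b"\x00" * 8
PATCHED_IMAGE = bytes(_patched)

if __name__ == "__main__":
    print(format_report(compare_images(VENDOR_IMAGE, PATCHED_IMAGE)))
```

Two caveats belong next to a tool like this. The diff is only as good as the baseline, so the known-good image has to come from somewhere you trust (a signed vendor release, or a dump taken before the drive was deployed). And a read-back obtained through the drive's own controller is produced by the very firmware under suspicion, so for a drive you do not trust, dump the flash chip over an independent path rather than asking the controller what it is running.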
(Score: 4, Insightful) by halcyon1234 on Tuesday February 17 2015, @06:43PM
Plus an external, physical switch that airgaps the mechanism that writes the firmware.
Original Submission [thedailywtf.com]
(Score: 4, Interesting) by Kilo110 on Tuesday February 17 2015, @12:51PM
I got the same feeling while reading this as when I originally read the snowden leaks. It's not a good feeling.
How does one even guard against this kind of stuff? I imagine stopping use of Windows is a good first step. But what then?
(Score: 5, Informative) by pkrasimirov on Tuesday February 17 2015, @12:58PM
And then you get hit by Intel AMT [wikipedia.org]. Linux won't help on that.
(Score: 3, Informative) by Anonymous Coward on Tuesday February 17 2015, @01:06PM
Also, if your hard drive is infected (and possibly already was before you got it), it will get control before you even decide what operating system to run. It can deliver arbitrary code to be run before the actual boot code. For example a blue pill. [wikipedia.org]
(Score: 2) by c0lo on Tuesday February 17 2015, @12:59PM
Elementary, my dear Watson, use either:
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Tuesday February 17 2015, @04:56PM
You'll need to develop an HDD firewall.
(Score: 3, Interesting) by epitaxial on Tuesday February 17 2015, @02:56PM
If you're that scared then try running non x86 hardware. Use an old UltraSparc with OpenBSD or an IBM Power desktop or Itanium running OpenVMS. At that point they'd have to write software unique to your configuration. Or go back to Smith Corona like the Russians.
(Score: 2) by Freeman on Tuesday February 17 2015, @05:28PM
Use one computer on the Internet. Keep another computer off the Network. Air Gap = Somewhat More Secure. At the least they don't have 24/7 access to your "secure" stuff. You can keep your computer up-to-date with Anti-Virus Updates and other Updates by Burning the Files to CD/DVD/Blu-Ray Disc. Sure, there could be "Ways" to get something off the computer that isn't connected to the Network, but most of those would require you to be a Specific Target. You're probably screwed no matter what, if you are a specific target and you have no idea they are coming.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 5, Insightful) by Anonymous Coward on Tuesday February 17 2015, @12:55PM
The most worrying aspect of this is: I'm not even surprised.
(Score: 2, Insightful) by Anonymous Coward on Tuesday February 17 2015, @01:10PM
why would anyone in their right mind do such a thing? what kind of person do you have to be, to actually implement such a program...
and think that it's a good thing?! gawd, it makes me sooo maaaad.
In case it wasn't clear - the american leadership is made out of the same shit the soviet leadership was made of.
Bunch of stupid, unwilling to learn, devious alcoholized meatballs that only know and want to play power games... the permanently scared fascists.
In my opinion, its a cultural thing.
From my experience, pretty much everyone dislikes the managers and rich.
For we all know that they got to their positions by being obnoxious BASTARDS, by screwing the meek and general unethical behaviour.
So why do you, as a society, glorify the most unethical of the social groups and then act all surprised, when they fuck everybody else over, for some illusory advantage on a battlefield that exists largely in their heads?!
Noo, you give them all opportunities to live and reproduce. And this is the consequence of allowing fucked up extremist ideology (manifest destiny) to colonize the discourse in upper echelons of the civilian society.
Other people, aren't really people to them. For if they were, they wouldn't be doing this.
(Score: 2) by Kilo110 on Tuesday February 17 2015, @01:15PM
"why would anyone in their right mind do such a thing? what kind of person do you have to be, to actually implement such a program..."
Those too short sighted to see the abuse potential and/or too overconfident in their own abilities to "control it"
Both will be proven wrong in time, but by then it'll be too late. I take solace that I'll likely be dead by the time the worst of it happens.
(Score: 2) by kaszz on Tuesday February 17 2015, @02:35PM
Coincides sharply with the 2001 September 11 events. Kind of leaves a trail..
Seems the answer is to isolate the processing unit from storage units and other units that may mess around through non-firewalled channels. Any more explicit ideas?
(Score: 3, Touché) by CoolHand on Tuesday February 17 2015, @02:43PM
...so you're saying it's Al-Qaeda, right? right? :)
Anyone who is capable of getting themselves made President should on no account be allowed to do the job-Douglas Adams
(Score: 2) by Freeman on Tuesday February 17 2015, @05:33PM
No, he's saying it's the Government. 'cause you know they were the ones who actually blew up the Pentagon, etc... /SARCASM
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 5, Insightful) by francois.barbier on Tuesday February 17 2015, @04:17PM
... that we know about!!!
(Score: 0) by Anonymous Coward on Tuesday February 17 2015, @06:37PM
If we don't know about it, it obviously wasn't uncovered.
(Score: 2) by halcyon1234 on Tuesday February 17 2015, @06:44PM
At least SOME people still get to have secrets.
Original Submission [thedailywtf.com]
(Score: 3) by hash14 on Tuesday February 17 2015, @11:08PM
Isn't that what 'ever Uncovered' implies? Barring of course, for example, a pedantic case where an operation was uncovered and then the uncoverer(s) conveniently disappear before the cat gets out of the bag....
(Score: 1, Informative) by Anonymous Coward on Tuesday February 17 2015, @05:03PM
Looking at the name of the file, it looks like it might be SD cards, PXE and compact flash.
(Score: 0) by Anonymous Coward on Tuesday February 17 2015, @08:51PM
Seems to be happening more often of late. http://i.imgur.com/pzTl0j1.png [imgur.com]
(Score: 0) by Anonymous Coward on Tuesday February 17 2015, @10:06PM
That seems to be because the site is loading http://stats.soylentnews.org/piwik/piwik.php?idsite=1 [soylentnews.org] from a non-https URL. Assuming the soylentnews.org HTTPS private key hasn't been leaked, that soylentnews.org isn't using a vulnerable TLS implementation, and RSA hasn't been cracked, your HTTPS connection is still secure. Only that single-pixel image is loaded insecurely - so an MITM attacker could, for example, replace it with goatse and get your HTTP cookies (but not cookies restricted to HTTPS).
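The two checks in that comment, as an added example (not code from the comment above): which sub-resources of an HTTPS page are fetched over plain http://, and which of the site's cookies a browser would attach to such a plaintext request. Only the Secure attribute keeps a cookie off the wire; HttpOnly does not, and a host-only cookie (no Domain attribute) is not sent to a different subdomain at all. The hostnames, HTML and Set-Cookie headers are constructed for the example, and cookie Path matching is deliberately ignored.

```python
"""Mixed-content and cookie-exposure check for an HTTPS page.

Added example, not from the original comment. Finds sub-resources an
HTTPS page loads over plain HTTP and works out which cookies a browser
would attach to that plaintext request (Secure and Domain/host-only
rules; Path matching is ignored). All sample data is constructed.
"""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from typing import Dict, List
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes a browser fetch a sub-resource automatically.
_FETCH_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "link": "href",
    "audio": "src", "video": "src", "source": "src",
}


class _SubresourceCollector(HTMLParser):
    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        attr = _FETCH_ATTRS.get(tag.lower())
        if attr is None:
            return
        for name, value in attrs:
            if name.lower() == attr and value:
                self.urls.append(urljoin(self.base_url, value.strip()))


def find_mixed_content(page_url: str, html: str) -> List[str]:
    """Return sub-resource URLs that an HTTPS page loads over plain http://."""
    if urlparse(page_url).scheme != "https":
        return []   # only an HTTPS page can have mixed content
    parser = _SubresourceCollector(page_url)
    parser.feed(html)
    return [u for u in parser.urls if urlparse(u).scheme == "http"]


def cookies_attached(set_cookie_headers: List[str], setting_host: str,
                     request_url: str) -> Dict[str, bool]:
    """Map cookie name -> whether a browser would send it to request_url.

    A cookie is withheld from a plaintext request if it has the Secure
    attribute, and withheld from any request whose host does not match:
    with a Domain attribute the host must equal it or be a subdomain;
    without one the cookie is host-only and goes back to setting_host only.
    """
    req = urlparse(request_url)
    req_host = (req.hostname or "").lower()
    plaintext = req.scheme == "http"
    result: Dict[str, bool] = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = morsel["domain"].lstrip(".").lower()
            if domain:
                host_ok = req_host == domain or req_host.endswith("." + domain)
            else:
                host_ok = req_host == setting_host.lower()   # host-only cookie
            secure_ok = not (plaintext and morsel["secure"])
            result[name] = bool(host_ok and secure_ok)
    return result


# Constructed sample data: an HTTPS page with one plain-HTTP tracking pixel,
# and three cookies the same site set earlier.
PAGE_URL = "https://example.test/article"
PAGE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<img src="http://stats.example.test/tracker.php?idsite=1" width="1" height="1">
<link rel="stylesheet" href="https://cdn.example.test/site.css">
</body></html>
"""
SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; Domain=.example.test; HttpOnly; Secure",
    "prefs=dark; Path=/; Domain=example.test",
    "login_hint=user; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for url in find_mixed_content(PAGE_URL, PAGE_HTML):
        print("mixed content:", url)
        for name, sent in cookies_attached(SET_COOKIE_HEADERS, "example.test", url).items():
            print(f"  cookie {name}: {'sent in the clear' if sent else 'not sent'}")
```

In the sample, only `prefs` reaches the tracker in the clear: `session` is Secure, and `login_hint` is host-only for example.test, so the stats subdomain never sees it regardless of scheme. Current browsers block or auto-upgrade passive mixed content like this image, but the cookie rule is unchanged: only Secure keeps a cookie off a plaintext request.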
(Score: 0) by Anonymous Coward on Tuesday February 17 2015, @09:07PM
http://hackaday.com/2013/08/02/sprite_tm-ohm2013-talk-hacking-hard-drive-controller-chips/ [hackaday.com]