
posted by janrinok on Tuesday February 17 2015, @06:37PM
from the lack-of-hard-evidence dept.

Three stories have been received which describe Kaspersky's malware analysis and their findings. Perhaps of equal interest is that all three reports suggest that the malware may be linked to the NSA. One also notes CDs sent through the USPS (United States Postal Service) seem to have been intercepted and replaced with modified CDs. I'll let you draw your own conclusions and I look forward to the ensuing discussion.

The Newly-Discovered "Equation Group" Deemed World's Top Hackers

Kaspersky declined to publicly name the country behind the spying campaign, but Wired points to some possible NSA connections:

Although the researchers have no solid evidence that the NSA is behind the tools and decline to make any attribution to that effect, there is circumstantial evidence that points to this conclusion. A keyword—GROK—found in a keylogger component appears in an NSA spy tool catalog leaked to journalists in 2013. The 53-page document details—with pictures, diagrams and secret codenames—an array of complex devices and capabilities available to intelligence operatives. The capabilities of several tools in the catalog identified by the codenames UNITEDRAKE, STRAITBAZZARE, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don’t appear in the components from the Equation Group, but Kaspersky did find “UR” in EquationDrug, suggesting a possible connection to UNITEDRAKE (United Rake). Kaspersky also found other codenames in the components that aren’t in the NSA catalog but share the same naming conventions—they include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER.


NSA Exploits Hard Drive Firmware for Spying

In not-so-surprising news, the NSA has yet another method in its IT bag of tricks. From the article:

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

My first thought was: how can I even protect against this?

Now might be a good time for a manufacturer to checksum and sign all firmware versions they release of their drives and provide utilities for validating said checksums.

That being said, if they are a US-based supplier, how can we even be certain they haven't been "asked" to distribute (and "forget") it by default for their "international" customers?
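As an added example (not code from the story, from Kaspersky, or from any drive vendor), here is what the "checksum and sign every firmware release, and ship a validation utility" suggestion looks like in Go using only the standard library's Ed25519 and SHA-256: a constructed release format, the vendor-side signing step, and a user-side verifier whose public key is pinned out of band. The key pair, the image bytes and the release struct are all constructed for this example; a valid signature only proves the image came from whoever holds the vendor key, which is exactly the limit the comments below raise.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareRelease is what a drive vendor would publish alongside the image:
// the image's SHA-256 digest and an Ed25519 signature over that digest.
// (Constructed format for this example, not any vendor's real release format.)
type FirmwareRelease struct {
	Image     []byte
	Digest    [32]byte
	Signature []byte
}

// SignRelease is the vendor-side step: hash the image and sign the hash with
// the release key. A bare checksum without the signature proves nothing, since
// whoever swaps the image can simply recompute the checksum.
func SignRelease(priv ed25519.PrivateKey, image []byte) FirmwareRelease {
	d := sha256.Sum256(image)
	return FirmwareRelease{Image: image, Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyRelease is the user-side utility. The public key must be pinned out of
// band (e.g. built into the flashing tool), never fetched from the same place
// as the image, or the attacker who replaces the image replaces the key too.
func VerifyRelease(pub ed25519.PublicKey, r FirmwareRelease) error {
	got := sha256.Sum256(r.Image)
	if got != r.Digest {
		return errors.New("image digest does not match published digest")
	}
	if !ed25519.Verify(pub, got[:], r.Signature) {
		return errors.New("signature invalid: not signed by the pinned vendor key")
	}
	return nil
}

// Demo builds a constructed release and then models the two failure modes the
// story raises: an image modified after release, and a release re-signed with a
// key that is not the pinned vendor key.
func Demo() (genuineOK, tamperedRejected, foreignKeyRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	image := []byte("CONSTRUCTED-FIRMWARE-IMAGE-v1.0")  // stand-in for a firmware blob
	rel := SignRelease(priv, image)
	genuineOK = VerifyRelease(pub, rel) == nil

	// Modify one byte of the shipped image; the digest check catches it.
	tampered := rel
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff
	tamperedRejected = VerifyRelease(pub, tampered) != nil

	// Same image, consistent digest, but signed by someone else's key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	foreign := SignRelease(otherPriv, image)
	foreignKeyRejected = VerifyRelease(pub, foreign) != nil
	return
}

func main() {
	fmt.Println(Demo()) // true true true
}
```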

How “Omnipotent” Hackers Tied to NSA Hid for 14 Years—and Were Found at Last

In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn't know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail.

It wasn't the first time the operators—dubbed the "Equation Group" by researchers from Moscow-based Kaspersky Lab—had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group's extensive library. (Kaspersky settled on the name Equation Group because of members' strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques.)

Related Stories

The Most Advanced Hacking Operation ever Uncovered

Dan Goodin of Ars Technica writes about a newly-discovered hacking platform recently revealed by Kaspersky.

They are labeling the operators 'Equation Group,' and multiple zero-day exploits in the malware kit appear to be related to those which were used by Stuxnet to hack Iran's Natanz nuclear facility in 2010. It is by far the most advanced malware ever discovered, going so far as to flash malicious firmware on the hard disks of no fewer than 12 vendors. Much of the malware was distributed through usual channels such as Java vulnerabilities or ad networks, but it was even found on CDs which were mailed to attendees of a conference in Houston in 2009 which were intercepted and modified to deliver the malicious payload.

The sophistication of the operations and the malware itself leave little doubt that Equation Group is a state-sponsored organization. The scariest part of it might be that the operation is over 14 years old and unfortunately, much of the malware is yet to be reverse-engineered. Kaspersky has been reaching out to white hats for further assistance in determining the nature and capabilities of the software.

Ties Alleged Between Kaspersky Lab and Russian Intelligence Agencies

Recently, we have reported several claims (here, here, and here) made by the Russian security software manufacturer Kaspersky Lab that they have discovered 'evidence' of NSA involvement in malware. Now, Bloomberg claims that the Moscow-based computer security company has effectively been taken over by the FSB. Company founder Eugene Kaspersky was educated at a KGB-run school, which was never a secret, but the new report describes a much more current and intimate connection.

Kaspersky Lab is denying the allegations, as one might expect, and counters with the statement:

It's not as though the US has clean hands in all of this. The CIA has funded the development of security software firms like FireEye, Veracode, and Hytrust through its In-Q-Tel investment fund, and American firms have been noticeably silent when it comes to investigating suspected US state-sponsored malware.

We are unlikely to hear the truth from either side, nor should we realistically expect a confession from the NSA or the FSB. Nevertheless, it is possible that the security industries on both sides are 'guilty' of looking after their respective government's interests and what we are seeing is just another day in the world of intelligence collection and cyber-security, the world of claim and counter-claim.

[Editor's Comment: Typo fixed at 15:39 UTC]

  • (Score: 4, Informative) by Lunix Nutcase on Tuesday February 17 2015, @06:55PM

    by Lunix Nutcase (3913) on Tuesday February 17 2015, @06:55PM (#146251)

    One also notes CDs sent through the USPS (United States Postal Service) seem to have been intercepted and modified.

    The CD itself was not modified. What was received was a malicious CD in place of the original CD. From the Ars article:

    "It would be very easy to trace the attack back to the organizers and point them out, and this could in turn result in some very serious diplomatic incidents," Raiu said. "Our best guess is that the organizers didn't act in a malicious way against the participants, but [that] some of the CD-ROMs on their way to the participants were intercepted and replaced with the malicious variants."

    • (Score: 3, Funny) by janrinok on Tuesday February 17 2015, @07:01PM

      by janrinok (52) Subscriber Badge on Tuesday February 17 2015, @07:01PM (#146252) Journal
      Thank you - it has been corrected.
    • (Score: 1, Interesting) by Anonymous Coward on Tuesday February 17 2015, @08:09PM

      by Anonymous Coward on Tuesday February 17 2015, @08:09PM (#146276)

      CDs sent through the USPS (United States Postal Service) seem to have been intercepted and replaced with modified CDs.

      Isn't it a federal offense to intercept/interfere with mail? Not that the NSA would care about breaking yet another law, but maybe there's a very slim chance that you might have a prosecutor somewhere with the balls to charge them with something someday.

      • (Score: 0) by Anonymous Coward on Tuesday February 17 2015, @08:13PM

        by Anonymous Coward on Tuesday February 17 2015, @08:13PM (#146280)

        It was mail to foreigners. I doubt the Federal courts will care.

      • (Score: 3, Informative) by frojack on Wednesday February 18 2015, @01:08AM

        by frojack (1554) on Wednesday February 18 2015, @01:08AM (#146368) Journal

        And the CDs affected Windows only (natch).

        Many conferences hire service bureaus that promise quick duplication and mailing, and these businesses cluster around large convention centers, because there is a constant business flow into these places.

        It would be easy to low-bid the duplication job, then hack the CD master and then duplicate it. The postal service would never be involved. CD burners, even ones that will print the top of the CD, are pretty inexpensive.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by Hairyfeet on Wednesday February 18 2015, @06:35PM

          by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Wednesday February 18 2015, @06:35PM (#146620) Journal

          Are you forgetting Stuxnet? A state actor can target ANY OS, and Linux is just as vulnerable to the most common attack vector [geekzone.co.nz], the user, as any other OS. If you do not think that happens in the wild you might want to look up the KDELook bug or Ubuntu theme bug, or read this nice article over on Ars [arstechnica.com] about what a successful Linux server malware attack looks like. BTW please note that in the Linux server attack no interaction by the user was required, simply having a non patched package targeted by the malware writers on the server was all that was needed. This is something you haven't seen on the Windows side in many years.

          The moral of the story? If a state actor wants to target you your choice of OS will be meaningless, hell you could be running a warehouse filled with eComstation desktops for all the good it will do. The reason why Windows is targeted by the mainstream malware writers is simply because it has the largest share and with malware being a billion dollar business one doesn't spend resources targeting a very small niche. The malware writers viewing targets as a popularity contest has been proven thanks to Android being infested [androidcommunity.com] with the number of malware attacks on Google's OS being several orders of magnitude larger than both iOS and WinPhone.

          But this is what makes state actors such a huge threat because with near limitless resources to hire black hats and no profit motive to force a wide net? They can be laser fine with their focus of attack. If your company uses systems with a large number of WD hard drives, Asus boards, and SSDs with Sandforce controllers? They can afford to craft their malware to target those specific brands, even specific models if that is what is required to infect you. This is why the only real defenses are to follow best practices, be aware of every byte that goes in and out of your network, and to do as TFA is doing and publicize the hell out of every instance found cooked up by a state actor so that defenses can be devised to limit the shelf life of their attacks. Thinking that a particular OS or firewall or ISP or whatever will somehow increase your safety? Well if you believe that I have an anti-TLA crystal you may be interested in leasing.

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
          • (Score: 3, Interesting) by frojack on Wednesday February 18 2015, @07:57PM

            by frojack (1554) on Wednesday February 18 2015, @07:57PM (#146657) Journal

            Are you forgetting Stuxnet? A state actor can target ANY OS, and Linux is just as vulnerable to the most common attack vector [geekzone.co.nz], the user, as any other OS.

            Nice rant, but totally wrong.
            Stuxnet was spread by windows, after delivery by USB devices. Its ultimate target was specific process control microchips. WINDOWS.

            There are a lot of people that seem to swallow the Microsoft line that Windows is attacked because it is popular, and Linux is ignored, because it's not. That appears to be the koolaid you've been drinking.

            That you can point to a very small molehill of successful Linux pwnage events, while turning your back on Mount Everest of Windows vulnerabilities simply proves the rule. This comes up time and time again from the Microsoft apologist camp.

            It is WAY harder to infect or install malware on any Nix machine simply because the OS is designed to prevent it out of the box. Add SELinux, and it becomes almost impossible, even with the help of a clueless unprivileged user.

            Not seeing an unpatched exploit on windows for many years, you say!?!! And with a straight face!

            --
            No, you are mistaken. I've always had this sig.
  • (Score: 5, Touché) by K_benzoate on Tuesday February 17 2015, @07:03PM

    by K_benzoate (5036) on Tuesday February 17 2015, @07:03PM (#146254)

    Now might be a good time for a manufacturer to checksum and sign all firmware versions they release of their drives and provide utilities for validating said checksums.

    And what's stopping the NSA from issuing an NSL compelling HDD makers to release a firmware/checksum with their rootkit included, and lie about it not being tampered with? They don't care about the law anymore. If a company really, really, pushed back--the owners would be blackbagged by CIA and someone more cooperative would replace them.

    --
    Climate change is real and primarily caused by human activity.
    • (Score: 2, Disagree) by ikanreed on Tuesday February 17 2015, @08:11PM

      by ikanreed (3164) Subscriber Badge on Tuesday February 17 2015, @08:11PM (#146279) Journal

      Because it's not in those agencies' MOs to be overt. You tell the wrong CEO and he accidentally lets it slip to the wrong VP, who publishes a memo, then some idiot who cares tells everyone.

      • (Score: 2) by tathra on Wednesday February 18 2015, @04:19AM

        by tathra (3367) on Wednesday February 18 2015, @04:19AM (#146427)

        You tell the wrong CEO and he accidentally lets it slip...

        that's what gag orders are for. nobody is going to accidentally let anything slip if doing so will get them tossed into a dark hole for the rest of their life.

        • (Score: 0) by Anonymous Coward on Wednesday February 18 2015, @06:22AM

          by Anonymous Coward on Wednesday February 18 2015, @06:22AM (#146442)

          well.. smeagol did, and he didn't disclose information about the ring, so...

        • (Score: 2) by ikanreed on Wednesday February 18 2015, @02:26PM

          by ikanreed (3164) Subscriber Badge on Wednesday February 18 2015, @02:26PM (#146519) Journal

          Guess what? CEOs don't change code.

    • (Score: 2) by frojack on Wednesday February 18 2015, @12:51AM

      by frojack (1554) on Wednesday February 18 2015, @12:51AM (#146361) Journal

      And what's stopping the NSA from issuing an NSL compelling HDD makers to release a firmware/checksum with their rootkit included,

      Are there any drives manufactured in the USA any more?

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 5, Interesting) by TheGratefulNet on Tuesday February 17 2015, @07:24PM

    by TheGratefulNet (659) on Tuesday February 17 2015, @07:24PM (#146260)

    start from there and THEN design protocols and services.

    the old internet and link technologies no longer serve us (well). the trust that we (thought) we used to have is now GONE.

    what are we going to do about it?

    how long will it take to redo all our insecure protocols and replace them with the assumption that the link between A and B is not trustable, or that remote entities are not trustable unless you verify them?

    some people still just don't care, though. I tried my best to convince the eevblog admin, for example, to start allowing https to his site. perhaps the most visited EE (engineering) blog out there, and yet they refuse to consider adding even self-signed certs for https ;(

    if a techie blog won't do it (and slashdot won't either, even after all these years) then I guess we, as a people, just are not pissed off ENOUGH by this.

    wonder how much longer we'll have to fight this good fight before we finally make real changes?

    and I wonder if America can ever undo the loss of trust that the rest of the world used to have in us? I don't trust American companies and I live here! what does that say about us?

    --
    "It is now safe to switch off your computer."
    • (Score: 2) by kaszz on Tuesday February 17 2015, @11:28PM

      by kaszz (4211) on Tuesday February 17 2015, @11:28PM (#146347) Journal

      This means one has to check everything that affects processing, be it CPU chip mask, motherboard BIOS, hard drive firmware, USB controllers etc. Your machine boots up with a secure BIOS and gets compromised by the PCI-e connected network card, which then initiates a procedure to change the firmware in the hard drive, so that all subsequent boots are compromised.

      • (Score: 4, Insightful) by francois.barbier on Wednesday February 18 2015, @10:57AM

        by francois.barbier (651) on Wednesday February 18 2015, @10:57AM (#146471)

        And that's the point. It's not possible to trust your computer anymore.
        Privacy is dead. Freedoms are dying. Humanity is declining.
        Thanks USA for ruining the game for everyone.

        • (Score: 2) by kaszz on Saturday February 21 2015, @03:18AM

          by kaszz (4211) on Saturday February 21 2015, @03:18AM (#147674) Journal

          Unless you build your own or rearrange parts from existing ones so the environment becomes unfamiliar.

      • (Score: 3, Informative) by dublet on Wednesday February 18 2015, @04:55PM

        by dublet (2994) on Wednesday February 18 2015, @04:55PM (#146577)

        If you're on an Intel platform, it comes compromised from the box: https://en.wikipedia.org/wiki/Intel_Active_Management_Technology [wikipedia.org]

        • (Score: 2) by kaszz on Saturday February 21 2015, @03:30AM

          by kaszz (4211) on Saturday February 21 2015, @03:30AM (#147676) Journal

          You're right, but if the AMT is blocked from communicating, it (or any person) can't establish contact to the machine. For additional security one can block unauthorized booting out of reach for AMT.

  • (Score: 0, Interesting) by Anonymous Coward on Tuesday February 17 2015, @07:41PM

    by Anonymous Coward on Tuesday February 17 2015, @07:41PM (#146266)

    While there are probably some good brains in Kaspersky Lab, it is not a credible source of information about anything. Their business consists in manufacturing and distributing malware under the guise of "security solutions". We know it's malware because we are way past the point where anyone could combine a binary blob with a claim of security in good faith. What the Lab sells as a security product is in fact a spy tool. With 2700+ employees and hundreds of millions of USD in revenue, the Lab is a Russian equivalent of the NSA. It is headquartered in Moscow and it contracts as a snoop and a cracker for the Russian police. ~Anonymous 0x9932FE2729B1D963

    • (Score: 2, Interesting) by Anonymous Coward on Tuesday February 17 2015, @07:53PM

      by Anonymous Coward on Tuesday February 17 2015, @07:53PM (#146270)

      the entire virus scanning and anti-malware industry depends on the continued development of new threats to maintain market demand for its products

      anyone that thinks kaspersky, norton, mcafee, etc aren't in some way involved in malware development is a fool

      clamav being foss might be an exception due to lack of profit motive

      • (Score: 5, Interesting) by frojack on Wednesday February 18 2015, @01:24AM

        by frojack (1554) on Wednesday February 18 2015, @01:24AM (#146376) Journal

        To this, you have to add that although Kaspersky Labs' web site says it's from England:

        Kaspersky Lab, Inc. is a Massachusetts corporation that was founded in 2004 and is a wholly-owned subsidiary of its holding company, Kaspersky Labs Limited, based in the United Kingdom.

        most people see right through the ruse, and even Reuters reports that Kaspersky is Russian [reuters.com].

        So their slant might be a little different, and their products might even be tainted.
        Since I consider Norton and McAfee to be viruses themselves, I tend to cast a pox on all their houses.

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Tuesday February 17 2015, @10:11PM

      by Anonymous Coward on Tuesday February 17 2015, @10:11PM (#146316)

      Knowing nothing, but suspecting for a while now, I've assumed that anti-virus software regularly transmitted file names of interest to certain parties via some obfuscated encrypted packet during updates.

      what a strange world

    • (Score: 5, Insightful) by mrchew1982 on Wednesday February 18 2015, @03:14AM

      by mrchew1982 (3565) on Wednesday February 18 2015, @03:14AM (#146404)

      While you are factually 100% correct, you fail to provide evidence that what they claim is untrue. I understand where you're coming from, but this is simply an ad hominem argument without going any further to disprove their claims.

  • (Score: 2, Interesting) by Anonymous Coward on Tuesday February 17 2015, @09:56PM

    by Anonymous Coward on Tuesday February 17 2015, @09:56PM (#146312)
    The report says hundreds of domains were used: (from page 23 of the PDF) "The Equation group uses a vast C&C infrastructure that includes more than 300 domains..."
    They further state: "All C&C domains appear to have been registered through the same two major registrars, using “Domains By Proxy” to mask the registrant’s information." I wonder if non-US companies can bring some force down to "Domains by Proxy" to enlighten who was actually behind these domains?
    • (Score: 2) by frojack on Wednesday February 18 2015, @02:30AM

      by frojack (1554) on Wednesday February 18 2015, @02:30AM (#146401) Journal

      Allowing Private Domain registry was a huge mistake in my view. One ought to be able to know where stuff is coming from.

      Ancestry.com, mild mannered genealogy tracing site. No problem, right?

      It's the Mormon Church in disguise via several shell corporations. Why? There is this odd program the Mormons run to trace everybody's lineage. They even offer their services to state government Bureaus of Vital Statistics, just to get their hands on the records. I don't understand it, but they have been doing this stuff for decades.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Informative) by khallow on Wednesday February 18 2015, @04:08AM

        by khallow (3766) Subscriber Badge on Wednesday February 18 2015, @04:08AM (#146424) Journal
        The belief in question is that they can save souls retroactively after death. But I gather they have to know about those lost souls first. As a result, the Mormon Church has become world leaders in genealogy. The world is a strange place.
        • (Score: 0) by Anonymous Coward on Wednesday February 18 2015, @05:31PM

          by Anonymous Coward on Wednesday February 18 2015, @05:31PM (#146589)

          They need the information for proxy baptisms of ancestors.

  • (Score: 0) by Anonymous Coward on Wednesday February 18 2015, @05:51AM

    by Anonymous Coward on Wednesday February 18 2015, @05:51AM (#146439)

    ...Where output is printed out or retyped into separate, other online-able computers...unless you are TEMPESTed [wikipedia.org] or considered to be a 'person of interest' by the spooks then it's Game Over Man, GAME OVER! [youtube.com]