Destroying your hard drive is the only way to stop the super-advanced Equation malware

A cyberespionage group with a toolset similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries including Iran and Russia, using a startlingly advanced form of malware that is impossible to remove once it has infected a PC.

Kaspersky Lab released a report Monday that said the tools were created by the "Equation" group, which it stopped short of linking to the U.S. National Security Agency.

The tools, exploits and malware used by the group—named after its penchant for encryption—have strong similarities with NSA techniques described in top-secret documents leaked in 2013.

Countries hit the most by Equation include Iran, Russia, Pakistan, Afghanistan, India and China. Targets in those countries included the military, telecommunications, embassies, government, research institutions and Islamic scholars, Kaspersky said.

Infecting firmware

Kaspersky's most striking finding is Equation's ability to infect the firmware of a hard drive, the low-level code that acts as an interface between the hardware and the software running on the host.

The malware reprograms the hard drive's firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: formatting the disk and reinstalling the OS does not affect it, because both operate above the firmware, and the hidden storage sector remains.

"Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability," said Costin Raiu, director of Kaspersky Lab's global research and analysis team, in a phone interview Monday.

A group of cyberspies called Equation that uses techniques similar to the NSA's has struck at least 30 countries using never-before-seen malware that infects hard disk drives.

Drives made by Seagate Technology, Western Digital Technologies, Hitachi, Samsung Electronics and Toshiba can be modified by two of Equation's hard disk drive malware platforms, "Equationdrug" and "Grayfish."

The report said Equation has knowledge of the drives that goes well beyond the public documentation released by vendors.

Equation knows sets of unique ATA commands used by hard drive vendors to format their products. Most ATA commands are public, as they make up a standard that ensures a hard drive is compatible with just about any kind of computer.

But there are undocumented ATA commands used by vendors for functions such as internal storage and error correction, Raiu said. "In essence, they are a closed operating system," he said.

Obtaining such specific ATA codes would likely require access to that documentation, which could cost a lot of money, Raiu said.

The ability to reprogram the firmware of just one kind of drive would be "incredibly complex," Raiu said. Being able to do that for many kinds of drives from many brands is "close to impossible," he said.

"To be honest, I don't think there's any other group in the world that has this capability," Raiu said.

It appears Equation has been alone, far ahead of the security industry. It is nearly impossible to detect this kind of tampering, Raiu said. Reflashing the drive, or replacing its firmware, is also not foolproof, since some types of modules in several types of firmware are persistent and cannot be reformatted, he said.
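As an added example (not code from the article or from Kaspersky's report), the Python below works the public side of the boundary the passages above describe: the ATA IDENTIFY DEVICE block that every drive returns, with model, serial and firmware-revision strings at word offsets fixed by the ATA/ACS standard, as opposed to the undocumented vendor commands Equation relied on. It builds a constructed sample block (the model, serial and firmware strings are made up, not a capture from a real drive), decodes it, including the word-swapped string byte order, verifies the integrity word, and diffs the result against a recorded baseline the way an asset-inventory script would. The caveat sits in compare_baseline: the firmware itself answers IDENTIFY DEVICE, so an implant of the kind described here can keep reporting the stock revision string. That is why this is useful for inventory and for catching crude firmware swaps, but it cannot prove a drive clean, which is consistent with Raiu's point that the tampering is nearly impossible to detect from the host.

```python
"""Decode an ATA IDENTIFY DEVICE block and diff it against a stored baseline.
Only the public, standardized word offsets are used; vendor-specific commands
are outside this standard and out of reach of this kind of inventory."""
import re
import struct

# Word ranges fixed by ATA/ACS. Strings hold two ASCII chars per 16-bit word,
# first character in the high byte, which is why raw dumps look pairwise swapped.
SERIAL_WORDS = (10, 20)    # 20 characters
FIRMWARE_WORDS = (23, 27)  # 8 characters
MODEL_WORDS = (27, 47)     # 40 characters


def ata_string(words, start, stop):
    """Decode an ATA string from words[start:stop], high byte first."""
    raw = bytearray()
    for w in words[start:stop]:
        raw.append((w >> 8) & 0xFF)
        raw.append(w & 0xFF)
    return raw.decode("ascii", errors="replace").strip()


def encode_ata_string(text, nwords):
    """Inverse of ata_string; used only to build the constructed sample."""
    padded = text.encode("ascii").ljust(nwords * 2)[: nwords * 2]
    return [(padded[i] << 8) | padded[i + 1] for i in range(0, nwords * 2, 2)]


def words_from_bytes(buf):
    """512 raw bytes as returned by the drive -> 256 little-endian words."""
    if len(buf) != 512:
        raise ValueError("IDENTIFY DEVICE data is exactly 512 bytes")
    return list(struct.unpack("<256H", buf))


def words_from_hex(text):
    """Whitespace-separated dump of 256 four-hex-digit words (the shape that
    hdparm --Istdout prints); tokens such as a device header are ignored."""
    toks = [t for t in text.split() if re.fullmatch(r"[0-9a-fA-F]{4}", t)]
    if len(toks) != 256:
        raise ValueError(f"expected 256 words, found {len(toks)}")
    return [int(t, 16) for t in toks]


def checksum_ok(words):
    """Word 255: low byte 0xA5 announces an integrity word; then all 512 bytes
    must sum to zero mod 256. Returns None when the drive supplies no checksum."""
    if words[255] & 0xFF != 0xA5:
        return None
    return sum(((w >> 8) & 0xFF) + (w & 0xFF) for w in words) & 0xFF == 0


def parse_identify(words):
    """Pull the inventory-relevant fields out of the 256-word block."""
    if len(words) != 256:
        raise ValueError("expected 256 words")
    lba48 = bool(words[83] & (1 << 10))       # 48-bit address feature set bit
    if lba48:
        sectors = (words[100] | words[101] << 16
                   | words[102] << 32 | words[103] << 48)
    else:
        sectors = words[60] | words[61] << 16  # 28-bit addressable sectors
    return {
        "model": ata_string(words, *MODEL_WORDS),
        "serial": ata_string(words, *SERIAL_WORDS),
        "firmware": ata_string(words, *FIRMWARE_WORDS),
        "lba48": lba48,
        "sectors": sectors,
        "ssd": words[217] == 1,   # nominal media rotation rate: 1 = non-rotating
        "checksum_ok": checksum_ok(words),
    }


def compare_baseline(current, baseline):
    """Fields that differ from an earlier parse of the same drive. Caveat: the
    firmware answers IDENTIFY DEVICE itself, so a firmware implant can keep
    reporting the stock revision; an empty diff is not a clean bill of health."""
    return {k: (baseline.get(k), v) for k, v in current.items()
            if k != "checksum_ok" and baseline.get(k) != v}


def build_sample(model, serial, firmware, sectors):
    """Constructed IDENTIFY DEVICE block for the demo, not a real drive's data."""
    words = [0] * 256
    words[SERIAL_WORDS[0]:SERIAL_WORDS[1]] = encode_ata_string(serial, 10)
    words[FIRMWARE_WORDS[0]:FIRMWARE_WORDS[1]] = encode_ata_string(firmware, 4)
    words[MODEL_WORDS[0]:MODEL_WORDS[1]] = encode_ata_string(model, 20)
    words[83] = 1 << 10
    words[60], words[61] = 0xFFFF, 0x0FFF      # 28-bit field saturated
    for i in range(4):
        words[100 + i] = (sectors >> (16 * i)) & 0xFFFF
    body = sum(((w >> 8) & 0xFF) + (w & 0xFF) for w in words[:255]) + 0xA5
    words[255] = (((-body) & 0xFF) << 8) | 0xA5  # make the bytes sum to 0
    return struct.pack("<256H", *words)


# Constructed demo: a recorded baseline, then a later read whose firmware changed.
BASELINE = parse_identify(words_from_bytes(
    build_sample("EXAMPLE-HDD-1000GB", "CONSTRUCTED0001", "FW01.00A", 1953525168)))
LATER = parse_identify(words_from_bytes(
    build_sample("EXAMPLE-HDD-1000GB", "CONSTRUCTED0001", "FW01.00B", 1953525168)))

if __name__ == "__main__":
    print(BASELINE)
    print("changed:", compare_baseline(LATER, BASELINE))
```

On Linux the same 512 bytes come from `hdparm --Istdout /dev/sdX` as hex words, which words_from_hex accepts; storing parse_identify's output per drive serial gives the baseline that later reads are diffed against. Treat a changed revision string as a lead worth chasing, not a changed string's absence as proof of anything.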

Given the high value of this exploitation technique, Equation deployed it very selectively.

"During our research, we've only identified a few victims who were targeted by this," Kaspersky's report said. "This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances."

Fanny worm

Another of Kaspersky's provocative findings is Fanny, a computer worm created in 2008 that was used against targets in the Middle East and Asia.

To infect computers, Fanny used two zero-day exploits—the term for an attack on a software vulnerability that is unknown to the vendor, so no patch yet exists—that were also coded into Stuxnet, Kaspersky said. Stuxnet, also a Windows worm, was used to sabotage Iran's uranium enrichment operations. It is thought to be a joint project between the U.S. and Israel.

It is unlikely the use of the same zero-days was a coincidence. Kaspersky wrote that the shared use of the vulnerabilities means the Equation group and the Stuxnet developers are "either the same or working closely together."

"They are definitely connected," Raiu said.

Both Stuxnet and Fanny were designed to penetrate "air-gapped" networks, those isolated from the Internet, which both worms did by riding on infected USB sticks, Kaspersky said.

Man in the middle

The Equation group also used "interdiction" techniques similar to those used by the NSA in order to deliver malicious software to targets: intercepting a physical shipment and tampering with it before it reaches the recipient.

Kaspersky described how some participants of a scientific conference held in Houston later received a CD-ROM of materials. The CD contained two zero-day exploits and a rarely seen malware doorstop nicknamed "Doublefantasy."

It is unknown how the CDs were tampered with or replaced. "We do not believe the conference organizers did this on purpose," Kaspersky said. But such a combination of exploits and malware "don't end up on a CD by accident," it said.

The NSA's Office of Tailored Access Operations (TAO) specializes in intercepting deliveries of new computer equipment, one of the most successful methods of tapping into computers, wrote Der Spiegel in December 2013, citing a top secret document.

The German publication was one of several that had access to tens of thousands of spy agency documents leaked by former NSA contractor Edward Snowden.

Kaspersky uncovered the trail of the Equation group after investigating a computer belonging to a research institute in the Middle East that appeared to be a Typhoid Mary for advanced malware.

Raiu said the machine had French, Russian and Spanish APT (advanced persistent threat) samples on it, among others, showing it had been targeted by many groups. It also had a strange malicious driver, Raiu said, which upon investigation led to the extensive command-and-control infrastructure used by Equation.

Kaspersky analysts found more than 300 domains connected with Equation, with the oldest one registered in 1996. Some of the domain registrations were due to expire, so Kaspersky registered around 20 of them, Raiu said, a sinkholing step that lets researchers observe infected machines that still try to call home.

Most of the domain names aren't used by Equation anymore, he said. But three are still active. The activity, however, doesn't lend much of a clue as to what Equation is up to these days, as the group changed its tactics in late 2014.

"Those three [domains] are very interesting," Raiu said. "We just don't know what malware is being used."

Source: https://www.pcworld.com/article/431905/equation-cyberspies-use-unrivaled-nsastyle-techniques-to-hit-iran-russia.html
