ComputerWorld has just published an article that links NSA-style cyberspying techniques to a new breed of attack vectors. The ComputerWorld article is located here: http://www.computerworld.com/article/2884938/equation-cyberspies-use-unrivaled-nsa-style-techniques-to-hit-iran-russia.html.
The article stops short of accusing the NSA of being behind all this by calling the perpetrators “The Equation Group,” but the authors make it clear that they believe that is the case. The article itself is based on a report recently released by Kaspersky Labs, “EQUATION GROUP: QUESTIONS AND ANSWERS.”
Rather than relate the entire contents of this article, I will merely cover the highlights. You should most definitely read the articles listed in this post and, for more details, the Kaspersky Labs white paper.
The bottom line is that “The Equation Group” is infecting computers using NSA techniques and a number of different methods, some of which have only recently been discovered. The attacks appear to be directed at specific organizations in countries such as Russia, Iran, Pakistan, Afghanistan, India and China, among others.
The attacks use some tried-and-true vectors, such as worms, viruses, compromised emails, and infected web sites. These tried-and-true vectors are great when used against computers that are connected to the Internet. You should just assume that if a Windows computer is connected to the Internet it is infected.
There are some scary new vectors as well that enable “The Equation Group” to infect computers not connected to the Internet. One method for introducing malware into computers that are never connected to the Internet is to intercept them in transit and infect them before they are installed at their final location.
The primary target is the hard drive firmware. The malware being introduced to these computers is not installed using the old method of trying to hide it among existing files on the hard drive itself. These new forms infect the code that actually runs the hard drive and makes it work. By attacking this firmware, the malware can create hidden space on the hard drive itself in which to store the spyware package that does the actual work of spying on the activities of the computer and its users.
The original malware, which introduces and protects the spyware, and the spyware itself cannot be detected by any means in use today. No amount of anti-virus or anti-malware software will ever detect spyware installed in this manner. It is just not possible. Even a complete wipe of the hard drive cannot expunge this spyware.
One way I can be a bit more secure is that I use Linux. The Kaspersky white paper is clear that this spyware is targeted at Windows computers. Perhaps that only means that the Linux versions have not yet been discovered, but I am reasonably certain that Kaspersky Labs would have announced this also, had it been the case.
It is also important to note that Kaspersky Labs is a Russian security company and that Russia is allegedly one of the targets of these NSA attacks. Russia and Kaspersky have a vested interest in detecting these types of spyware and making them public.
Related articles also appear in the New York Times at http://www.nytimes.com/2015/02/17/technology/spyware-embedded-by-us-in-foreign-networks-security-firm-says.html and the Huffington Post at http://www.huffingtonpost.com/2015/02/16/nsa-computer-spying_n_6694736.html.
You can download the original Kaspersky white paper from here: http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf