This story is over 5 years old.


The Only Way You Can Delete This NSA Malware Is to Smash Your Hard Drive to Bits

If you thought Stuxnet was bad, wait until you meet Equation Group, the most sophisticated cyber attack yet group yet.
Kaspersky described the "Equation Group" as "probably one of the most sophisticated cyber attack groups in the world." ​​Photo via Bill Dickinson

Russian security company Kaspersky is calling it one of the most sophisticated features it has ever seen in a piece of malware: the ability to infect not just the files stored on a hard drive, but the firmware controlling the hard drive itself.

Such an exploit could survive a complete hard drive wipe, or the re-installation of an operating system, and "exceeds anything we have ever seen before," the company's researchers wrote in a new re​p​ort.


It's not the sort of infection your typical piece of security software would know how to detect. At the company's Security Analyst Summit in Mexico, a presenter on stage recommended literally destroying an infec​ted disk.

The only way to remove nls_933w.dll #TheSAS2015 #EquationAPT

— Fabio Assolini (@assolini) February 16, 2015

This and other details were revealed on Monday afternoon, alongside fresh evidence that an unnamed "nation state"— ​confirmed by Reuters to be the NSA—has been developing an arsenal of cyberweapons going back as far as 2001. Kaspersky has dubbed its creators the "Equation Group" and describes them as "probably one of the most sophisticated cyber attack groups in the world," and "the most advanced threat actor we have seen."

Kaspersky's researchers discovered several malware platforms used by the Equation Group, with names such as EquationDrug, DoubleFantasy, GrayFish, and Fanny. Much like previously discovered NSA malware such as  ​Stuxnet and Flame, Equation Group's malware platforms can spread between air-gapped computers, ones that aren't connected to the internet, via USB sticks; in other cases, its operators can install new features remotely, using control servers set up across the world.

But other features of the Equation Group squite are more advanced in scale and execution than Kaspersky has seen before.

Of note, the group recovered two modules belonging to EquationDrug and GrayFish that were used to reprogram hard drives to give the attackers persistent control over a target machine. These modules can target practically every hard drive manufacturer and brand on the market, including Seagate, Western Digital, Samsung, Toshiba, Corsair, Hitachi and more. Such attacks have traditionally been difficult to pull off, given the risk in modifying hard drive software, which may explain why Kaspersky could only identify a handful of very specific targets against which the attack was used, where the risk was worth the reward.


But Equation Group's malware platforms have other tricks, too. GrayFish, for example, also has the ability to install itself into computer's boot record—software that loads even before the operating system itself—and stores all of its data inside a portion of the operating system called the registry, where configuration data is normally stored.

EquationDrug was designed for use on older Windows operating systems, and "some of the plugins were designed originally for use on Windows 95/98/ME"—versions of Windows so old that they offer a good indication of the Equation Group's age.

And perhaps the strongest evidence that Equation Group is the NSA comes from Fanny, another malware platform created in 2008. Fanny used two of the same zero day software exploits used by Stuxnet— before Stuxnet. "The similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the Equation Group and the Stuxnet developers are either the same or working closely together," the report reads.

Other interesting revelations in the report include evidence that that the Equation Group apparently re-used a vulnerability first used by China in its 2009 attack against Google, deploying it against government users in Afghanistan. The report also hints at the existence of malware designed to target Mac computers running OS X—something that has not been previously seen in leaked documents attributed to NSA and GCHQ—and an unknown attack launched against users of the Firefox browser accessing Tor.

But malware that can infect hard drives is a whole other level—or should we say, low level—of bad.