“The Equation Group”: NSA Has Been Able to Exploit Most Hard Drive Firmware for Years, Wiping Drives Does Nothing
February 17th, 2015
Via: Kaspersky (.pdf):
10. What is the most sophisticated thing about the EQUATION group?
Although the implementation of their malware systems is incredibly complex, surpassing even Regin in sophistication, there is one aspect of the EQUATION group’s attack technologies that exceeds anything we have ever seen before. This is the ability to infect the hard drive firmware.
We were able to recover two HDD firmware reprogramming modules from the EQUATIONDRUG and GRAYFISH platforms. The EQUATIONDRUG HDD firmware reprogramming module has version 3.0.1 while the GRAYFISH reprogramming module has version 4.2.0. These were compiled in 2010 and 2013, respectively, if we are to trust the PE timestamps.
…
The EQUATION group HDD firmware reprogramming plugin has the internal ID 80AA, which is a unique number in the group’s plugin ID table. This allows other plugins to identify and use it as required. Both 32- and 64-bit versions of the plugin were found. The plugin supports two main functions: reprogramming the HDD firmware with a custom payload from the EQUATION group, and providing an API into a set of hidden sectors (or data storage) of the hard drive.
…
The EQUATION group’s HDD firmware reprogramming module is extremely rare. During our research, we’ve only identified a few victims who were targeted by this module. This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances.
More: Equation: The Death Star of Malware Galaxy
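The plugin described in the excerpt does two things: it rewrites the drive's own firmware and it exposes storage the operating system never sees. The cheapest check a defender can run against that is a firmware inventory: read each drive's ATA IDENTIFY DEVICE block and compare the model, serial, firmware revision and reported capacity with a known-good baseline, so that a changed revision string or a drive that suddenly reports fewer sectors stands out. The C below is an added example, not code from the Kaspersky report or from this post. It parses a raw 512-byte IDENTIFY block (on Linux you can obtain one with `hdparm --Istdout` or the HDIO_GET_IDENTITY ioctl) and compares it against a baseline table; the block it runs on is constructed sample data with hypothetical model, serial and firmware strings. The caveat is the important part: the firmware itself answers IDENTIFY, so a reprogrammed drive can return whatever strings and sector counts it likes. This catches inventory drift and careless reflashes, not a competent implant, which is exactly why firmware-level persistence is so hard to detect from the host.

```c
/* Added example: parse a raw 512-byte ATA IDENTIFY DEVICE block and compare
 * the firmware revision against an inventory baseline. Not code from the
 * Kaspersky report or from this post; the sample block below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ata_identity {
    char serial[21];        /* words 10-19, 20 chars */
    char firmware[9];       /* words 23-26, 8 chars  */
    char model[41];         /* words 27-46, 40 chars */
    uint32_t lba28_sectors; /* words 60-61 */
    uint64_t lba48_sectors; /* words 100-103; 0 if 48-bit LBA unsupported */
    int hpa_supported;      /* word 82 bit 10: Host Protected Area feature set */
};

/* IDENTIFY data is 256 little-endian 16-bit words. */
static uint16_t id_word(const uint8_t *buf, int w) {
    return (uint16_t)(buf[2 * w] | (buf[2 * w + 1] << 8));
}

/* ATA string fields are stored with the two bytes of each word swapped
 * ("DW-W" in memory for "WD-W"); undo that and trim the space padding. */
static void ata_string(const uint8_t *buf, int first, int last, char *out) {
    size_t n = 0;
    for (int w = first; w <= last; w++) {
        uint16_t v = id_word(buf, w);
        out[n++] = (char)(v >> 8);
        out[n++] = (char)(v & 0xff);
    }
    while (n > 0 && out[n - 1] == ' ') n--;
    out[n] = '\0';
}

void parse_ata_identify(const uint8_t *buf, struct ata_identity *id) {
    memset(id, 0, sizeof *id);
    ata_string(buf, 10, 19, id->serial);
    ata_string(buf, 23, 26, id->firmware);
    ata_string(buf, 27, 46, id->model);
    id->lba28_sectors = id_word(buf, 60) | ((uint32_t)id_word(buf, 61) << 16);
    if (id_word(buf, 83) & (1u << 10))          /* 48-bit address feature set */
        for (int w = 103; w >= 100; w--)
            id->lba48_sectors = (id->lba48_sectors << 16) | id_word(buf, w);
    id->hpa_supported = (id_word(buf, 82) >> 10) & 1;
}

struct baseline { const char *model; const char *firmware; };

/* 0 = firmware matches the baseline for this model, 1 = mismatch,
 * -1 = model not in the baseline at all (needs a human look either way). */
int firmware_matches_baseline(const struct ata_identity *id,
                              const struct baseline *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(id->model, b[i].model) == 0)
            return strcmp(id->firmware, b[i].firmware) == 0 ? 0 : 1;
    return -1;
}

/* --- constructed sample input (hypothetical drive, not a real capture) --- */
static void put_word(uint8_t *buf, int w, uint16_t v) {
    buf[2 * w] = (uint8_t)(v & 0xff);
    buf[2 * w + 1] = (uint8_t)(v >> 8);
}

/* Write a string the way a drive returns it: byte-swapped, space padded. */
static void put_string(uint8_t *buf, int first, int last, const char *s) {
    size_t len = strlen(s), i = 0;
    for (int w = first; w <= last; w++, i += 2) {
        uint8_t hi = i < len ? (uint8_t)s[i] : ' ';
        uint8_t lo = i + 1 < len ? (uint8_t)s[i + 1] : ' ';
        put_word(buf, w, (uint16_t)(hi << 8 | lo));
    }
}

void build_sample_identify(uint8_t *buf) {
    memset(buf, 0, 512);
    put_string(buf, 10, 19, "EXAMPLE-SERIAL-0001");   /* hypothetical serial   */
    put_string(buf, 23, 26, "FW01.000");              /* hypothetical revision */
    put_string(buf, 27, 46, "EXAMPLE HDD 1TB");       /* hypothetical model    */
    put_word(buf, 60, 0xFFFF); put_word(buf, 61, 0x0FFF); /* LBA28 cap 0x0FFFFFFF */
    put_word(buf, 82, 1u << 10);                          /* HPA supported        */
    put_word(buf, 83, 1u << 10);                          /* LBA48 supported      */
    put_word(buf, 100, 0x6DB0); put_word(buf, 101, 0x7470); /* 1953525168 sectors */
}

int main(void) {
    uint8_t buf[512];
    struct ata_identity id;
    const struct baseline known[] = { { "EXAMPLE HDD 1TB", "FW01.000" } };
    build_sample_identify(buf);
    parse_ata_identify(buf, &id);
    printf("model=%s serial=%s fw=%s lba48=%llu hpa=%d\n", id.model, id.serial,
           id.firmware, (unsigned long long)id.lba48_sectors, id.hpa_supported);
    printf("baseline result: %d\n", firmware_matches_baseline(&id, known, 1));
    return 0;
}
```

To use this on real hardware, replace `build_sample_identify` with the 512 bytes returned by the drive and keep the baseline table under change control; a drive whose firmware revision, serial or LBA48 sector count differs from the last inventory run is worth pulling for a closer look, while a clean result proves nothing beyond what the firmware chose to report.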
SpritesMod had an excellent series of articles about how he reverse-engineered his way into the firmware of a Western Digital HDD. Apparently the processing, memory and storage resources there were enough for him to get a Linux kernel up and running.
So that gives an entirely new twist to the phrase “I’m going to install Linux on my hard drive!”
http://spritesmods.com/?art=hddhack