2015-02-16
(Adds comment from White House advisor in paragraphs 10-11)
By Joseph Menn
SAN FRANCISCO, Feb 16 - The U.S. National Security
Agency has figured out how to hide spying software deep within
hard drives made by Western Digital, Seagate, Toshiba and other
top manufacturers, giving the agency the means to eavesdrop on
the majority of the world's computers, according to cyber
researchers and former operatives.
That long-sought and closely guarded ability was part of a
cluster of spying programs discovered by Kaspersky Lab, the
Moscow-based security software maker that has exposed a series
of Western cyberespionage operations.
Kaspersky said it found personal computers in 30 countries
infected with one or more of the spying programs, with the most
infections seen in Iran, followed by Russia, Pakistan,
Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets
included government and military institutions, telecommunication
companies, banks, energy companies, nuclear researchers, media,
and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)
The firm declined to publicly name the country behind the
spying campaign, but said it was closely linked to Stuxnet, the
NSA-led cyberweapon that was used to attack Iran's uranium
enrichment facility. The NSA is the agency responsible for
gathering electronic intelligence on behalf of the United
States.
A former NSA employee told Reuters that Kaspersky's analysis
was correct, and that people still in the intelligence agency
valued these spying programs as highly as Stuxnet. Another
former intelligence operative confirmed that the NSA had
developed the prized technique of concealing spyware in hard
drives, but said he did not know which spy efforts relied on it.
NSA spokeswoman Vanee Vines declined to comment.
Kaspersky published the technical details of its research on
Monday, which should help infected institutions detect the
spying programs, some of which trace back as far as 2001. (bit.ly/17bPUUe)
The disclosure could further hurt the NSA's surveillance
abilities, already damaged by massive leaks by former contractor
Edward Snowden. Snowden's revelations have hurt the United
States' relations with some allies and slowed the sales of U.S.
technology products abroad.
The exposure of these new spying tools could lead to greater
backlash against Western technology, particularly in countries
such as China, which is already drafting regulations that would
require most bank technology suppliers to proffer copies of
their software code for inspection.
Peter Swire, one of five members of U.S. President Barack
Obama's Review Group on Intelligence and Communications
Technology, said the Kaspersky report showed that it is
essential for the country to consider the possible impact on
trade and diplomatic relations before deciding to use its
knowledge of software flaws for intelligence gathering.
"There can be serious negative effects on other U.S.
interests," Swire said.
TECHNOLOGICAL BREAKTHROUGH
According to Kaspersky, the spies made a technological
breakthrough by figuring out how to lodge malicious software in
the obscure code called firmware that launches every time a
computer is turned on.
Disk drive firmware is viewed by spies and cybersecurity
experts as the second-most valuable real estate on a PC for a
hacker, second only to the BIOS code invoked automatically as a
computer boots up.
"The hardware will be able to infect the computer over and
over," lead Kaspersky researcher Costin Raiu said in an
interview.
Though the leaders of the still-active espionage campaign
could have taken control of thousands of PCs, giving them the
ability to steal files or eavesdrop on anything they wanted, the
spies were selective and only established full remote control
over machines belonging to the most desirable foreign targets,
according to Raiu. He said Kaspersky found only a few especially
high-value computers with the hard-drive infections.
Kaspersky's reconstructions of the spying programs show that
they could work in disk drives sold by more than a dozen
companies, comprising essentially the entire market. They
include Western Digital Corp, Seagate Technology Plc, Toshiba
Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.
Western Digital, Seagate and Micron said they had no
knowledge of these spying programs. Toshiba and Samsung declined
to comment. IBM did not respond to requests for comment.
GETTING THE SOURCE CODE
Raiu said the authors of the spying programs must have had
access to the proprietary source code that directs the actions
of the hard drives. That code can serve as a roadmap to
vulnerabilities, allowing those who study it to launch attacks
much more easily.
"There is zero chance that someone could rewrite the [hard
drive] operating system using public information," Raiu said.
Concerns about access to source code flared after a series
of high-profile cyberattacks on Google Inc and other
U.S. companies in 2009 that were blamed on China. Investigators
have said they found evidence that the hackers gained access to
source code from several big U.S. tech and defense companies.
It is not clear how the NSA may have obtained the hard
drives' source code. Western Digital spokesman Steve Shattuck
said the company "has not provided its source code to government
agencies." The other hard drive makers would not say if they had
shared their source code with the NSA.
Seagate spokesman Clive Over said it has "secure measures to
prevent tampering or reverse engineering of its firmware and
other technologies." Micron spokesman Daniel Francisco said the
company took the security of its products seriously and "we are
not aware of any instances of foreign code."
According to former intelligence operatives, the NSA has
multiple ways of obtaining source code from tech companies,
including asking directly and posing as a software developer. If
a company wants to sell products to the Pentagon or another
sensitive U.S. agency, the government can request a security
audit to make sure the source code is safe.
"They don't admit it, but they do say, 'We're going to do an
evaluation, we need the source code,'" said Vincent Liu, a
partner at security consulting firm Bishop Fox and former NSA
analyst. "It's usually the NSA doing the evaluation, and it's a
pretty small leap to say they're going to keep that source
code."
Kaspersky called the authors of the spying program "the
Equation group," named after their embrace of complex encryption
formulas.
The group used a variety of means to spread other spying
programs, such as by compromising jihadist websites, infecting
USB sticks and CDs, and developing a self-spreading computer
worm called Fanny, Kaspersky said.
Fanny was like Stuxnet in that it exploited two of the same
undisclosed software flaws, known as "zero days," which strongly
suggested collaboration by the authors, Raiu said. He added that
it was "quite possible" that the Equation group used Fanny to
scout out targets for Stuxnet in Iran and spread the virus.
(Reporting by Joseph Menn; Editing by Tiffany Wu)