NSA & CIA target Kaspersky for revealing they're spying on your computer

(1) Note from Editor (Peter Myers): You need Anti-virus software, but it is also dangerous

(2) NSA & GCHQ have been targeting antivirus companies

(3) CIA wrote code to Impersonate Russian Anti-Virus Company Kaspersky

(4) Bitcoin created by CIA - Kaspersky

(5) Kaspersky exposes NSA spy software deep within Firmware of hard drives (2015)

(6) Kaspersky discovered that Israel had been spying on 2015 Iran talks

(7) Kaspersky links Flame to Duqu and Stuxnet; Duqu's operators kept Jerusalem hours, inactive during the Sabbath

(8) Kaspersky Lab finds hotels hosting 2015 Iran talks were targeted by Virus used by Israeli spies - WSJ

(9) Cyberattacks Against Iran Are Part Of Joint US-Israeli Offensive

(10) How the NSA’s Firmware Hacking Works

(1) Note from Editor (Peter Myers): You need Anti-virus software, but it is also dangerous

In the 1980s, I was an IT professional on mainframe computers. I was an expert in Change Control software, including Backup and Archive - that's why I take Backups so seriously. I was also Principal EDP Auditor at the Department of Finance in Canberra. Let me warn you. You need Anti-virus software, but it is also dangerous. Beware any software from Israel, eg softonic - it downloads malware. For Macs, beware any site which recommends or downloads Mackeeper or Clean My Mac; only use Onyx - it is safe. I don't know the Windows equivalents, but shonky "cleaning" software is commonly used to install malware. Anti-virus software can compromise your computer. Eset is safe - that's what I use. The prominent brands may be co-operating with the NSA, may incorporate NSA code. You would not think so, but Snowden and Assange are not holed up for nothing. Our Governments have become Rogue States.

(2) NSA & GCHQ have been targeting antivirus companies

New Snowden documents reveal the NSA targeted one of the world's biggest security companies

Cale Guthrie Weissman

Jun 23, 2015, 12:23 AM

Newly unearthed documents obtained by The Intercept indicate that the National Security Agency (NSA) as well as the UK’s Government Communications Headquarters (GCHQ) have been targeting the largest antivirus companies using various hacking techniques.

The government agencies used what’s known as software reverse engineering to snoop on security companies, according to the new report. This reportedly allowed them to see data that went in and out of the companies’ networks, as well as giving them access to some email data. The intent of the program was to remain one step ahead of the biggest antivirus companies, essentially giving the governments intel into the world of vulnerability tracking.

Both the NSA and the GCHQ heavily targeted the Russia-based antivirus company Kaspersky Lab, The Intercept reports, citing documents leaked by NSA whistleblower Edward Snowden.

Targeting antivirus software is highly strategic. Security products often run on operating systems with the highest privileges. If attackers are able to exploit such software, it’s possible for them to do even more damage with the elevated control the software grants.

The new documents indicate the NSA was able to gain access to a trove of Kaspersky-specific information, including:

    “Leaky” user information that was being transmitted through the company’s networks;
    Private emails sent to the firm;
    Lists of new malware that were flagged for Kaspersky.

This sort of cyberespionage has become somewhat common, with governments trying to find vulnerabilities in security software and antivirus companies trying to discover state-led attacks.

The report explains:

    Spy agencies seem to be engaged in a digital game of cat and mouse with anti-virus software companies; the U.S. and U.K. have aggressively probed for weaknesses in software deployed by the companies, which have themselves exposed sophisticated state-sponsored malware.

While governments also worked secretly to try to reverse engineer software like Kaspersky’s, they also sought out warrants to have legal backing behind their actions. Given that proprietary security software is protected by copyright, the authorities wanted to ensure legally that their software reverse engineering wouldn’t be considered “a copyright infringement or a breach of contract.”

Kaspersky Lab wrote this statement to The Intercept:

    It is extremely worrying that government organisations would be targeting us instead of focusing resources against legitimate adversaries, and working to subvert security software that is designed to keep us all safe. However, this doesn’t come as a surprise. We have worked hard to protect our end users from all types of adversaries. This includes both common cyber-criminals or nation state-sponsored cyber-espionage operations.

This isn’t the first time Kaspersky Lab has been targeted by hackers. Earlier this month the antivirus company wrote a blog post admitting it had been hacked, although that attack likely came from Israel.

(3) CIA wrote code to Impersonate Russian Anti-Virus Company Kaspersky

NOVEMBER 9, 2017

By Aaron Kesel

WikiLeaks has released part 1 of its new Vault 8 series following its popular and widely distributed Vault 7 series which exposed CIA spyware and malware capabilities.

The new release “will enable investigative journalists, forensic experts, and the general public to better identify and understand covert CIA infrastructure components,” the international whistleblower coalition wrote.

The CIA’s malware control system known as “Hive” had already been exposed by WikiLeaks the previous April.

Described as a multi-platform malware suite, Hive provides “customisable implants” for Windows, Solaris, MikroTik (software used in Internet routers), Linux OS, and AVTech Network Video Recorders, used for CCTV recording.

A 2015 user guide for the malware suite reveals the initial release of Hive was in 2010. The guide goes on to describe the software as having two primary functions – a beacon and an interactive shell. Both are designed to provide a starting point for CIA cyber agents to deploy other tools that have been included in the WikiLeaks Vault 7 series release.

The implants communicate via HTTPS with the web server using a cover domain. Each cover domain is connected to an IP address that is hooked into a Virtual Private Server (VPS) provider. This forwards all incoming traffic to a ‘Blot’ server.

The redirected traffic is then examined to see if it contains a valid beacon. If it does, it’s sent to a tool handler, called a “Honeycomb.”

The CIA can then choose to initiate other actions on the targeted computer.

The user guide further details the commands that are available, including uploading and deleting files and executing applications on the computer.
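The beacon traffic described above is what a defender has to find from the victim side. The cover domain resolves to an ordinary-looking VPS that serves a harmless site to anyone who probes it, so domain reputation and poking at the server tell you nothing; what remains is the implant's own regularity. The following Python is an added example, not code from WikiLeaks, the Vault 8 release, or this page: it scores outbound HTTPS connections from constructed proxy-log lines by how machine-like their timing and request sizes are. The host names, addresses, check-in interval and thresholds are assumptions chosen for the illustration.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed proxy-log lines (not real data), one per outbound HTTPS
    connection: 'timestamp src dst_host bytes'. Host 10.0.0.5 plays the
    implant checking in with a cover domain; 10.0.0.9 plays a person who
    happens to browse the same site."""
    rng = random.Random(1)
    base = datetime(2017, 11, 1, 8, 0, 0)
    lines = []
    # implant: a check-in every 600 s with +/-15 s jitter and a near-constant
    # request size, since an idle beacon carries no real payload
    for i in range(24):
        t = base + timedelta(seconds=600 * i + rng.randint(-15, 15))
        lines.append(f"{t.isoformat()} 10.0.0.5 cdn-status.example {412 + rng.randint(0, 3)}")
    # human browsing: irregular times, widely varying page sizes
    for off in (37, 412, 1890, 2011, 4500, 9100, 9140, 15000):
        t = base + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.0.9 cdn-status.example {rng.randint(300, 90000)}")
    return sorted(lines)


def parse_flows(lines):
    """Group connections by (src, dst_host) into time-sorted (time, bytes) lists."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, size = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    for events in flows.values():
        events.sort()
    return flows


def beacon_score(events, min_events=8):
    """Coefficient of variation (stdev/mean) of the inter-connection gaps and
    of the request sizes. Machines check in on a timer with the same tiny
    payload, so both values sit near zero; people do neither. Returns None
    when there are too few events to judge."""
    if len(events) < min_events:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    interval_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
    return interval_cv, size_cv


def find_beacons(lines, max_interval_cv=0.2, max_size_cv=0.2):
    """Return [(src, dst_host, interval_cv, size_cv)] for flows whose timing
    and size regularity look like an automated beacon."""
    hits = []
    for (src, dst), events in parse_flows(lines).items():
        score = beacon_score(events)
        if score and score[0] < max_interval_cv and score[1] < max_size_cv:
            hits.append((src, dst, round(score[0], 3), round(score[1], 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(constructed_log()):
        print("beacon-like flow:", hit)
```

The thresholds (coefficient of variation under 0.2 on both intervals and sizes) are a starting point, not a rule: a beacon with heavy randomised jitter or padded payloads scores higher, and some legitimate agents (update checkers, monitoring probes) score low, so hits are leads for an analyst rather than verdicts.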

“Source code published in this series contains software designed to run on servers controlled by the CIA. Like WikiLeaks’ earlier Vault7 series,” WikiLeaks wrote in a press release for the new Vault 8 series.

The earlier release of Hive was followed by wide-scale blowback against the CIA when security firm Symantec linked the agency and the hacking group it tracks as Longhorn to 40 targets in 16 countries, with many more expected to come. Longhorn has been active since at least 2011, according to Symantec, infiltrating targets in the financial, telecom, aerospace and natural resources industries. It has the markings of an intelligence-backed state attacker.

“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks,” a Symantec statement said.

The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.

The latest leak is the source code and logs of the CIA’s master infrastructure for that malware control system, created by its Embedded Development Branch (EDB), and it expands on the use of obfuscated, spoofed tools to implicate another party in a cyber attack.

In March, WikiLeaks also released 676 source code files code-named ‘Marble’, which detailed how the CIA obfuscates its hacking tools and can misdirect forensic investigators from attributing viruses, trojans and worms to the agency by leaving fragments of other languages in its code as a scapegoat – in other words, false flag cyber attacks.

“If the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated,” WikiLeaks said in a statement.

In September, the U.S. Department of Homeland Security (DHS) ordered all government agencies to stop using Kaspersky-related security products and remove them from computers, citing “information security risks presented by the use of Kaspersky products on federal information systems.”

It’s worth noting that Kaspersky was named in the infamous Trump dossier compiled by Fusion GPS at the behest of former spook Christopher Steele. The same firm was coincidentally connected to a Russian lawyer, Natalia Veselnitskaya, who set up a meeting with U.S. President Donald Trump’s son, Donald Trump Jr., through Rob Goldstone, a music publicist and personal friend of Trump Jr.

Then there is the fact that Hillary Clinton herself approved the dossier and helped fund it along with the DNC and RNC, according to journalist Edward Klein.

“Hillary approved Podesta’s decision to pay for the dossier by funneling campaign funds through Marc Elias,” the strategist said, referring to the lawyer who represented both the Clinton campaign and the Democratic National Committee.

“The dossier was delivered to the Clinton campaign by the opposition research firm Fusion GPS in the summer of 2016, and Hillary read it and was thrilled by its salacious content,” the strategist continued.

She bragged about it so openly that many of the people in her Brooklyn campaign headquarters were aware of the existence of the dossier. Hillary referred to it as her ‘secret weapon’ that would ‘blow Trump out of the water.’

Former DNC interim head, Donna Brazile, even stated on The View that she knew about the dossier before the presidential election. “I asked one question on November 4th and I was told that I did not need to know and so no, I did not know,” Brazile said.

Is all the propaganda and the setting up of U.S. President Donald Trump to paint him as colluding with Russia finally falling apart? WikiLeaks seems to play a major part in dismantling a narrative that appears to have heavy CIA involvement, since the effort is so sophisticated and vast that it indicates a potential clandestine operation. At some point, people have to start questioning the breadth of coincidences and recall what President Franklin Delano Roosevelt is quoted as saying in None Dare Call It Conspiracy, by Gary Allen and Larry Abraham: “In politics, there are no accidents.”

(4) Bitcoin created by CIA - Kaspersky

Bitcoin is US Dollar 2.0 Created by CIA | Kaspersky Co-founder

JANUARY 20, 2018

There’s a reason why China, Russia and South Korea are about to shut down Bitcoin operations on their turf. It has been a CIA project from the very beginning. That explains why there’s no transparency as to who actually created it, and the impending shutdown is bringing Bitcoin’s market value down by at least 40%, for now.

Natalya Kaspersky claimed that Bitcoin was designed to provide financing for US and British intelligence activities around the world. The expert called the cryptocurrency “dollar 2.0.”

The Bitcoin cryptocurrency was developed by “American intelligence agencies,” Natalya Kaspersky, CEO of the InfoWatch group of companies and specialist in cyber security systems, said during her presentation at ITMO University in St. Petersburg.

Kaspersky was giving a speech on information wars and digital sovereignty. Photos of her presentation entitled “Modern technologies – the basis for information and cyber-wars,” have been published on social media.

“Bitcoin is a project of American intelligence agencies, which was designed to provide quick funding for US, British and Canadian intelligence activities in different countries. [The technology] is ‘privatized,’ just like the Internet, GPS and TOR. In fact, it is dollar 2.0. Its rate is controlled by the owners of exchanges,” one of the slides read.

She also claimed that Satoshi Nakamoto (the pseudonym used by its founder or founders) is the name for a group of American cryptographers.

The presentation also claimed that a smartphone cannot be considered as a personal gadget.

A smartphone “is a remotely controlled device designed for entertainment, work and at the same time for spying on its owner,” according to Kaspersky, who is also the co-founder of Kaspersky Lab.

This revelation is part of the ongoing crackdown on the Deep State worldwide. The move towards the establishment of an AI-based totalitarian control in Western countries requires that everyone must use any of the cryptocurrencies so that their lives could be shut down whenever necessary.

The Deep State has no other choice but to keep using the same scheme of luring ambitious investors in with their teaser about the Bitcoin’s ability to reach $125,000 a piece by 2022, only to bring it down, so the cycle could begin again.

Surely, the real economy has nothing to do with that.

(5) Kaspersky exposes NSA spy software deep within Firmware of hard drives (2015)

Russian researchers expose breakthrough U.S. spying program

By Joseph Menn

SAN FRANCISCO Mon Feb 16, 2015 5:10pm EST

SAN FRANCISCO (Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

NSA spokeswoman Vanee Vines declined to comment.

Kaspersky published the technical details of its research on Monday, which should help infected institutions detect the spying programs, some of which trace back as far as 2001.

The disclosure could further hurt the NSA's surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden's revelations have hurt the United States' relations with some allies and slowed the sales of U.S. technology products abroad.

The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.

Peter Swire, one of five members of U.S. President Barack Obama's Review Group on Intelligence and Communications Technology, said the Kaspersky report showed that it is essential for the country to consider the possible impact on trade and diplomatic relations before deciding to use its knowledge of software flaws for intelligence gathering.

"There can be serious negative effects on other U.S. interests," Swire said.


According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.

Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.

"The hardware will be able to infect the computer over and over," lead Kaspersky researcher Costin Raiu said in an interview.

Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.

Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.

Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.


Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.

Concerns about access to source code flared after a series of high-profile cyberattacks on Google Inc and other U.S. companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies.

It is not clear how the NSA may have obtained the hard drives' source code. Western Digital spokesman Steve Shattuck said the company "has not provided its source code to government agencies." The other hard drive makers would not say if they had shared their source code with the NSA.

Seagate spokesman Clive Over said it has "secure measures to prevent tampering or reverse engineering of its firmware and other technologies." Micron spokesman Daniel Francisco said the company took the security of its products seriously and "we are not aware of any instances of foreign code."

According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe.

"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."

Kaspersky called the authors of the spying program "the Equation group," named after their embrace of complex encryption formulas.

The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.

Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as "zero days," which strongly suggested collaboration by the authors, Raiu said. He added that it was "quite possible" that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.

(Reporting by Joseph Menn; Editing by Tiffany Wu)

(6) Kaspersky discovered that Israel had been spying on 2015 Iran talks

'Complete takeover': Israel unleashed one of the world's most sophisticated cyber weapons on the Iran talks

Natasha Bertrand, Michael B Kelley

Jun 11, 2015, 1:52 AM

Six world powers and Iran met again on Wednesday in a bid to reach a preliminary accord on reining in Tehran’s nuclear programme, after failing to agree crucial details such as the lifting of U.N. sanctions by a midnight deadline.

The computers in three luxury hotels that hosted high-stakes negotiations on Iran’s nuclear program were infected with an improved version of one of the world’s most powerful computer viruses, The Wall Street Journal reports.

The discovery of the Duqu virus — a collection of malware used primarily for sensitive intelligence-collection operations — by cybersecurity firm Kaspersky Lab ZAO provides the first solid evidence that Israel had in fact been spying on the talks, a suspicion that was first reported in March 2015.

Kaspersky has not officially named Israel as the source of the attack. But the uncovered virus “was so complex and borrowed so heavily from Duqu that it ‘could not have been created by anyone without access to the original Duqu source code,’” according to the Journal and Kaspersky’s report.

Duqu — and malware linked to it — has been used by Israel to spy on Iran in the past, copying blueprints of Iran’s nuclear program. The malware has a variety of functions to suck up information.

“Since Duqu uses root capabilities and exploits vulnerabilities that allow for an elevation of privileges, Duqu can be used to install other code that can keystroke log, record conversations, record video, extract files, track any activity that occurs on the infected Windows PC or laptop,” Jeff Bardin, chief intelligence officer of Treadstone 71, told Business Insider. “This includes the capturing of user ids, passwords, and sensitive files.”

In 2012, Kaspersky told The New York Times that it believed Duqu was created by the same state-sponsored program as the Stuxnet and Flame viruses, which also targeted Iran’s nuclear program.

Stuxnet, a joint U.S.-Israel project, is known for reportedly destroying roughly a fifth of Iran’s nuclear centrifuges by causing them to spin out of control. Flame is a massive program that leaves a backdoor (i.e. Trojan) on computers through which it sucks information from networks by actions Bardin described as functions of Duqu.

“Once the [Duqu] code is installed, most anti-virus software cannot detect or remove this malware,” Bardin said. “Duqu allows for the complete takeover of the target Windows devices.”

Iran, the United States and other world powers are all but certain to miss Monday’s deadline for negotiations to resolve a 12-year stand-off over Tehran’s atomic ambitions, forcing them to seek an extension, sources say. The talks in Vienna could lead to a transformation of the Middle East, open the door to ending economic sanctions on Iran and start to bring a nation of 76 million people in from the cold after decades of hostility with the West.

After intercepting communications between Israeli officials early last year, the White House suspected that Israel had been spying on the negotiations to gather sensitive information that it could then reveal to Congress in the hopes of sinking the deal.

The administration did not elaborate on the tactics used, however, saying only that Israeli officials couldn’t have possibly known certain details surrounding the talks without actually being in the room.

Kaspersky researchers were alerted to Duqu’s resurgence after detecting the virus in their own system earlier this year — it had been there, Kaspersky believes, for at least six months.

The FBI is investigating Kaspersky’s claims, according to the Journal. The firm has declined to name the three European hotels that were targeted.

Nuclear talks were held at the Beau-Rivage Palace in Lausanne, Switzerland, the Intercontinental in Geneva, the Palais Coburg in Vienna, the Hotel President Wilson in Geneva, the Hotel Bayerischer Hof in Munich and Royal Plaza Montreux in Montreux, Switzerland.

(7) Kaspersky links Flame to Duqu and Stuxnet; Duqu's operators kept Jerusalem hours, inactive during the Sabbath

It Looks Like The Devastating New Virus Ripping Through Iran Was A Joint US-Israel Attack

Michael Kelley

Jun 1, 2012, 2:45 AM

Security researchers have linked the Flame virus to Israel while U.S. computer security experts say that it bears the hallmarks of the National Security Agency (NSA), according to reports from Nicole Perlroth of The New York Times and Robert Windrem of NBC News. Flame is a massive program that leaves a backdoor (i.e. Trojan) on computers through which it sucks information from networks by actions that include recording keystrokes, capturing screen images, remotely changing settings on computers, turning every computer into a listening device, and using Bluetooth to gather data from nearby cell phones and tablets.

The 20 megabyte virus was first discovered over the weekend by Russian cybersecurity firm Kaspersky Lab after a U.N. telecommunications agency asked it to analyse data on malicious software across the Middle East after Iranian reports of a data-wiping virus, according to Reuters.

The highest concentrations of compromised computers were found in Iran, followed by the Palestinian West Bank, Israel, Sudan, Syria and Lebanon. Additional infections have been reported in Hungary, Austria, Russia, Hong Kong, and the United Arab Emirates.

Kaspersky researchers told The New York Times that Flame shares notable features with the Duqu and Stuxnet malware, including exploiting the same flaw in the Windows operating system and that they believe all three viruses were written by the same state-sponsored campaign.

Duqu was a surveillance tool used to copy blueprints of Iran’s nuclear program whereas Stuxnet destroyed roughly a fifth of Iran’s nuclear centrifuges by causing them to spin out of control.

Perlroth reports that Kaspersky researchers tracked the working hours of Duqu’s operators, finding that they coincided with Jerusalem local time and were inactive during the Sabbath (i.e. between sundown on Fridays and sundown on Saturdays) when observant Jews typically refrain from secular work.
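Working-hours analysis of the kind Perlroth describes is straightforward to reproduce once you have timestamps (binary compile times, C2 session starts, build artefacts). The Python below is an added example, not Kaspersky's code or data: it generates a constructed set of UTC timestamps that follow a Sunday-to-Thursday Jerusalem working week, then re-expresses them in several candidate zones and reports which zone puts the activity inside office hours and where the two-day quiet gap falls. The candidate zones, the 08:00-18:00 window and the 2% quiet threshold are assumptions.

```python
import random
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Candidate operator locations to test against (assumption; any zone can be added).
CANDIDATE_ZONES = ("Asia/Jerusalem", "Europe/Moscow", "Asia/Shanghai", "America/New_York")


def constructed_activity(days=70, seed=7):
    """Constructed sample (not real data): UTC timestamps of operator actions,
    generated to follow a Sunday-to-Thursday, 08:00-18:00 Jerusalem working week."""
    rng = random.Random(seed)
    tz = ZoneInfo("Asia/Jerusalem")
    start = datetime(2012, 3, 4, tzinfo=tz)  # a Sunday
    events = []
    for d in range(days):
        day = start + timedelta(days=d)
        if day.weekday() in (4, 5):  # Friday, Saturday: the weekend gap
            continue
        for _ in range(rng.randint(3, 8)):
            local = day.replace(hour=rng.randint(8, 17), minute=rng.randint(0, 59))
            events.append(local.astimezone(timezone.utc))
    return sorted(events)


def working_profile(utc_events, zone, start_hour=8, end_hour=18):
    """Re-express the events in `zone`; return (share of events inside the
    working day, per-weekday counts with Monday=0 ... Sunday=6)."""
    tz = ZoneInfo(zone)
    by_weekday = [0] * 7
    in_hours = 0
    for t in utc_events:
        local = t.astimezone(tz)
        by_weekday[local.weekday()] += 1
        if start_hour <= local.hour < end_hour:
            in_hours += 1
    share = in_hours / len(utc_events) if utc_events else 0.0
    return share, by_weekday


def weekend_pattern(by_weekday, quiet_share=0.02):
    """Name the two consecutive local days that carry almost no activity.
    A Fri/Sat gap matches an Israeli working week; Sat/Sun is the Western one."""
    total = sum(by_weekday)
    if total == 0:
        return None
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    for i in range(7):
        j = (i + 1) % 7
        if (by_weekday[i] + by_weekday[j]) / total < quiet_share:
            return f"{names[i]}/{names[j]}"
    return None


def rank_zones(utc_events, zones=CANDIDATE_ZONES):
    """Score each candidate zone by how much of the activity lands in office
    hours there, best first. The weekend pattern rides along because zones
    that share a UTC offset tie on hours and only the weekend separates them."""
    ranked = []
    for zone in zones:
        share, by_weekday = working_profile(utc_events, zone)
        ranked.append((round(share, 3), zone, weekend_pattern(by_weekday)))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for share, zone, weekend in rank_zones(constructed_activity()):
        print(f"{zone:18} in-hours share {share:.3f}  quiet days {weekend}")
```

Two cautions that the page itself supplies. Zones sharing an offset (much of Eastern Europe and the Middle East sit with Israel at UTC+2) score identically on hours alone, so the Fri/Sat versus Sat/Sun gap carries most of the weight. And timestamps are attacker-controlled: compile times can be set to anything, and section (3) describes a CIA framework built precisely to plant misleading attribution clues, so a profile like this is a hint to be weighed with other evidence, never proof.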

A January 2011 report in The New York Times revealed that Stuxnet was tested at Dimona (i.e. the supposed headquarters of Israel’s nuclear weapons program) in addition to other “clues suggesting that the virus was designed as an American-Israeli project to sabotage the Iranian program.”

Cybersecurity experts noted that Flame may have been designed before or at the same time as Duqu (which researchers think was created around August 2007) and Stuxnet (which first appeared in June 2009) because the antivirus maker Webroot first encountered a sample of Flame in December 2007 and Hungarian Laboratory of Cryptography and Systems Security, which first discovered Duqu, told Reuters that Flame may have been active for at least five years and perhaps eight years or more.

(8) Kaspersky Lab finds hotels hosting 2015 Iran talks were targeted by Virus used by Israeli spies - WSJ

Spy Virus Linked to Israel Targeted Hotels Used for Iran Nuclear Talks

Cybersecurity firm Kaspersky Lab finds three hotels that hosted Iran talks were targeted by a virus believed used by Israeli spies

By Adam Entous and Danny Yadron

Updated June 10, 2015 7:50 p.m. ET

When a cybersecurity firm discovered it had been hacked last year by a virus widely believed to be used by Israeli spies, it wanted to know who else was on the hit list.

(9) Cyberattacks Against Iran Are Part Of Joint US-Israeli Offensive

Obama Administration Admits Cyberattacks Against Iran Are Part Of Joint US-Israeli Offensive

Michael Kelley

Jun 2, 2012, 10:48 AM

The Obama Administration has admitted for the first time that it is collaborating with Israel to develop cyberweapons to use against Iran, reports David E. Sanger of The New York Times. The report, adapted from Sanger’s forthcoming book and based on interviews with current and former American, European and Israeli officials involved in the program as well as outside experts, provides a detailed (albeit incomplete) account of the joint U.S.-Israeli cyber tactics applied against Iran.

The cyberwar initiative, code-named Olympic Games, began under the Bush Administration in 2006 and has been progressively accelerated since Barack Obama took office.

Administration officials revealed to Sanger that the Stuxnet virus was developed by the National Security Agency (NSA) and Israel’s Unit 8200 (i.e. Israel’s secretive cyber arm) to “become the attacker from within” Iran’s nuclear facilities.

Officials also said that the recent Flame virus was not part of Olympic Games and declined to say whether Flame was a U.S.-Israeli attack, but the nature of the virus and sequence of events imply that it is part of the cyber offensive against Iran.

The first step in the cyberwar, according to Sanger, was to develop a “beacon” that could be inserted into Iranian computers to “draw the equivalent of an electrical blueprint of the Natanz plant” (i.e. an underground site where Iran was enriching uranium) and send messages to the NSA headquarters that would describe “the structure and daily rhythms of the enrichment plant.”

That fits the description of the Duqu virus, which cybersecurity researchers describe as “a surveillance tool used to copy blueprints of Iran’s nuclear program” that was created around August 2007.

As Duqu provided the NSA with blueprints of how the centrifuges at Natanz were connected to its electronic directories, the NSA and Unit 8200 began developing Stuxnet — which, according to cybersecurity experts, first appeared in June 2009 and eventually destroyed roughly a fifth of Iran’s nuclear centrifuges by causing them to spin out of control.

Cybersecurity researchers believe that Flame – a massive surveillance virus that collects information from networks in numerous ways (including using Bluetooth to gather data from nearby cell phones and tablets) — may have been designed before or at the same time as Duqu.

Flame was first encountered in 2007 and may have been active for at least five years and perhaps eight years or more, according to the Hungarian Laboratory of Cryptography and Systems Security (which first discovered Duqu).

Yesterday we reported that Kaspersky Lab, the Russian cybersecurity firm that discovered Flame last weekend, told The New York Times that the 20 megabyte program shares notable features with the Duqu and Stuxnet malware and that they believe all three viruses were written by the same state-sponsored campaign.

The administration has also “discussed the irony, more than once” of how American acknowledgment of employing cyberweapons and drones “could enable other countries, terrorists or hackers to justify their own attacks.”

This acknowledgment, perhaps, indirectly gives credence to the notion that Obama’s drone war is radicalizing people in Yemen and providing al-Qaeda in the Arabian Peninsula (AQAP) with opportunities to recruit people who want revenge for untold civilian casualties.

Sanger ends the article by pointing out the primary consequence of initiating a cyberwar:

Mr. Obama has repeatedly told his aides that there are risks to using — and particularly to overusing — the weapon. In fact, no country’s infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.

Spy Virus Linked to Israel Targeted Hotels Used for Iran Nuclear Talks

Cybersecurity firm Kaspersky Lab finds three hotels that hosted Iran talks were targeted by a virus believed used by Israeli spies

By Adam Entous and Danny Yadron

Updated June 10, 2015 7:50 p.m. ET

When a cybersecurity firm discovered it had been hacked last year by a virus widely believed to be used by Israeli spies, it wanted to know who else was on the hit list.

(10) How the NSA’s Firmware Hacking Works

Kim Zetter

How the NSA’s Firmware Hacking Works and Why It’s So Unsettling

One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive’s firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—“surpasses anything else” they had ever seen.

The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named “nls_933w.dll”, is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered.

It also has another capability: to create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don’t get encrypted.

Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption.

Here’s what we know about the firmware-flashing module.

How It Works

Hard drive disks have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the hard drive resides.

When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one. The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquationDrug and one with a 2013 compilation date that is used with GrayFish.

The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system.

Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for victims is to trash their hard drive and start over with a new one.

The attack works because firmware was never designed with security in mind. Hard disk makers don’t cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive disk designs have authentication built in to check for signed firmware. This makes it possible for someone to change the firmware. And firmware is the perfect place to conceal malware because antivirus scanners don’t examine it. There’s also no easy way for users to read the firmware and manually check if it’s been altered.
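The paragraph above names the missing control: drive makers do not sign their firmware and the controller does not check a signature before flashing. The following is an added example, written for this page and not code from Kaspersky, the article, or any drive vendor, of what that check looks like in principle. The image layout (a "FWIM" magic, a length field, the body, then an Ed25519 signature over header and body) and the key pairs are constructed for the example; a real controller would carry the vendor's public key in ROM and refuse to flash anything that does not verify under it. The scenario shows a genuine image being accepted while a one-bit modification and an image signed with a different key are both rejected, which is exactly what would stop a flasher module from installing a Trojanized image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not any vendor's real format):
//   magic "FWIM" (4 bytes) | body length (4 bytes, big endian) | body | Ed25519 signature (64 bytes)
// The signature covers magic, length field and body, so neither the code nor the
// declared size can be changed without invalidating it.
var imageMagic = []byte("FWIM")

var (
	ErrMalformed    = errors.New("firmware image rejected: malformed header or length")
	ErrBadSignature = errors.New("firmware image rejected: signature does not verify under the vendor key")
)

// BuildImage models the vendor's release step: sign the image with the private key,
// which stays offline. The drive only ever needs the public half.
func BuildImage(priv ed25519.PrivateKey, body []byte) []byte {
	hdr := make([]byte, 8)
	copy(hdr, imageMagic)
	binary.BigEndian.PutUint32(hdr[4:], uint32(len(body)))
	signed := append(hdr, body...)
	sig := ed25519.Sign(priv, signed)
	return append(signed, sig...)
}

// VerifyImage models the check a controller should run before reflashing:
// parse the header, verify the signature over header+body with the vendor's
// public key, and hand back the body only if everything checks out.
func VerifyImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < 8+ed25519.SignatureSize || !bytes.Equal(img[:4], imageMagic) {
		return nil, ErrMalformed
	}
	bodyLen := int(binary.BigEndian.Uint32(img[4:8]))
	if bodyLen < 0 || 8+bodyLen+ed25519.SignatureSize != len(img) {
		return nil, ErrMalformed
	}
	signed := img[:8+bodyLen]
	sig := img[8+bodyLen:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrBadSignature
	}
	return signed[8:], nil
}

// Scenario exercises the three cases the controller must get right: a genuine
// vendor image is accepted, a one-bit modification of it is rejected, and an
// image signed with some other key (an attacker's own) is rejected.
func Scenario() (genuineAccepted, tamperedRejected, foreignRejected bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed stand-in for a firmware body.
	body := []byte("constructed firmware body: servo loop, read channel, SMART tables")
	genuine := BuildImage(vendorPriv, body)
	got, err := VerifyImage(vendorPub, genuine)
	genuineAccepted = err == nil && bytes.Equal(got, body)

	tampered := append([]byte(nil), genuine...)
	tampered[8+10] ^= 0x01 // flip one bit inside the body, as a reflash would change code
	_, err = VerifyImage(vendorPub, tampered)
	tamperedRejected = errors.Is(err, ErrBadSignature)

	foreign := BuildImage(otherPriv, body) // well-formed, but not the vendor's key
	_, err = VerifyImage(vendorPub, foreign)
	foreignRejected = errors.Is(err, ErrBadSignature)
	return
}

func main() {
	g, t, f := Scenario()
	fmt.Printf("genuine accepted: %v\ntampered rejected: %v\nforeign key rejected: %v\n", g, t, f)
}
```

The check only helps if the public key and the verify routine themselves live somewhere the flasher cannot rewrite (mask ROM or a one-time-programmable region); if the verifier is in the same rewritable flash as the firmware it is protecting, a first successful reflash removes it.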

The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba.

“You know how much effort it takes to land just one firmware for a hard drive? You need to know specifications, the CPU, the architecture of the firmware, how it works,” Raiu says. The Kaspersky researchers have called it “an astonishing technical accomplishment and is testament to the group’s abilities.”

Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive disk where the hard disk stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn’t get much play when the story broke last week, but it’s the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there’s still a lot that’s unknown about the attack, but some of it can be surmised.

The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal.

This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they’re unencrypted and save them to this hidden area on the machine that doesn’t get encrypted. There isn’t much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally as valuable to bypass encryption.

“Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu says.

Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls “customs opportunities,” and extract the password from this hidden area to unlock the encrypted disk.

Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications.

“[The owners] only use it in some very specific cases where there is no other way around it,” Raiu says. “Think about Bin Laden who lived in the desert in an isolated compound—doesn’t have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific.”

Raiu thinks, however, that the attackers have a grander scheme in mind. “In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs.”

They wouldn’t need the password if they could copy an entire directory from the operating system to the hidden sector for accessing later. But the flash chip where the firmware resides is too small for large amounts of data. So the attackers would need a bigger hidden space for storage. Luckily for them, it exists. There are large sectors in the service area of the hard drive disk that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved area or system area, stores the firmware and other data needed to operate drives, but it also contains large portions of unused space.

An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted “not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools.”

Berkman points out that one particular model of Western Digital drives has 141 MB reserved for the service area, but only uses 12 MB of this, leaving the rest free for stealth storage.

To write or copy data to the service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, “[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible,” Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail.

One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this sector but there’s only 80 MB, it’s a dead giveaway that something is there that shouldn’t be. But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem.

NSA Interns to the Rescue

The document (.pdf) is essentially a wish list of future spy capabilities the NSA hoped to develop for its so-called Persistence Division, a division that has an attack team within it that focuses on establishing and maintaining persistence on compromised machines by subverting their firmware, BIOS, BUS or drivers. The document lists a number of projects the NSA put together for interns to tackle on behalf of this attack team. Among them is the “Covert Storage” project for developing a hard drive firmware implant that can prevent covert storage on disks from being detected. To do this, the implant prevents the system from disclosing the true amount of free space available on the disk.

“The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes, say, half of its available space,” the document reads. “It would report this size back to the operating system and not provide any way to access the additional space.” Only one partition of the drive would be visible on the partition table, leaving the other partitions—where the hidden data was stored—invisible and inaccessible.

The modified firmware would have a special hook embedded in it that would unlock this hidden storage space only after a custom command was sent to the drive and the computer was rebooted. The hidden partition would then be available on the partition table and accessible until the secret storage was locked again with another custom command.
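Two of the giveaways described above are measurable from the defender's side: a service area whose used space has grown past what a pristine drive of that model needs (the "129 MB free but only 80 MB" case), and a drive that reports less capacity than the vendor documents for it (the "only recognizes half of its available space" case). The following is an added example, not code from the article, Kaspersky, or any vendor, of a fleet audit that compares inventory readings against a per-model baseline. The model name, serial numbers and firmware revisions are made up; the 141 MB reserved / 12 MB used figures are the article's own, and the 1 TB sector count is a typical value. The service-area usage figure is assumed to come from a vendor tool, since the article notes those areas are not reachable with standard tools; the capacity and firmware-revision checks need only what the drive reports to the host.

```go
package main

import "fmt"

// DriveObservation is what an inventory pass recorded for one drive.
// Every value below is constructed for this example.
type DriveObservation struct {
	Serial        string
	Model         string
	FirmwareRev   string
	ReportedLBAs  uint64 // sector count the drive reports to the host
	SectorBytes   uint64
	ServiceUsedMB uint64 // service-area usage read with a vendor tool; 0 when it could not be read
}

// DriveBaseline is the expected profile for one drive model: documented capacity,
// approved firmware revisions, and the service-area footprint of a pristine unit.
type DriveBaseline struct {
	ExpectedLBAs     uint64
	ApprovedFirmware map[string]bool
	ServiceAreaMB    uint64 // total reserved service area
	ServiceUsedMB    uint64 // what a known-good drive of this model uses
	SlackMB          uint64 // growth tolerated before raising a finding
}

// Finding is one anomaly on one drive.
type Finding struct {
	Serial string
	Rule   string
	Detail string
}

const mib = 1024 * 1024

// CheckDrive applies three checks: is the firmware revision one the vendor shipped,
// does the drive expose its full documented capacity, and has service-area usage
// grown beyond what a pristine drive of that model needs.
func CheckDrive(obs DriveObservation, bl DriveBaseline) []Finding {
	var out []Finding
	if !bl.ApprovedFirmware[obs.FirmwareRev] {
		out = append(out, Finding{obs.Serial, "unknown-firmware",
			fmt.Sprintf("revision %q is not in the approved list for %s", obs.FirmwareRev, obs.Model)})
	}
	if obs.ReportedLBAs < bl.ExpectedLBAs {
		missingMB := (bl.ExpectedLBAs - obs.ReportedLBAs) * obs.SectorBytes / mib
		out = append(out, Finding{obs.Serial, "capacity-shortfall",
			fmt.Sprintf("drive reports %d MB less than its documented capacity", missingMB)})
	}
	if obs.ServiceUsedMB > 0 && obs.ServiceUsedMB > bl.ServiceUsedMB+bl.SlackMB {
		freeMB := uint64(0)
		if obs.ServiceUsedMB < bl.ServiceAreaMB {
			freeMB = bl.ServiceAreaMB - obs.ServiceUsedMB
		}
		out = append(out, Finding{obs.Serial, "service-area-growth",
			fmt.Sprintf("service area uses %d MB against a %d MB baseline; %d MB of %d MB still free",
				obs.ServiceUsedMB, bl.ServiceUsedMB, freeMB, bl.ServiceAreaMB)})
	}
	return out
}

// Audit runs CheckDrive over a fleet and collects every finding.
func Audit(drives []DriveObservation, baselines map[string]DriveBaseline) []Finding {
	var all []Finding
	for _, d := range drives {
		bl, ok := baselines[d.Model]
		if !ok {
			all = append(all, Finding{d.Serial, "no-baseline", "model " + d.Model + " has no baseline"})
			continue
		}
		all = append(all, CheckDrive(d, bl)...)
	}
	return all
}

// SampleBaselines uses the article's service-area numbers (141 MB reserved, 12 MB used
// on a pristine drive) and a typical 1 TB sector count; model and revisions are made up.
func SampleBaselines() map[string]DriveBaseline {
	return map[string]DriveBaseline{
		"EXAMPLE-1TB": {
			ExpectedLBAs:     1953525168, // 512-byte sectors of a nominal 1 TB drive
			ApprovedFirmware: map[string]bool{"01.01A01": true, "01.01A02": true},
			ServiceAreaMB:    141,
			ServiceUsedMB:    12,
			SlackMB:          4,
		},
	}
}

// SampleObservations: a clean drive; a drive whose service area has grown so that only
// 80 MB of 141 MB remain free; and a drive on an unapproved revision exposing half its capacity.
func SampleObservations() []DriveObservation {
	return []DriveObservation{
		{"SN-CLEAN-0001", "EXAMPLE-1TB", "01.01A02", 1953525168, 512, 12},
		{"SN-STASH-0002", "EXAMPLE-1TB", "01.01A02", 1953525168, 512, 61},
		{"SN-HALF-0003", "EXAMPLE-1TB", "ZZ.99X00", 976762584, 512, 12},
	}
}

func main() {
	for _, f := range Audit(SampleObservations(), SampleBaselines()) {
		fmt.Printf("%s  %-22s %s\n", f.Serial, f.Rule, f.Detail)
	}
}
```

Both readings come from the drive itself, so firmware that has been modified to lie about them will not trip these checks; they catch the simpler cases the article describes and give an inventory-level signal worth pairing with the one thing the article says is decisive, replacing suspect drives rather than trying to clean them.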

How exactly the spy agency planned to retrieve the hidden data was unclear from the eight-year-old document. Also unclear is whether the interns ever produced a firmware implant that accomplished what the NSA sought. But given that the document includes a note that interns would be expected to produce a solution for their project within six months after assignment, and considering the proven ingenuity of the NSA in other matters, they no doubt figured it out.

Peter Myers