
NSA spyware within hard drives survives military-grade disk wiping and formatting

(1) Russian Kaspersky researchers expose NSA spyware within hard drives
(2) NSA spyware within hard drives survives military-grade disk wiping
and formatting
(3) US IT companies lose sales over complicity in NSA spying
(4) NSA and GCHQ hack mobile phones
(5) UK surveillance tribunal finds GCHQ-NSA intelligence sharing unlawful
(6) Spooks can track a mobile phone by looking at battery power
(7) Smart TVs & phones listen in on users' personal conversations
(8) Energy companies need insurance cover for cyber attack 'time bomb'

(1) Russian Kaspersky researchers expose NSA spyware within hard drives

Russian researchers expose breakthrough U.S. spying program

By Joseph Menn

SAN FRANCISCO Mon Feb 16, 2015 5:10pm EST

NSA is infecting hard drives with difficult to detect spying software,
report says

JOSEPH MENN, REUTERS | February 17, 2015 | Last Updated: Feb 17 1:07 PM ET

The U.S. National Security Agency has figured out how to hide spying
software deep within hard drives made by Western Digital, Seagate,
Toshiba and other top manufacturers, giving the agency the means to
eavesdrop on the majority of the world’s computers, according to cyber
researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of
spying programs discovered by Kaspersky Lab, the Moscow-based security
software maker that has exposed a series of Western cyberespionage

Kaspersky said it found personal computers in 30 countries infected with
one or more of the spying programs, with the most infections seen in
Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria,
Yemen and Algeria. The targets included government and military
institutions, telecommunication companies, banks, energy companies,
nuclear researchers, media, and Islamic activists, Kaspersky said.

The firm declined to publicly name the country behind the spying
campaign, but said it was closely linked to Stuxnet, the NSA-led
cyberweapon that was used to attack Iran’s uranium enrichment facility.
The NSA is the U.S. agency responsible for gathering electronic

A former NSA employee told Reuters that Kaspersky’s analysis was
correct, and that people still in the spy agency valued these espionage
programs as highly as Stuxnet. Another former intelligence operative
confirmed that the NSA had developed the prized technique of concealing
spyware in hard drives, but said he did not know which spy efforts
relied on it.

NSA spokeswoman Vanee Vines said the agency was aware of the Kaspersky
report but would not comment on it publicly.

Kaspersky published the technical details of its research on Monday, a
move that could help infected institutions detect the spying programs,
some of which trace back as far as 2001.

The disclosure could hurt the NSA’s surveillance abilities, already
damaged by massive leaks by former contractor Edward Snowden. Snowden’s
revelations have upset some U.S. allies and slowed the sales of U.S.
technology products abroad.

The exposure of these new spying tools could lead to greater backlash
against Western technology, particularly in countries such as China,
which is already drafting regulations that would require most bank
technology suppliers to proffer copies of their software code for

Peter Swire, one of five members of U.S. President Barack Obama’s Review
Group on Intelligence and Communications Technology, said the Kaspersky
report showed that it is essential for the country to consider the
possible impact on trade and diplomatic relations before deciding to use
its knowledge of software flaws for intelligence gathering.

“There can be serious negative effects on other U.S. interests,” Swire said.

According to Kaspersky, the spies made a technological breakthrough by
figuring out how to lodge malicious software in the obscure code called
firmware that launches every time a computer is turned on.


Disk drive firmware is viewed by spies and cybersecurity experts as the
second-most valuable real estate on a PC for a hacker, second only to
the BIOS code invoked automatically as a computer boots up.

“The hardware will be able to infect the computer over and over,” lead
Kaspersky researcher Costin Raiu said in an interview.

Though the leaders of the still-active espionage campaign could have
taken control of thousands of PCs, giving them the ability to steal
files or eavesdrop on anything they wanted, the spies were selective and
only established full remote control over machines belonging to the most
desirable foreign targets, according to Raiu. He said Kaspersky found
only a few especially high-value computers with the hard-drive infections.

Kaspersky’s reconstructions of the spying programs show that they could
work in disk drives sold by more than a dozen companies, comprising
essentially the entire market. They include Western Digital Corp,
Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and
Samsung Electronics Co Ltd.

Western Digital, Seagate and Micron said they had no knowledge of these
spying programs. Toshiba and Samsung declined to comment. IBM did not
respond to requests for comment.

Raiu said the authors of the spying programs must have had access to the
proprietary source code that directs the actions of the hard drives.
That code can serve as a roadmap to vulnerabilities, allowing those who
study it to launch attacks much more easily.

“There is zero chance that someone could rewrite the [hard drive]
operating system using public information,” Raiu said.

Concerns about access to source code flared after a series of
high-profile cyberattacks on Google Inc and other U.S. companies in 2009
that were blamed on China. Investigators have said they found evidence
that the hackers gained access to source code from several big U.S. tech
and defense companies.

It is not clear how the NSA may have obtained the hard drives’ source
code. Western Digital spokesman Steve Shattuck said the company “has not
provided its source code to government agencies.” The other hard drive
makers would not say if they had shared their source code with the NSA.

Seagate spokesman Clive Over said it has “secure measures to prevent
tampering or reverse engineering of its firmware and other
technologies.” Micron spokesman Daniel Francisco said the company took
the security of its products seriously and “we are not aware of any
instances of foreign code.”

According to former intelligence operatives, the NSA has multiple ways
of obtaining source code from tech companies, including asking directly
and posing as a software developer. If a company wants to sell products
to the Pentagon or another sensitive U.S. agency, the government can
request a security audit to make sure the source code is safe.

“They don’t admit it, but they do say, ‘We’re going to do an evaluation,
we need the source code,’” said Vincent Liu, a partner at security
consulting firm Bishop Fox and former NSA analyst. “It’s usually the NSA
doing the evaluation, and it’s a pretty small leap to say they’re going
to keep that source code.”

The NSA declined to comment on any allegations in the Kaspersky report.
Vines said the agency complies with the law and White House directives
to protect the United States and its allies “from a wide array of
serious threats.”

Kaspersky called the authors of the spying program “the Equation group,”
named after their embrace of complex encryption formulas.

The group used a variety of means to spread other spying programs, such
as by compromising jihadist websites, infecting USB sticks and CDs, and
developing a self-spreading computer worm called Fanny, Kaspersky said.
Fanny was like Stuxnet in that it exploited two of the same undisclosed
software flaws, known as “zero days,” which strongly suggested
collaboration by the authors, Raiu said.

He added that it was “quite possible” that the Equation group used Fanny
to scout out targets for Stuxnet in Iran and spread the virus.

(Reporting by Joseph Menn; Editing by Tiffany Wu)

(2) NSA spyware within hard drives survives military-grade disk wiping
and formatting

How "omnipotent" hackers tied to NSA hid for 14 years--and were found at
last

"Equation Group" ran the most advanced hacking operation ever

by Dan Goodin - Feb 17, 2015 5:00am AEST

CANCUN, Mexico -- In 2009, one or more prestigious researchers received
a CD by mail that contained pictures and other materials from a recent
scientific conference they attended in Houston. The scientists didn't
know it then, but the disc also delivered a malicious payload developed
by a highly advanced hacking operation that had been active since at
least 2001. The CD, it seems, was tampered with on its way through the mail.

It wasn't the first time the operators--dubbed the "Equation Group" by
researchers from Moscow-based Kaspersky Lab--had secretly intercepted a
package in transit, booby-trapped its contents, and sent it to its
intended destination. In 2002 or 2003, Equation Group members did
something similar with an Oracle database installation CD in order to
infect a different target with malware from the group's extensive
library. (Kaspersky settled on the name Equation Group because of
members' strong affinity for encryption algorithms, advanced obfuscation
methods, and sophisticated techniques.)

Kaspersky researchers have documented 500 infections by Equation Group
in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan,
India, Syria, and Mali topping the list. Because of a self-destruct
mechanism built into the malware, the researchers suspect that this is
just a tiny percentage of the total; the actual number of victims likely
reaches into the tens of thousands.

A long list of almost superhuman technical feats illustrates Equation
Group's extraordinary skill, painstaking work, and unlimited resources.
They include:

     * The use of virtual file systems, a feature also found in the
highly sophisticated Regin malware. Recently published documents
provided by Ed Snowden indicate that the NSA used Regin to infect the
partly state-owned Belgian firm Belgacom.

     * The stashing of malicious files in multiple branches of an
infected computer's registry. By encrypting all malicious files and
storing them in multiple branches of a computer's Windows registry, the
infection was impossible to detect using antivirus software.

     * Redirects that sent iPhone users to unique exploit Web pages. In
addition, infected machines reporting to Equation Group command servers
identified themselves as Macs, an indication that the group successfully
compromised both iOS and OS X devices.

     * The use of more than 300 Internet domains and 100 servers to host
a sprawling command and control infrastructure.

     * USB stick-based reconnaissance malware to map air-gapped
networks, which are so sensitive that they aren't connected to the
Internet. Both Stuxnet and the related Flame malware platform also had
the ability to bridge airgaps.

     * An unusual if not truly novel way of bypassing code-signing
restrictions in modern versions of Windows, which require that all
third-party software interfacing with the operating system kernel be
digitally signed by a recognized certificate authority. To circumvent
this restriction, Equation Group malware exploited a known vulnerability
in an already signed driver for CloneCD to achieve kernel-level code

Taken together, the accomplishments led Kaspersky researchers to
conclude that Equation Group is probably the most sophisticated computer
attack group in the world, with technical skill and resources that rival
the groups that developed Stuxnet and the Flame espionage malware.

"It seems to me Equation Group are the ones with the coolest toys,"
Costin Raiu, director of Kaspersky Lab's global research and analysis
team, told Ars. "Every now and then they share them with the Stuxnet
group and the Flame group, but they are originally available only to the
Equation Group people. Equation Group are definitely the masters, and
they are giving the others, maybe, bread crumbs. From time to time they
are giving them some goodies to integrate into Stuxnet and Flame."

In an exhaustive report published Monday at the Kaspersky Security
Analyst Summit here, researchers stopped short of saying Equation Group
was the handiwork of the NSA--but they provided detailed evidence that
strongly implicates the US spy agency.

First is the group's known aptitude for conducting interdictions, such
as installing covert implant firmware in a Cisco Systems router as it
moved through the mail.

Second, a highly advanced keylogger in the Equation Group library refers
to itself as "Grok" in its source code. The reference seems eerily
similar to a line published last March in an Intercept article headlined
"How the NSA Plans to Infect 'Millions' of Computers with Malware." The
article, which was based on Snowden-leaked documents, discussed an
NSA-developed keylogger called Grok.

Third, other Equation Group source code makes reference to "STRAITACID"
and "STRAITSHOOTER." The code words bear a striking resemblance to
"STRAITBIZARRE," one of the most advanced malware platforms used by the
NSA's Tailored Access Operations unit. Besides sharing the
unconventional spelling "strait," Snowden-leaked documents note that
STRAITBIZARRE could be turned into a disposable "shooter." In addition,
the codename FOXACID belonged to the same NSA malware framework as the
Grok keylogger.

Apart from these shared code words, the Equation Group in 2008 used four
zero-day vulnerabilities--including two that were later incorporated
into Stuxnet.

The similarities don't stop there. Equation Group malware dubbed
GrayFish encrypted its payload with a 1,000-iteration hash of the target
machine's unique NTFS object ID. The technique makes it impossible for
researchers to access the final payload without possessing the raw disk
image for each individual infected machine. The technique closely
resembles one used to conceal a potentially potent warhead in Gauss, a
piece of highly advanced malware that shared strong technical
similarities with both Stuxnet and Flame. (Stuxnet, according to The New
York Times, was a joint operation between the NSA and Israel, while
Flame, according to The Washington Post, was devised by the NSA, the
CIA, and the Israeli military.)

Beyond the technical similarities to the Stuxnet and Flame developers,
Equation Group boasted the type of extraordinary engineering skill
people have come to expect from a spy organization sponsored by the
world's wealthiest nation. One of the Equation Group's malware
platforms, for instance, rewrote the hard-drive firmware of infected
computers--a never-before-seen engineering marvel that worked on 12
drive categories from manufacturers including Western Digital, Maxtor,
Samsung, IBM, Micron, Toshiba, and Seagate.

The malicious firmware created a secret storage vault that survived
military-grade disk wiping and reformatting, making sensitive data
stolen from victims available even after reformatting the drive and
reinstalling the operating system. The firmware also provided
programming interfaces that other code in Equation Group's sprawling
malware library could access. Once a hard drive was compromised, the
infection was impossible to detect or remove.

While it's simple for end users to re-flash their hard drives using
executable files provided by manufacturers, it's just about impossible
for an outsider to reverse engineer a hard drive, read the existing
firmware, and create malicious versions.

"This is an incredibly complicated thing that was achieved by these
guys, and they didn't do it for one kind of hard drive brand," Raiu
said. "It's very dangerous and bad because once a hard drive gets
infected with this malicious payload it's impossible for anyone,
especially an antivirus [provider], to scan inside that hard drive
firmware. It's simply not possible to do that."

One of the most intriguing elements of Equation Group is its suspected
use of interdiction to infect targets. Besides speaking to the group's
organization and advanced capabilities, such interceptions demonstrate
the lengths to which the group will go to infect people of interest. The
CD from the 2009 Houston conference--which Kaspersky declined to
identify, except to say it was related to science--tried to use the
autorun.inf mechanism in Windows to install malware dubbed
DoubleFantasy. Kaspersky knows that conference organizers did send
attendees a disc, and the company knows the identity of at least one
conference participant who received a maliciously modified one, but
company researchers provided few other details and don't know precisely
how the malicious content wound up on the disc.

"It would be very easy to trace the attack back to the organizers and
point them out, and this could in turn result in some very serious
diplomatic incidents," Raiu said. "Our best guess is that the organizers
didn't act in a malicious way against the participants, but [that] some
of the CD-ROMs on their way to the participants were intercepted and
replaced with the malicious variants."

Even less is known about a CD for installing Oracle 8i-8.1.7 for Windows
sent six or seven years earlier, except that it installed an early
Equation Group malware program known as EquationLaser. The conference
and Oracle CDs are the only Equation Group interdictions that Kaspersky
researchers have discovered. Given how little is known about the
interdictions, they weren't likely to have been used often.

A separate method of infection relied on a worm introduced in 2008 that
Kaspersky has dubbed Fanny, after a text string that appears in one of
the zero-day exploits used by the worm to self-replicate. The
then-unknown vulnerability resided in functions that process so-called
.LNK files Windows uses to display icons when a USB stick is connected
to a PC. By embedding malicious code inside the .LNK files, a
booby-trapped stick could automatically infect the connected computer
even when its autorun feature was turned off. The self-replication and
lack of any dependence on a network connection made the vulnerability
ideal for infecting air-gapped machines. (The .LNK vulnerability is
classified as CVE-2010-2568.)

Some two years after first playing its role in Fanny, the .LNK exploit
was added to a version of Stuxnet so that the worm could automatically
spread through highly sensitive computers in Iran. Fanny also relied on
an elevation-of-privilege vulnerability that was a zero day at the time
the worm was introduced. In 2009, the exploit also made its way into
Stuxnet, but by then, Microsoft had patched the underlying bug with the
release of MS09-025.

A far more common infection vector was Web-based attacks that exploited
vulnerabilities in Oracle's Java software framework or in Internet
Explorer. The exploits were hosted on a variety of websites related to
everything from reviews of technology products to discussions of Islamic
Jihad. In addition to planting exploits on the websites, the attack code
was also transmitted through ad networks. The wide range of exploit
carriers may explain why so many of the machines Kaspersky observed
reporting to its sinkholes were domain controllers, data warehouses,
website hosts, and other types of servers. Equation Group, it seems,
wasn't infecting only end user computers--it was also booby-trapping
servers known to be accessed by targeted end users.

Equation Group exploits are notable for the surgical precision exercised
to ensure that only an intended target was infected. One Equation
Group-written PHP script that Kaspersky unearthed, for instance, checked
if the MD5 hash of a website visitor's username was either
84b8026b3f5e6dcfb29e82e0b0b0f386 or e6d290a03b70cfa5d4451da444bdea39.
The plaintext corresponding to the first hash is "unregistered," an
indication that attackers didn't want to infect visitors who weren't
logged in. The second hash has yet to be deciphered. (Update: it has now
been cracked; see this brief.)

"We could not crack this MD5, despite using considerable power for
several weeks, which makes us believe [the plaintext username] is a
relatively complex one," Raiu said. "It definitely indicates that
whoever is behind this username should not be infected by the Equation
Group, [and] actually it shouldn't even see the exploit. I would assume
this is either one of the group members (a fake identity), one of their
partners, or a known identity of a previously infected victim."

The PHP script also took special care not to infect IP addresses based
in Jordan, Turkey, and Egypt. Kaspersky observed users visiting the site
who didn't meet any of these exceptions, yet they still weren't
attacked--an indication that an additional level of filtering spared all
but the most sought-after targets who visited the site.
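
The username check described above can be approached from the analyst's side: given digests lifted from a suspect script, identify the algorithm from the digest length and test candidate account names in several spellings. The following Python is an added example, not code from Kaspersky's report or the article; the wordlist, the spelling variants, the function names and the assumption of unsalted single-pass hashing are all illustrative.

```python
import hashlib
import string
import unicodedata

# Hex length -> algorithm. Assumption of this example: the script under
# analysis compares unsalted, single-pass digests.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# The two MD5 values the article quotes from the PHP script.
PAGE_MD5_TARGETS = [
    "84b8026b3f5e6dcfb29e82e0b0b0f386",
    "e6d290a03b70cfa5d4451da444bdea39",
]

# Constructed wordlist: default guest/anonymous account names an analyst
# might try first. Only "unregistered" comes from the article.
SAMPLE_WORDLIST = ["unregistered", "guest", "anonymous", "visitor"]


def classify(hex_digest):
    """Return the likely hash algorithm for a hex digest, or None."""
    value = hex_digest.strip().lower()
    if not value or any(c not in string.hexdigits for c in value):
        return None
    return ALGO_BY_HEX_LEN.get(len(value))


def hexdigest(algo, text):
    """Hash text as UTF-8 with the named algorithm."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def variants(word):
    """Yield spellings of one candidate, most literal first, without repeats."""
    seen = set()
    base = unicodedata.normalize("NFC", word.strip())
    for form in (base, base.lower(), base.capitalize(), base.upper(), base.title()):
        if form and form not in seen:
            seen.add(form)
            yield form


def recover(targets, wordlist):
    """Map each target digest to (algorithm, plaintext), or None if unresolved."""
    results = {}
    pending = {}  # algorithm -> {normalised digest: target string as supplied}
    for target in targets:
        results[target] = None
        algo = classify(target)
        if algo:
            pending.setdefault(algo, {})[target.strip().lower()] = target
    for word in wordlist:
        for candidate in variants(word):
            for algo, wanted in pending.items():
                hit = wanted.get(hexdigest(algo, candidate))
                if hit is not None and results[hit] is None:
                    results[hit] = (algo, candidate)
    return results


if __name__ == "__main__":
    for digest, found in recover(PAGE_MD5_TARGETS, SAMPLE_WORDLIST).items():
        print(digest, "->", found if found else "unresolved with this wordlist")
```

Hash comparison is exact, so a guest name stored with a capital letter and the same name in lower case produce unrelated digests, which is why each candidate is tried in several casings.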

More recently, Kaspersky has observed malicious links on the site
standardsandpraiserepurpose[.]com that looked like


where the h value (that is, the text following the "h=") appears to be
an SHA1 hash. Kaspersky has yet to crack those hashes, but company
researchers suspect they're being used to serve customized exploits to
specific people. The company is recruiting help from fellow white-hat
hackers in cracking them. Other hashes include:


The PHP exploit code also serves unique Web pages and HTML code to
people visiting with iPhones, behavior that Kaspersky found telling.

"This indicates the exploit server is probably aware of iPhone visitors
and can deliver exploits for them as well," Kaspersky's report published
Monday explained. "Otherwise, the exploitation URL can simply be removed
for these." The report also said one sinkholed server receives visits
from a large pool of China-based machines that identify themselves as
Macs in the browser user agent string. While Kaspersky has yet to obtain
Equation Group malware that runs on OS X, they believe it exists.

In all, Kaspersky has tied at least six distinct pieces of malware to
Equation Group. They include:

EquationLaser: an early implant in use from 2001 to 2004.

DoubleFantasy: a validator-style trojan designed to confirm if the
infected person is an intended target. People who are confirmed get
upgraded to either EquationDrug or GrayFish.

EquationDrug: also known as Equestre, this is a complex attack platform
that supports 35 different modules and 18 drivers. It is one of two
Equation Group malware platforms to re-flash hard drive firmware and use
virtual file systems to conceal malicious files and stolen data.

It was delivered only after a target had been infected with
DoubleFantasy and confirmed to be a target. It was introduced in 2002
and was phased out in 2013 in favor of the more advanced GrayFish.

GrayFish: the successor to EquationDrug and the most sophisticated of
all the Equation Group attack platforms. It resides completely in the
registry and relies on a bootkit to take hold each time a computer
starts. Whereas EquationDrug re-flashed hard drives for six models,
GrayFish re-flashed 12 classes of hard drives. GrayFish exploits a
vulnerability in the CloneCD driver ElbyCDIO.sys--and possibly drivers
of other programs--to bypass Windows code-signing requirements.

The VBR means Virtual Boot Record. It is a special area of the disk
that is responsible for loading the operating system. The Pill is an
injected piece of code ("blue pill", "red pill" - Matrix references)
that is responsible for hijacking the OS loading. It works by carefully
altering the loading mechanism to include malicious code that the OS
blindly "swallows."

The BBSVC service is another GRAYFISH mechanism used when the Pill
cannot be injected, for some unknown reason. It loads further stages of
Grayfish at the time the OS starts. In essence, it's a weaker mechanism
than the pill, because it exposes one single malicious executable on the
hard drive of the victims. This is why BBSVC is a polymorphic
executable, filled with gibberish and random data to make it hard to
detect. The platform kernel "fvexpy.sys" is one of the core components
of Grayfish. It is designed to run in Windows kernel mode and provide
functions for the platform components.

GrayFish is the crowning achievement of the Equation Group. The malware
platform is so complex that Kaspersky researchers still understand only
a fraction of its capabilities and inner workings. Key to the
sophistication of GrayFish is its bootkit, which allows it to take
extraordinarily granular control of the machines it infects.

"This allows it to control the launching of Windows at each stage,"
Kaspersky's written report explained. "In fact, after infection, the
computer is not run by itself anymore: it is GrayFish that runs it step
by step, making the necessary changes on the fly."

Fanny: A computer worm that exploited what in 2008 were two zero-day
vulnerabilities in Windows to self-replicate each time an infected USB
stick was inserted into a targeted computer. The main purpose of Fanny
was to conduct reconnaissance on sensitive air-gapped networks. After
infecting a computer not connected to the Internet, Fanny collected
network information and saved it to a hidden area of the USB drive. If
the stick was later plugged into an Internet-connected computer, it would upload
the data to attacker servers and download any attacker commands. If the
stick was later plugged into the air-gapped machine, the downloaded
commands would be executed. This process would continue each time the
stick was switched between air-gapped and Internet-connected machines.

No matter how elite a hacking group may be, Raiu said, mistakes are
inevitable. Equation Group made several errors that allowed Kaspersky
researchers to glean key insights into an operation that went unreported
for at least 14 years.

Kaspersky first came upon the Equation Group in March 2014, while
researching the Regin software that infected Belgacom and a variety of
other targets. In the process, company researchers analyzed a computer
located in the Middle East and dubbed the machine "Magnet of Threats"
because, in addition to Regin, it was infected by four other highly
advanced pieces of malware, including Turla, Careto/Mask, ItaDuke, and
Animal Farm. A never-before-seen sample of malware on the computer
piqued researchers' interest and turned out to be an EquationDrug module.

Following the discovery, Kaspersky researchers combed through their
cloud-based Kaspersky Security Network of exploits and infections
reported by AV users and looked for similarities and connections. In the
following months, the researchers uncovered additional pieces of malware
used by Equation Group as well as the domain names used to host command

Perhaps most costly to the attackers was their failure to renew some of
the domains used by these servers. Out of the 300 or so domains used,
about 20 were allowed to expire. Kaspersky quickly registered the
domains and, over the past ten months, has used them to "sinkhole" the
command channels, a process in which researchers monitor incoming
connections from Equation Group-infected machines.

One of the most severe renewal failures involved a channel that
controlled computers infected by "EquationLaser," an early malware
platform abandoned around 2003 when antivirus programs began to detect
it. The underlying domain name remained active for years until one day,
it didn't; Kaspersky acquired it and EquationLaser-infected machines
still report to it.

"It's really surprising to see there are victims around the world
infected with this malware from 12 years ago," Raiu said. He continues
to see about a dozen infected machines that report from countries that
include Russia, Iran, China, and India.

Raiu said 90 percent or more of the command and control servers were
closed last year, although some remained active as recently as last month.


The sinkholes have allowed Kaspersky researchers to gather key clues
about the operation, including the number of infected computers
reporting to the seized command domains, the countries in which these
compromised computers are likely located, and the types of operating
systems they run.

Another key piece of information gleaned by Kaspersky: some machines
infected by Equation Group are the "patients zero" that were used to
seed the Stuxnet worm so it would travel downstream and infect Iran's
Natanz facility.

"It is quite possible that the Equation Group malware was used to
deliver the Stuxnet payload," Kaspersky researchers wrote in their report.

Other key mistakes were variable names, developer account names, and
similar artifacts left in various pieces of Equation Group malware. In
the same way cat burglars wear gloves to conceal their fingerprints,
attackers take great care to scrub such artifacts out of their code
before releasing it. But in at least 13 cases, they failed. Possibly the
most telling artifact is the string "-standalonegrok_2.1.1.1" that
accompanies a highly advanced keylogger tied to Equation Group.

Another potentially damaging artifact found by Kaspersky is the Windows
directory path of "c:\users\rmgree5" belonging to one of the developer
accounts that compiled Equation Group malware. Assuming the rmgree5
wasn't a randomly generated account name, it may be possible to link it
to a developer's real-world identity if the handle has been used for
other accounts or if it corresponds to a developer's real-world name
such as "Richard Gree" or "Robert Greenberg."

Kaspersky researchers still don't know what to make of the 11 remaining
artifacts, but they hope fellow researchers can connect the strings to
other known actors or incidents. The remaining artifacts are:

     * SKYHOOKCHOW
     * prkMtx - unique mutex used by the Equation Group's exploitation
library ("PrivLib")
     * "SF" - as in "SFInstall", "SFConfig"
     * "UR", "URInstall" - "Performing UR-specific post-install..."
     * "implant" - from "Timeout waiting for the "canInstallNow" event
from the implant-specific EXE!"
     * (VTT/82055898/STEALTHFIGHTER/2008-10-16/14:59:06.229-04:00
     * DRINKPARSLEY - (Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00)
     * STRAITACID - (VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00)
     * (VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00)

Hacking without a budget

The money and time required to develop the Equation Group malware, the
technological breakthroughs the operation accomplished, and the
interdictions performed against targets leave little doubt that the
operation was sponsored by a nation-state with nearly unlimited
resources to dedicate to the project. The countries that were and
weren't targeted, the ties to Stuxnet and Flame, and the Grok artifact
found inside the Equation Group keylogger strongly support the theory
the NSA or a related US agency is the responsible party, but so far
Kaspersky has declined to name a culprit.

Update: Reuters reporter Joseph Menn said the hard-drive firmware
capability has been confirmed by two former government employees. He wrote:

     A former NSA employee told Reuters that Kaspersky's analysis was
correct, and that people still in the intelligence agency valued these
spying programs as highly as Stuxnet. Another former intelligence
operative confirmed that the NSA had developed the prized technique of
concealing spyware in hard drives, but said he did not know which spy
efforts relied on it.

Update: Several hours after this post went live, NSA officials e-mailed
the following statement to Ars:

     We are aware of the recently released report. We are not going to
comment publicly on any allegations that the report raises, or discuss
any details. On January 17, 2014, the President gave a detailed address
about our signals intelligence activities, and he also issued
Presidential Policy Directive 28 (PPD-28). As we have affirmed publicly
many times, we continue to abide by the commitments made in the
President's speech and PPD-28. The U.S. Government calls on our
intelligence agencies to protect the United States, its citizens, and
its allies from a wide array of serious threats - including terrorist
plots from al-Qaeda, ISIL, and others; the proliferation of weapons of
mass destruction; foreign aggression against ourselves and our allies;
and international criminal organizations.

What is safe to say is that the unearthing of the Equation Group is a
seminal finding in the fields of computer and national security, as
important, or possibly more so, than the revelations about Stuxnet.

"The discovery of the Equation Group is significant because this
omnipotent cyber espionage entity managed to stay under the radar for
almost 15 years, if not more," Raiu said. "Their incredible skills and
high tech abilities, such as infecting hard drive firmware on a dozen
different brands, are unique across all the actors we have seen and
second to none. As we discover more and more advanced threat actors, we
understand just how little we know. It also makes us reflect about how
many other things remain hidden or unknown."

(3) US IT companies lose sales over complicity in NSA spying

Revelations of N.S.A. Spying Cost U.S. Tech Companies


SAN FRANCISCO -- Microsoft has lost customers, including the government
of Brazil.

IBM is spending more than a billion dollars to build data centers
overseas to reassure foreign customers that their information is safe
from prying eyes in the United States government.

And tech companies abroad, from Europe to South America, say they are
gaining customers that are shunning United States providers, suspicious
because of the revelations by Edward J. Snowden that tied these
providers to the National Security Agency's vast surveillance program.

Even as Washington grapples with the diplomatic and political fallout of
Mr. Snowden's leaks, the more urgent issue, companies and analysts say,
is economic. Technology executives, including Mark Zuckerberg of
Facebook, raised the issue when they went to the White House on Friday
for a meeting with President Obama.

It is impossible to see now the full economic ramifications of the
spying disclosures -- in part because most companies are locked in
multiyear contracts -- but the pieces are beginning to add up as
businesses question the trustworthiness of American technology products.

The confirmation hearing last week for the new N.S.A. chief, the video
appearance of Mr. Snowden at a technology conference in Texas and the
drip of new details about government spying have kept attention focused
on an issue that many tech executives hoped would go away.

Despite the tech companies' assertions that they provide information on
their customers only when required under law -- and not knowingly
through a back door -- the perception that they enabled the spying
program has lingered.

"It's clear to every single tech company that this is affecting their
bottom line," said Daniel Castro, a senior analyst at the Information
Technology and Innovation Foundation, who predicted that the United
States cloud computing industry could lose $35 billion by 2016.

Forrester Research, a technology research firm, said the losses could be
as high as $180 billion, or 25 percent of industry revenue, based on the
size of the cloud computing, web hosting and outsourcing markets and the
worst case for damages.

The business effect of the disclosures about the N.S.A. is felt most in
the daily conversations between tech companies with products to pitch
and their wary customers. The topic of surveillance, which rarely came
up before, is now "the new normal" in these conversations, as one tech
company executive described it.

"We're hearing from customers, especially global enterprise customers,
that they care more than ever about where their content is stored and
how it is used and secured," said John E. Frank, deputy general counsel
at Microsoft, which has been publicizing that it allows customers to
store their data in Microsoft data centers in certain countries.

At the same time, Mr. Castro said, companies say they believe the
federal government is only making a bad situation worse.

"Most of the companies in this space are very frustrated because there
hasn't been any kind of response that's made it so they can go back to
their customers and say, 'See, this is what's different now, you can
trust us again,' " he said.

In some cases, that has meant forgoing potential revenue.

Though it is hard to quantify missed opportunities, American businesses
are being left off some requests for proposals from foreign customers
that previously would have included them, said James Staten, a cloud
computing analyst at Forrester who has read clients' requests for
proposals. There are German companies, Mr. Staten said, "explicitly not
inviting certain American companies to join."

He added, "It's like, 'Well, the very best vendor to do this is IBM, and
you didn't invite them.' "

The result has been a boon for foreign companies.

Runbox, a Norwegian email service that markets itself as an alternative
to American services like Gmail and says it does not comply with foreign
court orders seeking personal information, reported a 34 percent annual
increase in customers after news of the N.S.A. surveillance.

Brazil and the European Union, which had used American undersea cables
for intercontinental communication, last month decided to build their
own cables between Brazil and Portugal, and gave the contract to
Brazilian and Spanish companies. Brazil also announced plans to abandon
Microsoft Outlook for its own email system that uses Brazilian data centers.

Mark J. Barrenechea, chief executive of OpenText, Canada's largest
software company, said an anti-American attitude took root after the
passage of the Patriot Act, the counterterrorism law passed after 9/11
that expanded the government's surveillance powers.

But "the volume of the discussion has risen significantly post-Snowden,"
he said. For instance, after the N.S.A. surveillance was revealed, one
of OpenText's clients, a global steel manufacturer based in Britain,
demanded that its data not cross United States borders.

"Issues like privacy are more important than finding the cheapest
price," said Matthias Kunisch, a German software executive who spurned
United States cloud computing providers for Deutsche Telekom. "Because
of Snowden, our customers have the perception that American companies
have connections to the N.S.A."

Security analysts say that ultimately the fallout from Mr. Snowden's
revelations could mimic what happened to Huawei, the Chinese technology
and telecommunications company, which was forced to abandon major
acquisitions and contracts when American lawmakers claimed that the
company's products contained a backdoor for the People's Liberation Army
of China -- even though this claim was never definitively verified.

Silicon Valley companies have complained to government officials that
federal actions are hurting American technology businesses. But
companies fall silent when it comes to specifics about economic harm,
whether to avoid frightening shareholders or because it is too early to
produce concrete evidence.

"The companies need to keep the priority on the government to do
something about it, but they don't have the evidence to go to the
government and say billions of dollars are not coming to this country,"
Mr. Staten said.

Some American companies say the business hit has been minor at most.

John T. Chambers, the chief executive of Cisco Systems, said in an
interview that the N.S.A. disclosures had not affected Cisco's sales "in
a major way." Although deals in Europe and Asia have been slower to
close, he said, they are still being completed -- an experience echoed
by several other computing companies.

Still, the business blowback can be felt in other ways than lost customers.

Security analysts say tech companies have collectively spent millions
and possibly billions of dollars adding state-of-the-art encryption
features to consumer services, like Google search and Microsoft Outlook,
and to the cables that link data centers at Google, Yahoo and other

IBM said in January that it would spend $1.2 billion to build 15 new
data centers, including in London, Hong Kong and Sydney, Australia, to
lure foreign customers that are sensitive about the location of their
data. announced similar plans this month.

Germany and Brazil, where it was revealed that the N.S.A. spied on
government leaders, have been particularly adversarial toward American
companies and the government. Lawmakers, including in Germany, are
considering legislation that would make it costly or even technically
impossible for American tech companies to operate inside their borders.

Yet some government officials say laws like this could have a motive
other than protecting privacy. Shutting out American companies "means
more business for local companies," Richard A. Clarke, a former White
House counterterrorism adviser, said last month.

Contributing reporting were Quentin Hardy and Nicole Perlroth from San
Francisco, David E. Sanger from Washington, Mark Scott from London, Dan
Horch from São Paulo, Brazil, and Ian Austen from Ottawa.

A version of this article appears in print on March 22, 2014, on page A1
of the New York edition with the headline: N.S.A. Spying Imposing Cost
on Tech Firms.

(4) NSA and GCHQ hack mobile phones

Rights Groups Call for Action Over Reported US-UK Phone Hack

LONDON -- Feb 20, 2015, 1:55 PM ET

By SYLVIA HUI Associated Press

Rights organizations on Friday called for urgent steps to be taken to
protect private calls and online communications after allegations that
U.S. and British agencies hacked into the networks of a major SIM card

The World Wide Web Foundation, founded by Web inventor Tim Berners-Lee,
said the alleged hacking by the National Security Agency and its British
counterpart, GCHQ, was "another worrying sign that these agencies think
they are above the law."

The claims of the hack into Netherlands-based company Gemalto came from
documents given to journalists by whistleblower Edward Snowden. A story
about the documents posted Thursday on the website The Intercept said
the agencies hacked into Gemalto's networks to steal codes that allow
both governments to seamlessly eavesdrop on mobile phones worldwide.

In an email to The Associated Press on Friday, GCHQ said it does not
comment on intelligence matters. However, it said all of its work was
legal and its "interception regime" fully complies with the European
Convention on Human Rights.

Privacy International, which recently won an unprecedented court victory
against GCHQ in the wake of the Snowden revelations, said that the
electronic eavesdropping agency had lost its way.

"In stealing the SIM card encryption keys of millions of mobile phone
users they have shown there are few lines they aren't willing to cross,"
Privacy International Deputy Director Eric King said in a statement.

"Hacking into law-abiding companies, spying on their employees and
stealing their data should never be considered 'fair game,'" he added.
"Their actions have undermined the security of us all."

Yet hacking into law-abiding companies, and inducing foreigners to
commit treason by spilling secrets, are standard practices of spy
agencies throughout the world. The U.S. and Britain happen to be more
proficient than most. There is no international treaty laying out the
rules of espionage, cyber or otherwise.

The NSA hacks into companies in friendly nations for all sorts of
reasons, say former intelligence officials who declined to be quoted
discussing classified operations. The CIA, and its Russian, Chinese,
French and British counterparts, pay foreigners to supply information in
violation of the laws of their countries.

One question being raised by some of the Snowden leaks is whether the
public in the U.S. and Europe are willing to rein in their digital
spying services if it means rendering them less effective. Another
question is whether the benefits of a particular surveillance method are
worth the fallout in the event it is disclosed.

In Germany, opposition lawmakers have called for a parliamentary hearing
on the reported hacking. An aide to Green Party lawmaker Konstantin von
Notz said the hearing would likely take place Wednesday and could call
on witnesses from Germany's domestic and foreign intelligence agencies
to testify.

Germany is the only country that has launched a parliamentary inquiry
into the activities of the NSA and GCHQ in the wake of the Snowden

AP Intelligence Writer Ken Dilanian in Washington D.C. and Frank Jordans
in Berlin contributed to this report.

(5) UK surveillance tribunal finds GCHQ-NSA intelligence sharing unlawful

Date: Sun, 22 Feb 2015 23:18:48 +0000

Victory! UK surveillance tribunal finds GCHQ-NSA intelligence sharing

by Eric King

6 February 2015

Privacy International, Bytes for All and other human rights groups are
celebrating a major victory against the Five Eyes today as the UK
surveillance tribunal rules that GCHQ acted unlawfully in accessing
millions of private communications collected by the NSA up until
December 2014.

Today’s judgement represents a monumental leap forward in efforts to
make intelligence agencies such as GCHQ and NSA accountable to the
millions of individuals whose privacy they have violated.

The case was only possible thanks to NSA whistleblower Edward Snowden
whose leaked documents provided the facts needed to challenge the
long-standing intelligence sharing relationship. His greatest fear was
that "nothing would change." Today's success vindicates his admirable
acts and shows the power of public scrutiny and transparency of State

Numbers game

The receipt of unanalysed intercepted material from partners like NSA
makes up a huge percentage of the raw data that GCHQ crunches through.

Through their secret intelligence sharing relationship with the NSA,
GCHQ has had intermittently unrestricted access to PRISM - NSA's means
of directly accessing data and content handled by some of the world’s
largest Internet companies, including Microsoft, Yahoo, Google,
Facebook, PalTalk, AOL, Skype, YouTube and Apple.

GCHQ also has had access to the NSA’s mass surveillance programme
UPSTREAM, that exploits the US geographical position as the internet
and telecommunications switching center for the world and involves the
interception of fibre optic cables running through the country. Other
programmes part of UPSTREAM to which GCHQ has had access include
CO-TRAVELLER, which collects five billion locational records a day, and
DISHFIRE which harvests 194 million text messages daily. The top five
programmes within UPSTREAM created 160 billion interception records in
one month alone.

GCHQ’s access to NSA material therefore makes up the large bulk of all
surveillance material handled by the security services; some ex-GCHQ
staffers estimated that “95 per cent of all SIGINT [signals
intelligence material] handled at GCHQ is American”. Indeed, in his
witness statement to the Investigatory Powers Tribunal in May 2014,
Charles Farr attested that

     “The immense value of [GCHQ’s relationships with the NSA] for the
UK in part reflects the fact that the US intelligence agencies are far
larger and much better resourced than the Intelligence Services… In
simple terms, the US can provide the UK with intelligence that the UK
with its far more limited resources could not realistically obtain by

Historical illegality

But this has been going on for far longer than PRISM has been in
existence. For more than 60 years GCHQ has been receiving raw intercept
from NSA. Indeed, the original 1946 Five Eyes agreement (the UKUSA
agreement) stipulates that "all raw traffic shall continue to be
exchanged except in cases where one or the other party agrees to forgo
its copy."

The details of the modern day UKUSA arrangement remain secret, despite
legal attempts to obtain them, including FOI requests in all Five Eyes
countries and an ongoing legal challenge from Privacy International in
the European Court of Human Rights.

However, significant quantities of intelligence material are almost
certainly being shared between the parties. Indeed, in an essay by an
ex-NSA employee marked UNCLASSIFIED and approved for public release by
the NSA's office of Pre-Publication Review it was confirmed that:

     "If you are a citizen of the UK, Canada, New Zealand, or
Australia, you may also be glad, because everything the NSA collects is
by default shared with your government."

The extraordinary implication of today's judgement is that all
historical sharing of raw intelligence between NSA and GCHQ took place
without an adequate legal framework, and thus was unlawful.

The fight continues

The UK surveillance tribunal agreed with Privacy International that
intelligence sharing between the United States and the United Kingdom
was unlawful prior to December 2014, because the rules governing the
UK’s access to the NSA’s PRISM and UPSTREAM programmes were secret.

But the fight has to continue at the European Court of Human Rights. In
the coming weeks Privacy International will appeal the tribunal's
earlier decision that GCHQ’s access to NSA data was lawful from
December 2014 onward because secret policies governing the US-UK
intelligence relationship were made public during Privacy
International’s case against the security services.

It does not need to be this way. Our intelligence agencies do not need
to be run relying on secret interpretations of secret laws. With
independent reviews of RIPA already underway we hope this success
encourages the call for root and branch reform, to bring our
intelligence agencies under the rule of law once and for all.

(6) Spooks can track a mobile phone by looking at battery power

Hackers can track phone users' location by looking at power supply

Published time: February 21, 2015 16:02

Researchers have found out it is possible to track someone's mobile
phone by looking at how much battery has been used. The data does not
need the users' permission to be shared, while it can help track a phone
with up to 90 percent accuracy.

The research was carried out by a group of researchers at Stanford
University and the Israeli defense company Rafael. They created a
technique, which they have named PowerSpy, that can gather information
concerning the location of Android phones. It does this by simply
tracking how much power has been used over a certain time.

How much power is used depends on a number of factors. For example, the
further away the phone is from a transmitter, the more power is needed
to get a signal. Physical objects such as mountains or buildings also
have an impact on the amount of battery needed as these obstacles can
block the phone's signal, meaning there are temporary 'power drains' on
the devices.

"A sufficiently long power measurement (several minutes) enables the
learning algorithm to 'see' through the noise," the researchers said,
which was reported by Wired. "We show that measuring the phone's
aggregate power consumption over time completely reveals the phone's
location and movement."

However, there is a catch. The spying technique only works if the person
has traveled along that route before. It is also impossible to gain any
data if the hacker has not walked along the same routes previously.

The researchers gathered data from phones as they drove around the Bay
Area in California and the Israeli city of Haifa. They then compared the
data they had collected with an LG Nexus 4 cell phone. For each test
which was carried out, the team chose a different, unknown route. Wired
magazine reports that they were able to identify the correct one with 90
percent accuracy.

"If you take the same ride a couple of times, you'll see a very clear
signal profile and power profile," says Yan Michalevsky, one of the
researchers from Stanford. "We show that those similarities are enough
to recognize among several possible routes that you're taking this route
or that one, that you drove from Uptown to Downtown, for instance, and
not from Uptown to Queens," according to Wired.

The researchers also found out that phones with very few apps were
easier to track, as the power used was more consistent in comparison
to phones that had a number of apps, because those would use power
unpredictably.

What can users do to stop it? Basically, nothing aside from not using
the phone. With certain apps, such as Instagram or Facebook, the user is
asked whether they want to provide their current geo-location. However,
the data from the power supply on a phone is freely available.
Michalevsky says this is a problem that Google needs to address.

"You could install an application like Angry Birds that communicates
over the network but doesn't ask for any location permissions. It
gathers information and sends it back to me to track you in real time,
to understand what routes you've taken when you drove your car or to
know exactly where you are on the route. And it does it all just by
reading power consumption," Michalevsky concluded.

(7) Smart TVs & phones listen in on users' personal conversations

Samsung warns customers new Smart TVs 'listen in' on users' personal


By Nick Grimm

Updated Tue 10 Feb 2015, 12:59pm

Customers with Samsung's new Smart televisions are being warned that
what they say could be recorded and distributed to a third party.

The company is warning people as part of its privacy policy that
anything they say around their new television will be "among the data
captured and transmitted to a third party" because of a voice
recognition feature.

The policy advises customers to "please be aware that if your spoken
words include personal or other sensitive information, that information
will be among the data captured and transmitted to a third party through
your use of voice recognition."

Voice recognition technology is already used on most smartphones, but
what troubles some observers about smart household goods like
televisions is that customers may not always be aware when their new
gadget is listening in.

"I suppose the interesting difference between the televisions and the
phone example is when you're dictating into a phone you know exactly
what you're doing, whereas with a television you might just be sitting
around chatting to your friends and you're inadvertently activating this
voice command technology which will start recording what you're saying,"
Jake Goldenfein, from the centre for media and communications law at the
University of Melbourne, said.

Luke Hopewell, editor of online technology journal Gizmodo, said "big
brother" may not be actually listening to what we say just yet, but more
how we say it.

"When it says don't discuss personal information in front of your TV,
what it's actually saying is that identifiers of your voice are being
sent to third party services when you're using this television," he said.

"LG has a very similar clause in its terms and conditions as well."

Mr Hopewell said the third party sources are not so much keeping
recordings as keeping data points.

"Those data points mean what your voice inflection sounds like, which
words that you said," he said.

"For example, the Australian accent in particular is very difficult to

"Samsung work with people at Macquarie University to actually figure out
what people were saying before they could bring voice recognition to

Angus Kidman from website Lifehacker said voice recognition technology
looked for specific information.

"It's looking for you to say 'I want to watch this show' or 'I want to
watch this channel'. It's not hanging around going 'I want to grab your
credit card number'," he said.

Mr Kidman said data points needed to be sent to an online third party to
be analysed.

"It requires a lot of processing power so it's not going to happen in
your television; it's going to get sent online to be analysed," he said.

"That's why they have to tell you they're doing that."

He said consumers have a tendency to take the convenience of technology
without realising there is a trade-off.

"In order to make things simpler and easier for us using technology,
that often requires us to give up some personal information and we
haven't perhaps thought as hard as we should about the fact that we're
doing that," he said.

Mr Hopewell said it's "about getting a better quality of service, but it
really raises questions about what we're going to do in the smart home
in the future.

"This is the first time people have actually recognised that this might
be a problem if we start giving all our information over in our smart
home to third party services."

(8) Energy companies need insurance cover for cyber attack 'time bomb'


LONDON   Tue Apr 8, 2014 11:44am EDT

(Reuters) - Energy companies have no insurance against major cyber
attacks, reinsurance broker Willis said on Tuesday, likening the threat
to a "time bomb" that could cost the industry billions of dollars.

Willis highlighted the industry's vulnerability to cyber threats in its
annual review of the energy sector's insurance market, which called on
insurers to find a way to provide cover.

"A major energy catastrophe - on the same scale as ... Exxon Valdez or
Deepwater Horizon - could be caused by a cyber attack, and, crucially,
that cover for such a loss is generally not currently provided by the
energy insurance market," the insurance broker said.

Most insurance products currently available will cover minor things such
as data losses or downtime caused by IT issues, but not major events
like explosions at multiple facilities triggered remotely by hackers,
Willis said.

It said the lack of coverage stemmed from a clause included in most
energy sector insurance agreements over the past 10 years that
explicitly excludes loss or damage caused by software, viruses or other
malicious computer code.

"There can be little doubt that the removal of this exclusion would be
the most effective way for coverage to be provided to the energy
industry," it said.

But the exclusion clause has remained because cyber security is not
well-understood by the insurance industry, making it difficult to design
comprehensive products. Additionally, problems lie with how insurers
agree to cover damage to multiple plants or platforms caused by a single

The issue is attracting more attention after high-profile events
including Stuxnet - a virus that afflicted a uranium enrichment facility
in Iran - and Shamoon - a virus linked to cyber assaults on energy firms
in Saudi Arabia and Qatar in 2012.

Technology now allows entire oil and gas networks to be operated
remotely, but connecting that infrastructure via the internet has also
opened the door for hackers and computer viruses to target anything from
refineries to pipelines.

The effects of such attacks can range from viruses spreading across a
network of household smart electric meters to hackers triggering oil
spills or explosions.

Britain estimates that cyber security breaches cost UK energy firms
around 400 million pounds ($664 million) annually. The U.S. Department
of Homeland Security said over 40 percent of attacks on the United
States' critical infrastructure assets were aimed at the energy industry
in the year to September 2012.

Research firm ABI estimates that global cyber security spending by the
industry on critical oil and gas infrastructure will reach $1.87 billion
by 2018.

Willis also said companies are coming under pressure from
shareholders and the government to beef up cyber defenses, a trend that
could lead to the introduction of regulatory requirements aimed at
protecting key infrastructure.

"While many in the energy industry may not see regulation as the answer
to the problem of cyber-attacks, it remains a strong possibility that
energy companies will increasingly be accountable for demonstrating that
they have taken every possible step to counter this threat," it added.
($1 = 0.6020 British Pounds)

(Editing by Jane Merriman)

Peter Myers