A cyberespionage group using tools similar to those of U.S. intelligence agencies has infiltrated key institutions in countries including Russia and Iran, deploying a strikingly advanced form of malware that, once it has infected a PC, cannot be removed.
Kaspersky Lab released a report on Monday attributing these tools to a group it calls Equation; the report did not link the group to the U.S. National Security Agency.
The exploits, malware and tools used by this group, which is named for its fondness for encryption, closely resemble NSA techniques described in top-secret documents leaked in 2013.
The countries Equation has hit hardest include Russia, Iran, India, China, Afghanistan and Pakistan. Targets in those countries included telecommunications firms, embassies, military and government bodies, Islamic scholars and research institutions, Kaspersky Lab said.
The lab's most striking finding was Equation's ability to infect hard drives themselves, specifically the low-level firmware that sits between the hardware and the software above it.
The malware reprograms the hard drive's firmware, creating hidden sectors on the drive that can be accessed only through a secret API (application programming interface).
Once installed, the malware cannot be removed: reinstalling the operating system or formatting the disk does not affect it, and the hidden storage sectors remain in place.
Kaspersky Lab said this capability had been known to be possible in theory, but this is the only time an attacker has ever been seen with such an advanced capability in practice.
The Equation group, cyberspies using techniques similar to the NSA's, has struck targets in 30 countries with this never-before-seen hard-drive-infecting malware.
The report said Equation's knowledge of hard drives goes well beyond the documentation the vendors have released.
Equation knows sets of unique ATA commands that hard drive vendors use to program their products. Most ATA commands are public, but vendors also use undocumented ATA commands for certain functions such as error correction and internal storage.