Ramblings of an old Doc


Yesterday, Kaspersky revealed (report in pdf form) yet another spy program. This time it appears that it was very well disguised in the hard drives (HDDs) of the top manufacturers (WD, Toshiba, Seagate, and more). It is an eavesdropper:

“The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.” – Huffpost


The way it was done was ingenious, and a breakthrough of sorts. It is hidden in the “firmware” that ships with the computer/hdd, so it re-infects the computer every time the machine is booted, much like BIOS-related malware. While many computers could be infected, active spying might only occur on a few high-value machines: “Kaspersky found only a few especially high-value computers with the hard-drive infections.” – Costin Raiu (Kaspersky lead researcher). He also said that the spyware authors had access to the source code of the OSs affected. That means it wasn’t just any old coder.

Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies.

It is not clear how the NSA may have obtained the hard drives' source code. Western Digital spokesman Steve Shattuck said the company "has not provided its source code to government agencies." The other hard drive makers would not say if they had shared their source code with the NSA.

Seagate spokesman Clive Over said it has "secure measures to prevent tampering or reverse engineering of its firmware and other technologies." Micron spokesman Daniel Francisco said the company took the security of its products seriously and "we are not aware of any instances of foreign code."

According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe.

"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code." – Huffpost

This (if you remember) is exactly what happened to Symantec in India: it was hoping to win the contract to secure India’s DoD computers, had its source code leaked, and faced a big rewrite job as a result.

So, where has this gem been found?


There was no attribution made, but the virus/Trojan is closely related to Stuxnet, Flame and DuQu.

That does not mean, however, that it belongs to the NSA or Israel, etc. Once Stuxnet et al. became known, top-flight coders could (theoretically, at least) adapt and use the same techniques: China (not very likely) or others (even though it appears to have a low infection rate in the US). It could be that criminal enterprises and/or nation states were simply testing it at the point it was discovered, although I think this less likely. In fact, only coders with the OS source code could have engineered this. That implies a serious spy apparatus and serious techniques.

Kaspersky has offered help in removing these spy programs.

So, Snowden and Kaspersky have become the bane of *certain people’s* existences. Just an idle question…how closely is Kaspersky associated with the FSB, I wonder? Could the “discovery” be part of a payback for sanctions? No proof, just some thoughts…because, with the discovery of these tools, there could well be an economic backlash against the US by China. Also, how does the effort towards cyber security by Washington and the alliance with Identify.me look in the face of this?

Sources:

http://www.huffingtonpost.com/2015/02/16/nsa-computer-spying_n_6694736.html

Additional links are in the above and at the Huffpost link.


Comments
on Feb 17, 2015

Remember that government surplus equipment you got at one of their sales? Those great hard drives for your system? Glad I never bought anything from them! This is absolutely ridiculous, and evidently the NSA is working with illegal manufacturing insiders! I really would hate to think manufacturers were aware of and allowing this.

on Feb 17, 2015

I suspect the manufacturers were required to disclose their firmware code in order to sell HDDs to certain departments of the government, whether they admit it or not. If I were the NSA, for instance, I'd want to know they were 'clean'. Legitimate need turned to illegitimate use. What else is new?

on Feb 19, 2015

Govt colluding with select corporations? Isn't that one definition of fascism?