What You Need To Know About Nation-State Hacked Hard Drives

The nation-state Equation Group compromise of most popular hard drives won't be a widespread threat, but future disk security -- and forensic integrity -- remain unclear.

The recent discovery that a nation-state hacking group had fashioned its own tools to reprogram the firmware of more than a dozen major vendors' hard drives, so that the drives could harbor malware and store stolen information undetected, has cast a shadow over the security and reliability of these disk drives.

Most security experts weren't shocked that a nation-state was messing with hard drive firmware--hard drive attacks had been demonstrated by researchers over the past year, and it was only a matter of time before an in-the-wild attack was found. Even so, the so-called Equation Group's ability to wrest control of such a broad array of drive products was eye-opening, given the level of skill, time and financial resources such a feat required. 

"The more telling part of the Kaspersky Lab report was that the hard drive malware supported a large number of hard drive vendors. That is a lot of work to set up and test and maintain," says HD Moore, chief research officer with Rapid7.

Kaspersky Lab last month announced that it had discovered a leading-edge nation-state group, which it dubbed the Equation Group. Among other things, the group had built malware modules that reprogram the firmware of hard drives from many brands, ensuring that the malware remains undetected by antivirus software and survives even a reformat of the drive or a reinstall of the operating system. The attackers could also swap a drive sector with a malware-infected one, and use the drive to store stolen information, for example.

Vitaly Kamluk, director of the EEMA Research center at Kaspersky Lab, contends that it would take a skilled programmer months or years to successfully pull off this type of hack. "This is what makes this whole group gods among APT actors. We haven't seen anything close to this" before, Kamluk says. "You would have to get internal documents from the vendor," for instance.

So now that most major hard drive brands apparently have been compromised by the Equation Group--which has not been officially identified by Kaspersky Lab but most experts say is most likely the NSA--what next?

Big-name hard drive vendors for the most part have remained mum or vague about the Equation Group findings. Neither Hitachi nor Toshiba responded to press inquiries about the firmware hack. Meanwhile, a Seagate spokesperson told Dark Reading that the company "has no specific knowledge of any allegations regarding third-parties accessing our drives."

"Seagate is absolutely committed to ensuring the highest levels of security of the data belonging to our users. For over seven years Seagate has been shipping drives offering industry-leading levels of self encryption, while putting in place secure measures to prevent tampering or reverse engineering of its firmware and other technologies," he said.

Hard drive vendors indeed could enhance the security of their drives to thwart such attacks in the future. Many of the newest ARM processors come with secure boot mode support as well as digital signatures of both the boot loader and OS kernel, Rapid7's Moore says. "Securing the ARM chips on the drive controllers isn't impossible and there are ways to make rogue firmware installation harder," he says. "Granted, there is likely a way to bypass those just like all other 'secure' boot modes and it would make flashing and diagnostics more complicated, but they could certainly improve the security, all the same."

Secure boot performs a cryptographic signature check at each stage of the boot process, so that firmware or code that fails the check is never executed; modified or unsigned drive firmware would be refused before it could run.
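To make that chain-of-trust idea concrete, here is an added example (not code from the article or from any drive vendor) that simulates a two-stage signed boot in Go: a root public key, standing in for a key fused into the controller's ROM, verifies the boot loader, and the key carried inside the verified loader then verifies the kernel. Ed25519 signatures, the stage layout and the image bytes are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link of a simulated boot chain (a constructed layout, not any vendor's format).
type Stage struct {
	Image   []byte
	NextPub ed25519.PublicKey // key that verifies the following stage; nil for the last one
	Sig     []byte            // signature over Image and NextPub by the key the previous stage trusts
}

func stageDigest(st Stage) []byte {
	d := sha256.Sum256(append(append([]byte(nil), st.Image...), st.NextPub...))
	return d[:]
}

// SignStage signs a stage with the private key whose public half the previous stage carries.
func SignStage(image []byte, next ed25519.PublicKey, priv ed25519.PrivateKey) Stage {
	st := Stage{Image: image, NextPub: next}
	st.Sig = ed25519.Sign(priv, stageDigest(st))
	return st
}

// VerifyChain checks stages in order and returns how many passed. Stage 0 is verified with rootPub
// (a key fused into ROM in a real design); each later stage with the key the prior stage carried.
func VerifyChain(rootPub ed25519.PublicKey, chain []Stage) (int, error) {
	key := rootPub
	for i, st := range chain {
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, stageDigest(st), st.Sig) {
			return i, fmt.Errorf("stage %d: signature check failed, halting boot", i)
		}
		key = st.NextPub
	}
	return len(chain), nil
}

// BuildDemoChain signs a loader and a kernel stage with fresh keys; images are constructed sample bytes.
func BuildDemoChain() (ed25519.PublicKey, []Stage) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	kernelPub, kernelPriv, _ := ed25519.GenerateKey(rand.Reader)
	return rootPub, []Stage{
		SignStage([]byte("constructed boot loader code"), kernelPub, rootPriv),
		SignStage([]byte("constructed OS kernel code"), nil, kernelPriv),
	}
}
```

Flipping a single byte of either image, or swapping the kernel key the loader carries, makes VerifyChain stop at that stage, which is the property that makes flashing rogue firmware harder.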

Still, the majority of organizations won't need to worry about their hard drives getting hacked this way, security experts say. While the Equation Group hard drive hack is alarming and sophisticated, it's not likely to become a widespread threat vector, but instead used in very limited and targeted attacks. "One of the reasons you're not going to see these kinds of attacks widespread is because they are very hardware-specific," Moore says. "That effort is too high for most [attackers] intent on causing harm. Most nation-states wouldn't want to go through that much effort," either, he says.

The actual number of victims of the hard drive hack discovered by Kaspersky researchers was small, and in one case that the researchers spotted, the attack began with an infected CD-ROM disk. A scientist who had attended a conference in Houston, Texas, in 2009, received a CD-ROM from conference organizers with pictures from the event; but the disk also harbored a Trojan that later spread to one of his hard drives.

"He made a copy on a backup hard drive. Our product detected and blocked it on the external hard drive, and it was something we had not yet seen before," says Costin Raiu, head of Kaspersky's global research and analysis team, and one of the lead researchers on the Equation Group findings. The researchers were able to contact the scientist by tracking him down via his IP address, and he relayed the CD-ROM story. "It was [apparently] intercepted [by the Equation Group]… and then shipped to its final destination," Raiu says.

The key to stopping an undetectable hard drive hack is spotting the early stages of the attack, before the drive damage is done. "As amazing and covert as a lot of the Equation Group [hard drive attack] was, if you look at all of the stages, there were plenty of other components that were detectable and use the same techniques as other malware does, but people didn't piece it together," says Ryan Kazanciyan, technical director at Mandiant, a FireEye company. "Even the most covert malware has to get on the system and has the use of lateral movement. Even the best actors aren't invincible."

Kazanciyan says companies need to narrow the attackers' "funnel of operation," forcing them to work harder and raising the chance of earlier discovery.

The big problem, of course, is that conventional wisdom always has been that a malware-infected machine can be cleaned up after you reboot and reformat the drive. "How many years have we been told that malware on the machine can be cleaned by formatting the hard drive?" says Dan Kaminsky, chief scientist with WhiteOps Security.

Kaminsky says it's no surprise intelligence agencies would abuse the functionality of a hard drive for their own purposes. "We've known there are secret places to store data … and secret commands," he says. "Hard drives have their own operating systems, interfaces, and other places to store information. In fact, there are many places in a computer to surreptitiously place malware."

But the hacked hard drive brands have left all types of organizations vulnerable, he says. "This is part of the ongoing global conversation of the proper role of intel," he says. "A lot of businesses and military establishments just got left wide open."

With hard drives potentially silently infected, incident response and evidence collection also could be compromised, notes Mike Davis, CTO at CounterTack. "Now you can no longer take a hard drive to court and say beyond a reasonable doubt" its content is intact, he says. "It puts a massive [monkey] wrench in IR and evidence collection."

The Best Defense

Aside from taking a hammer to the hard drive, there's not much you can do to clean up a drive that's infected this way. Kaminsky recommends separating storage and execution as a way to prevent such an attack: "Stored data should never be allowed to execute code," he says.

The problem, of course, is that anti-malware doesn't scan hard drive firmware for malware. "As long as customers are not able to check the firmware, they have to focus on preventing reaching this stage," says security expert Boldizsar Bencsath at the Budapest University of Technology and Economics' Laboratory of Cryptography and Systems.

That means trying to stop the malware component from achieving the high level of user privileges that got the attackers so embedded and ultimately into the hard drives. And if a computer continues to get reinfected after reinstallation, that's a good clue something like a hard drive hack could be present, Bencsath says.
