
Attacks/Breaches

3/2/2015
06:10 PM

What You Need To Know About Nation-State Hacked Hard Drives

The nation-state Equation Group compromise of most popular hard drives won't be a widespread threat, but future disk security -- and forensic integrity -- remain unclear.

The recent discovery that a nation-state hacking group had fashioned its own tools to reprogram more than a dozen major vendors' hard drives such that it could harbor malware and store stolen information in them undetected has cast a shadow over the security and reliability of these disk drives.

Most security experts weren't shocked that a nation-state was messing with hard drive firmware -- hard drive attacks had been demonstrated by researchers over the past year, and it was only a matter of time before an in-the-wild attack was found. Even so, the so-called Equation Group's ability to wrest control of such a broad array of drive products was eye-opening, given the level of skill, time and financial resources such a feat required.

"The more telling part of the Kaspersky Lab report was that the hard drive malware supported a large number of hard drive vendors. That is a lot of work to set up and test and maintain," says HD Moore, chief research officer with Rapid7.

Kaspersky Lab last month announced that it had discovered a leading-edge nation-state group, which it dubbed the Equation Group, that among other things had built malware modules capable of reprogramming the firmware of hard drives from a dozen brands. Because the implant lives in the drive's firmware rather than on disk, it stays undetected by antivirus software and survives even when the drive is reformatted or the operating system is reinstalled. The attackers could also swap a drive sector with a malware-infected one, and use the drive to store stolen information, for example.

Vitaly Kamluk, director of the EEMEA Research Center at Kaspersky Lab, contends that it would take a skilled programmer months or years to successfully pull off this type of hack. "This is what makes this whole group gods among APT actors. We haven't seen anything close to this" before, Kamluk says. "You would have to get internal documents from the vendor," for instance.

So now that most major hard drive brands apparently have been compromised by the Equation Group -- which has not been officially identified by Kaspersky Lab but most experts say is most likely the NSA -- what next?

Big-name hard drive vendors for the most part have remained mum or vague about the Equation Group findings. Neither Hitachi nor Toshiba responded to press inquiries about the firmware hack. Meanwhile, a Seagate spokesperson told Dark Reading that the company "has no specific knowledge of any allegations regarding third-parties accessing our drives."

"Seagate is absolutely committed to ensuring the highest levels of security of the data belonging to our users. For over seven years Seagate has been shipping drives offering industry-leading levels of self encryption, while putting in place secure measures to prevent tampering or reverse engineering of its firmware and other technologies," he said.

Hard drive vendors indeed could enhance the security of their drives to thwart such attacks in the future. Many of the newest ARM processors come with secure boot mode support as well as digital signatures of both the boot loader and OS kernel, Rapid7's Moore says. "Securing the ARM chips on the drive controllers isn't impossible and there are ways to make rogue firmware installation harder," he says. "Granted, there is likely a way to bypass those just like all other 'secure' boot modes and it would make flashing and diagnostics more complicated, but they could certainly improve the security, all the same."

Secure boot adds a cryptographic check at each stage of the boot process: a stage verifies the signature of the code it is about to load before handing control to it, so modified or unsigned firmware is refused rather than run.
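To make the chain-of-trust idea concrete, here is an added toy model of a verified boot chain. It is not code from the article, Rapid7 or any drive vendor. A digest pinned in read-only ROM stands in for the vendor's public key and the signatures Moore describes (real secure boot uses asymmetric signatures, not bare hashes); the stage names and images are constructed. The model shows why an attacker cannot simply install a rogue kernel, and also cannot fix that by patching the loader to accept it, because the loader is itself anchored to the ROM pin.

```python
"""Toy verified-boot chain: each stage checks the next before running it.

Added illustration only. The ROM-pinned digest is a stand-in for a vendor
public key plus per-stage signatures; stage names and images are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Stage:
    name: str
    code: bytes                   # the stage's own image
    next_expected: Optional[str]  # digest this stage demands of the stage it loads


def image_bytes(stage: Stage) -> bytes:
    # The digest a stage will accept for its successor is part of the stage's
    # own image, so repointing a loader at rogue code changes the loader's
    # digest and is caught one level up the chain.
    return stage.code + b"|next=" + (stage.next_expected or "").encode()


def build_chain(images: List[Tuple[str, bytes]]) -> Tuple[str, List[Stage]]:
    """Build stages from the last one backwards; return (rom_pin, stages)."""
    stages: List[Stage] = []
    next_expected: Optional[str] = None
    for name, code in reversed(images):
        stage = Stage(name, code, next_expected)
        stages.insert(0, stage)
        next_expected = sha256(image_bytes(stage))
    rom_pin = next_expected  # digest of the first stage, burned into ROM at the factory
    return rom_pin, stages


def verified_boot(rom_pin: str, stages: List[Stage]) -> Tuple[bool, List[str]]:
    """Walk the chain; halt at the first stage whose digest is not the expected one."""
    log: List[str] = []
    expected = rom_pin
    for stage in stages:
        if sha256(image_bytes(stage)) != expected:
            log.append(f"HALT: {stage.name} failed verification")
            return False, log
        log.append(f"{stage.name} verified, executing")
        expected = stage.next_expected
    return True, log


def with_rogue_kernel(stages: List[Stage], rogue_code: bytes) -> List[Stage]:
    """Attacker replaces only the last stage's image (e.g. the kernel)."""
    new = list(stages)
    last = new[-1]
    new[-1] = Stage(last.name, rogue_code, last.next_expected)
    return new


def attacker_rebuilds_chain(images: List[Tuple[str, bytes]]) -> List[Stage]:
    """Attacker rebuilds every writable stage consistently; the ROM pin is out of reach."""
    _, rogue_stages = build_chain(images)
    return rogue_stages


if __name__ == "__main__":
    pin, chain = build_chain([("bootloader", b"LOADER v1"), ("kernel", b"KERNEL v1")])
    for label, candidate in [
        ("genuine", chain),
        ("rogue kernel", with_rogue_kernel(chain, b"KERNEL v1 + implant")),
        ("rogue kernel + repointed loader",
         attacker_rebuilds_chain([("bootloader", b"LOADER v1"), ("kernel", b"KERNEL v1 + implant")])),
    ]:
        ok, log = verified_boot(pin, candidate)
        print(f"{label}: {'BOOT OK' if ok else 'REFUSED'} -> {log}")
```

The third scenario is the one that matters for drive firmware: an attacker with write access to the flash can make the whole chain internally consistent, but the first stage is still compared against a digest they cannot change, so the boot halts at the loader.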

Still, the majority of organizations won't need to worry about their hard drives getting hacked this way, security experts say. While the Equation Group hard drive hack is alarming and sophisticated, it's not likely to become a widespread threat vector, but instead used in very limited and targeted attacks. "One of the reasons you're not going to see these kinds of attacks widespread is because they are very hardware-specific," Moore says. "That effort is too high for most [attackers] intent on causing harm. Most nation-states wouldn't want to go through that much effort," either, he says.

The actual number of victims of the hard drive hack discovered by Kaspersky researchers was small, and in one case that the researchers spotted, the attack began with an infected CD-ROM disk. A scientist who had attended a conference in Houston, Texas, in 2009, received a CD-ROM from conference organizers with pictures from the event; but the disk also harbored a Trojan that later spread to one of his hard drives.

"He made a copy on a backup hard drive. Our product detected and blocked it on the external hard drive," and it was something Kaspersky had not seen before, says Costin Raiu, head of Kaspersky's global research and analysis team, and one of the lead researchers on the Equation Group findings. The researchers were able to contact the scientist by tracking him down via his IP address, and he relayed the CD-ROM story. "It was [apparently] intercepted [by the Equation Group]… and then shipped to its final destination," Raiu says.

The key to stopping an undetectable hard drive hack is spotting the early stages of the attack, before the drive damage is done. "As amazing and covert as a lot of the Equation Group [hard drive attack] was, if you look at all of the stages, there were plenty of other components that were detectable and use the same techniques as other malware does, but people didn't piece it together," says Ryan Kazanciyan, technical director at Mandiant, a FireEye company. "Even the most covert malware has to get on the system and has to use lateral movement. Even the best actors aren't invincible."

Kazanciyan says companies need to reduce the attackers' "funnel of operation," forcing them to work harder and raising the chance of quicker discovery.

The big problem, of course, is that conventional wisdom always has been that a malware-infected machine can be cleaned up after you reboot and reformat the drive. "How many years have we been told that malware on the machine can be cleaned by formatting the hard drive?" says Dan Kaminsky, chief scientist with White Ops.

Kaminsky says it's no surprise intelligence agencies would abuse the functionality of a hard drive for their own purposes. "We've known there are secret places to store data … and secret commands," he says. "Hard drives have their own operating systems, interfaces, and other places to store information. In fact, there are many places in a computer to surreptitiously place malware."

But the hacked hard drive brands have left all types of organizations vulnerable, he says. "This is part of the ongoing global conversation of the proper role of intel," he says. "A lot of businesses and military establishments just got left wide open."

With hard drives potentially silently infected, incident response and evidence collection also could be compromised, notes Mike Davis, CTO at CounterTack. "Now you can no longer take a hard drive to court and say beyond a reasonable doubt" its content is intact, he says. "It puts a massive [monkey] wrench in IR and evidence collection."

The Best Defense

Aside from taking a hammer to the hard drive, there's not much you can do to clean up a drive that's infected this way. Kaminsky recommends separating storage and execution as a way to prevent such an attack: "Stored data should never be allowed to execute code," he says.

The problem, of course, is that anti-malware products don't scan hard drive firmware for malware. "As long as customers are not able to check the firmware, they have to focus on preventing reaching this stage," says security expert Boldizsar Bencsath at the Budapest University of Technology and Economics' Laboratory of Cryptography and Systems.

That means trying to stop the malware component from achieving the high level of user privileges that got the attackers so embedded and ultimately into the hard drives. And if a computer continues to get reinfected after reinstallation, that's a good clue something like a hard drive hack could be present, Bencsath says.
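Bencsath's clue, a machine that keeps turning up infected after a wipe and reinstall, is something an incident response team can look for in the data it already has. The following is an added example, not from the article or from any product, that correlates reinstall events with later detections on the same host and flags hosts that go through that cycle repeatedly. The event records and the field layout (timestamp, host, event type) are constructed sample data.

```python
"""Flag hosts detected as infected again shortly after a clean OS reinstall.

Added example; the event log below is constructed sample data and the
three-column layout (ISO timestamp, host, event) is an assumption, not any
product's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str]

# Constructed sample events. ws-017 is reinfected within a day of each of two
# reinstalls; ws-042 is detected again ten days after a reinstall (plausibly a
# fresh infection); ws-099 was reinstalled and stayed clean.
SAMPLE_EVENTS = """\
2015-02-10T09:12:00 ws-017 malware_detected
2015-02-10T15:40:00 ws-017 os_reinstall
2015-02-11T08:03:00 ws-017 malware_detected
2015-02-12T10:00:00 ws-017 os_reinstall
2015-02-13T07:55:00 ws-017 malware_detected
2015-02-10T11:00:00 ws-042 malware_detected
2015-02-10T16:30:00 ws-042 os_reinstall
2015-02-20T09:00:00 ws-042 malware_detected
2015-02-11T12:00:00 ws-099 os_reinstall
"""


def parse_events(text: str) -> List[Event]:
    """Parse 'timestamp host event' lines into a time-ordered list."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, event = line.split()
        events.append((datetime.fromisoformat(ts), host, event))
    return sorted(events)


def reinfection_cycles(events: List[Event], window_days: int = 3) -> Dict[str, List[Tuple[datetime, datetime]]]:
    """For each host, pair every reinstall with the first detection that follows it
    within the window. A detection long after a reinstall is not counted: the
    signal we want is malware that comes straight back on a freshly wiped box."""
    window = timedelta(days=window_days)
    by_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, event in events:
        by_host[host].append((ts, event))

    cycles: Dict[str, List[Tuple[datetime, datetime]]] = {}
    for host, items in by_host.items():
        pairs = []
        pending = None  # time of the most recent reinstall still awaiting a detection
        for ts, event in items:
            if event == "os_reinstall":
                pending = ts
            elif event == "malware_detected" and pending is not None:
                if ts - pending <= window:
                    pairs.append((pending, ts))
                pending = None
        if pairs:
            cycles[host] = pairs
    return cycles


def suspects(events: List[Event], min_cycles: int = 2, window_days: int = 3) -> List[str]:
    """Hosts that completed at least min_cycles reinstall-then-reinfected cycles."""
    cycles = reinfection_cycles(events, window_days)
    return sorted(host for host, pairs in cycles.items() if len(pairs) >= min_cycles)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, pairs in reinfection_cycles(evs).items():
        for reinstall, detect in pairs:
            print(f"{host}: reinstalled {reinstall:%Y-%m-%d %H:%M}, detected again {detect:%Y-%m-%d %H:%M}")
    print("investigate for below-OS persistence:", suspects(evs))
```

Two cycles in a short window is a much stronger signal than one, which is why the default requires repetition; the window and threshold are the knobs to tune against how quickly a given environment normally gets reinfected through ordinary means.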

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
3/5/2015 | 6:55:57 AM
Re: Infected conference materials
A few years ago at DEF CON, there was a scare that the conference proceedings disk given to the press was infected with malware. I can't remember the year, or how it all got resolved (I think it may have been a hoax/rumor), but I can tell you that several reporters opted to view preso slides on DEF CON's website after that. =)
Joe Stanganelli,
User Rank: Ninja
3/4/2015 | 11:39:58 PM
Re: Infected conference materials
You know air gaps aren't failsafe when the International Space Station gets infected by an astronaut's USB stick.  ;)  (As Kaspersky reported in late 2013.)
Joe Stanganelli,
User Rank: Ninja
3/4/2015 | 11:35:45 PM
Re: Infected conference materials
I remember, during a meeting with a manager at a client's bank, being stuck for a hard copy of a document that we needed. I asked if we could print it off of my personal USB stick. The banker was like, "Sure, absolutely."

Of course, it was an innocent request by an innocent actor, there was no malware involved, and everything went uneventfully. But it occurred to me: What if I had been a hacker? Or even an innocent person who unknowingly possessed an infected USB stick?

What bank security!
Whoopty,
User Rank: Ninja
3/3/2015 | 1:01:43 PM
Knock on effects
Although the security concerns people have may not be that valid, the worrying part for me is what this sort of news does to the confidence people have in US businesses. Despite already big impacts on services and sales within the tech industry, the security agencies continue to push for these pretty invasive tactics when it comes to worldwide snooping.

I don't know if the trade-off is going to be worth it. Not only do these schemes cost a lot to implement, but they're costing the American (and arguably the entire Western) tech economy too.
Dr.T,
User Rank: Ninja
3/3/2015 | 12:31:45 PM
Re: Infected conference materials
Agree. Not only hard disks or USB devices: a printer hacked in its firmware may give away a path to the cover network, same with CDs and other devices we have in the network such as switches. If you hacked the hard disk, you most likely hacked Cisco switches too.
Dr.T,
User Rank: Ninja
3/3/2015 | 12:27:01 PM
Re: Infected conference materials
I agree, let's not accept anything from anybody. :--)). Remember nothing is free. I do not think vendors have any incentive for having, unless somebody else forces them to do so.
Dr.T,
User Rank: Ninja
3/3/2015 | 12:24:57 PM
Re: Infected conference materials
I hear you. It is not only a USB device problem. Any device connected to any other device is a risk to the other, one way or another. They both need to be secure. If you have it at the firmware level, no need to talk about security from that point forward.
Dr.T,
User Rank: Ninja
3/3/2015 | 12:20:46 PM
Malware in the firmware
If malware is in the firmware then it is most likely embedded into those ROM devices where it is read only unless you touch the firmware and reprogram it. Malware in firmware is a good way of hacking a system :--))
Kelly Jackson Higgins,
User Rank: Strategist
3/3/2015 | 11:35:59 AM
Re: Infected conference materials
@aws0513, you hit on a key problem of the inherent challenge of taking technology away from users once the horse has left the barn. And even if you do airgap a system, there are still risks to it, such as an infected CD-ROM or USB.
aws0513,
User Rank: Ninja
3/3/2015 | 10:37:24 AM
Re: Infected conference materials
It is the classic "what is old is new again" scenario.

Moreover, the ubiquity of USB storage devices has made it very difficult to proactively mitigate USB storage device risks.

Even though it is a policy at my current employer to prohibit the use of personal USB devices, we get instances almost daily where someone attempts or asks to use one on company owned devices (classic scenario is a vendor/customer that insists that they provide their files on a USB device). 

We security-conscious pros see the problem, but even trained end users still do not comprehend or have concerns regarding USB storage risks. This is even after our training materials discuss the problem at length.

I compare it to smoking. For years, doctors have been telling people that smoking is bad, yet there is a large section of people that continue to smoke. Albeit USB devices do not have addictive chemicals, their utility is highly addictive.