
Attacks/Breaches

3/2/2015, 06:10 PM

What You Need To Know About Nation-State Hacked Hard Drives

The nation-state Equation Group compromise of most popular hard drives won't be a widespread threat, but future disk security -- and forensic integrity -- remain unclear.

The recent discovery that a nation-state hacking group had fashioned its own tools to reprogram more than a dozen major vendors' hard drives such that it could harbor malware and store stolen information in them undetected has cast a shadow over the security and reliability of these disk drives.

Most security experts weren't shocked that a nation-state was messing with hard drive firmware--hard drive attacks had been demonstrated by researchers over the past year, and it was only a matter of time before an in-the-wild attack was found. Even so, the so-called Equation Group's ability to wrest control of such a broad array of drive products was eye-opening, given the level of skill, time and financial resources such a feat required. 

"The more telling part of the Kaspersky Lab report was that the hard drive malware supported a large number of hard drive vendors. That is a lot of work to set up and test and maintain," says HD Moore, chief research officer with Rapid7.

Kaspersky Lab last month announced that it had discovered a leading-edge nation-state group, which it dubbed the Equation Group, that among other things had built malware modules that can reprogram hard drive brands, ensuring that the malware remains undetected by antivirus software and that even if a hard drive is reformatted or the operating system is reinstalled, the malware can't be eradicated. The attackers could also swap one drive sector with a malware-infected one, and use the drive to store stolen information, for example.

Vitaly Kamluk, director of the EEMA Research center at Kaspersky Lab, contends that it would take a skilled programmer months or years to successfully pull off this type of hack. "This is what makes this whole group gods among APT actors. We haven't seen anything close to this" before, Kamluk says. "You would have to get internal documents from the vendor," for instance.

So now that most major hard drive brands apparently have been compromised by the Equation Group-- which has not been officially identified by Kaspersky Lab but most experts say is most likely the NSA--what next?

Big-name hard drive vendors for the most part have remained mum or vague about the Equation Group findings. Neither Hitachi nor Toshiba responded to press inquiries about the firmware hack. Meanwhile, a Seagate spokesperson told Dark Reading that the company "has no specific knowledge of any allegations regarding third-parties accessing our drives."

"Seagate is absolutely committed to ensuring the highest levels of security of the data belonging to our users. For over seven years Seagate has been shipping drives offering industry-leading levels of self encryption, while putting in place secure measures to prevent tampering or reverse engineering of its firmware and other technologies," he said.

Hard drive vendors indeed could enhance the security of their drives to thwart such attacks in the future. Many of the newest ARM processors come with secure boot mode support as well as digital signatures of both the boot loader and OS kernel, Rapid7's Moore says. "Securing the ARM chips on the drive controllers isn't impossible and there are ways to make rogue firmware installation harder," he says. "Granted, there is likely a way to bypass those just like all other 'secure' boot modes and it would make flashing and diagnostics more complicated, but they could certainly improve the security, all the same."

A secure boot basically includes cryptographic checks in each stage of the boot process, which would prevent malware from running during that process.
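As an added illustration of the staged cryptographic checks just described, the following Go program models a two-stage boot chain of the kind Moore is talking about. It is example code written for this page, not code from Rapid7, Kaspersky Lab or any drive vendor: a root public key, assumed to live in the controller's ROM, verifies the bootloader image, and the key carried inside the signed bootloader verifies the firmware kernel. The stage layout, stage names and image bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Stage is one image in the boot chain (bootloader, then the drive's firmware
// kernel) plus the signature the previous stage checks before handing over.
// Hypothetical layout for this example, not any vendor's real image format.
type Stage struct {
	Name      string
	Image     []byte
	NextKey   ed25519.PublicKey // key trusted for the following stage; nil for the last stage
	Signature []byte            // ed25519 signature over signedBytes(Image, NextKey)
}

// signedBytes is what a stage's signature covers. The next-stage key is part
// of it, so replacing that key breaks the signature of the stage carrying it.
func signedBytes(image []byte, nextKey ed25519.PublicKey) []byte {
	msg := make([]byte, 0, len(image)+len(nextKey))
	msg = append(msg, image...)
	return append(msg, nextKey...)
}

// SignStage produces a stage signed by the key the previous stage (or the ROM) trusts.
func SignStage(priv ed25519.PrivateKey, name string, image []byte, nextKey ed25519.PublicKey) Stage {
	return Stage{
		Name:      name,
		Image:     image,
		NextKey:   nextKey,
		Signature: ed25519.Sign(priv, signedBytes(image, nextKey)),
	}
}

// VerifyChain walks the stages in boot order. rootKey stands in for the public
// key a controller would hold in ROM/OTP; each verified stage then supplies the
// key for the next one. Any failure stops the boot before the image would run.
func VerifyChain(rootKey ed25519.PublicKey, stages []Stage) error {
	key := rootKey
	for i, st := range stages {
		if len(key) != ed25519.PublicKeySize {
			return fmt.Errorf("stage %d (%s): no valid verification key", i, st.Name)
		}
		if !ed25519.Verify(key, signedBytes(st.Image, st.NextKey), st.Signature) {
			return fmt.Errorf("stage %d (%s): signature check failed, refusing to run image", i, st.Name)
		}
		// Trusted only because it was covered by the signature just checked.
		key = st.NextKey
	}
	return nil
}

// DemoChain builds a two-stage chain with freshly generated keys. The image
// bytes are constructed placeholders for real bootloader and firmware binaries.
func DemoChain() (ed25519.PublicKey, []Stage, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	fwPub, fwPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	stages := []Stage{
		SignStage(rootPriv, "bootloader", []byte("constructed bootloader image v1"), fwPub),
		SignStage(fwPriv, "firmware-kernel", []byte("constructed firmware kernel image v1"), nil),
	}
	return rootPub, stages, nil
}

func main() {
	root, stages, err := DemoChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("pristine chain:", VerifyChain(root, stages))
	stages[1].Image[0] ^= 0xff // simulate a reflashed firmware kernel
	fmt.Println("tampered kernel:", VerifyChain(root, stages))
}
```

The point of covering the next-stage key with the previous stage's signature is that an attacker who reflashes the kernel cannot simply plant their own verification key alongside it; the bootloader signature that carries the key would no longer verify against the ROM key. Moore's caveat still applies: the chain is only as strong as the root key's protection and the controller's refusal to run unverified code.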

Still, the majority of organizations won't need to worry about their hard drives getting hacked this way, security experts say. While the Equation Group hard drive hack is alarming and sophisticated, it's not likely to become a widespread threat vector, but instead used in very limited and targeted attacks. "One of the reasons you're not going to see these kinds of attacks widespread is because they are very hardware-specific," Moore says. "That effort is too high for most [attackers] intent on causing harm. Most nation-states wouldn't want to go through that much effort," either, he says.

The actual number of victims of the hard drive hack discovered by Kaspersky researchers was small, and in one case that the researchers spotted, the attack began with an infected CD-ROM disk. A scientist who had attended a conference in Houston, Texas, in 2009, received a CD-ROM from conference organizers with pictures from the event; but the disk also harbored a Trojan that later spread to one of his hard drives.

"He made a copy on a backup hard drive. Our product detected and blocked it on the external hard drive," and it was something "we had not yet seen before," says Costin Raiu, head of Kaspersky's global research and analysis team, and one of the lead researchers on the Equation Group findings. The researchers were able to contact the scientist by tracking him down via his IP address, and he relayed the CD-ROM story. "It was [apparently] intercepted [by the Equation Group]… and then shipped to its final destination," Raiu says.

The key to stopping an undetectable hard drive hack is spotting the early stages of the attack, before the drive damage is done. "As amazing and covert as a lot of the Equation Group [hard drive attack] was, if you look at all of the stages, there were plenty of other components that were detectable and use the same techniques as other malware does, but people didn't piece it together," says Ryan Kazanciyan, technical director at Mandiant, a FireEye company. "Even the most covert malware has to get on the system and has the use of lateral movement. Even the best actors aren't invincible."

Kazanciyan says companies need to reduce the attackers' "funnel of operation," making them work harder and raising the chance of quicker discovery.

The big problem, of course, is that conventional wisdom always has been that a malware-infected machine can be cleaned up after you reboot and reformat the drive. "How many years have we been told that malware on the machine can be cleaned by formatting the hard drive?" says Dan Kaminsky, chief scientist with WhiteOps Security.

Kaminsky says it's no surprise intelligence agencies would abuse the functionality of a hard drive for their own purposes. "We've known there are secret places to store data … and secret commands," he says. "Hard drives have their own operating systems, interfaces, and other places to store information. In fact, there are many places in a computer to surreptitiously place malware."

But the hacked hard drive brands have left all types of organizations vulnerable, he says. "This is part of the ongoing global conversation of the proper role of intel," he says. "A lot of businesses and military establishments just got left wide open."

With hard drives potentially silently infected, incident response and evidence collection also could be compromised, notes Mike Davis, CTO at CounterTack. "Now you can no longer take a hard drive to court and say beyond a reasonable doubt" its content is intact, he says. "It puts a massive [monkey] wrench in IR and evidence collection."

The Best Defense

Aside from taking a hammer to the hard drive, there's not much you can do to clean up a drive that's infected this way. Kaminsky recommends separating storage and execution as a way to prevent such an attack: "Stored data should never be allowed to execute code," he says.

The problem, of course, is that anti-malware products don't scan hard drive firmware for malware. "As long as customers are not able to check the firmware, they have to focus on preventing reaching this stage," says security expert Boldizsar Bencsath at the Budapest University of Technology and Economics' Laboratory of Cryptography and Systems.

That means trying to stop the malware component from achieving the high level of user privileges that got the attackers so embedded and ultimately into the hard drives. And if a computer continues to get reinfected after reinstallation, that's a good clue something like a hard drive hack could be present, Bencsath says.
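Bencsath's clue, a machine that keeps turning up infected after it has been wiped and reinstalled, is something a security team can look for in the logs it already has. The following Go program is an added example written for this page, not a tool from Kaspersky Lab, Mandiant or any other party named above: it parses a constructed host log of reimage and malware-detection events and flags hosts that were found infected again after a rebuild. The log format, hostnames and the threshold value are all made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed line of the host log. The format is constructed for
// this example: "<RFC3339 timestamp> <hostname> <reimage|malware_detected>".
type Event struct {
	Time time.Time
	Host string
	Kind string
}

// SampleLog is a constructed log: ws-lab-07 keeps coming back infected after
// each rebuild, while ws-fin-02 was rebuilt once and stayed clean.
const SampleLog = `2015-02-02T09:00:00Z ws-lab-07 malware_detected
2015-02-03T10:00:00Z ws-lab-07 reimage
2015-02-10T08:30:00Z ws-lab-07 malware_detected
2015-02-11T12:00:00Z ws-lab-07 reimage
2015-02-20T07:45:00Z ws-lab-07 malware_detected
2015-02-05T09:00:00Z ws-fin-02 malware_detected
2015-02-06T09:00:00Z ws-fin-02 reimage
`

// ParseLog turns the text log into events, rejecting malformed lines rather
// than silently skipping them.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", n, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		if f[2] != "reimage" && f[2] != "malware_detected" {
			return nil, fmt.Errorf("line %d: unknown event %q", n, f[2])
		}
		events = append(events, Event{Time: ts, Host: f[1], Kind: f[2]})
	}
	return events, sc.Err()
}

// ReinfectedHosts counts, per host, detections that occurred after at least one
// reimage and returns only hosts reaching minReinfections. The threshold is a
// hypothetical tuning knob for this example, not a published detection rule.
func ReinfectedHosts(events []Event, minReinfections int) map[string]int {
	byHost := map[string][]Event{}
	for _, e := range events {
		byHost[e.Host] = append(byHost[e.Host], e)
	}
	flagged := map[string]int{}
	for host, evs := range byHost {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		reimages, reinfections := 0, 0
		for _, e := range evs {
			switch e.Kind {
			case "reimage":
				reimages++
			case "malware_detected":
				if reimages > 0 {
					reinfections++
				}
			}
		}
		if reinfections >= minReinfections {
			flagged[host] = reinfections
		}
	}
	return flagged
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for host, n := range ReinfectedHosts(events, 2) {
		fmt.Printf("%s: infected again %d times after a reimage; check for persistence below the OS\n", host, n)
	}
}
```

A hit from this rule is not proof of a firmware implant; a re-exposed network share or a reinstalled compromised application explains most repeat infections. What it does give an incident responder is a short list of machines where, as Bencsath puts it, the usual clean-up has stopped working and something below the operating system deserves a closer look.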

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins, User Rank: Strategist
3/3/2015 | 7:04:50 AM
Re: Infected conference materials
Seriously! It's kind of the oldest trick in the book (of course, 6 years ago, it was a relatively new trick).

Joe Stanganelli, User Rank: Ninja
3/3/2015 | 5:45:45 AM
Infected conference materials
Stories like these make me paranoid to ever again accept a flash drive from a vendor at a conference!