Kaspersky Lab says NSA hacked all manufacturers firmware...

February 16th, 2015, 16:43

http://www.reuters.com/article/2015/02/ ... ce=twitter

further reading here:
http://25zbkz3k00wn2tp5092n6di7b5k.wpen ... nswers.pdf

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 16th, 2015, 17:01

Section 10 of the second link may be most interesting for HDD gurus.

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 17th, 2015, 8:22

Interesting read, well posted.

Orwell was indeed an optimist :)

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 17th, 2015, 9:46

Reading this, you realise how screwed the general population is.

For the few that would even bother to listen to someone describe what is in play and the tools.. only about 1/2 would even believe it. The other half.. well what are those 3 people going to do? These "Internet weapons" are incredible

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 17th, 2015, 13:38

Well, that certainly explains why the number of modules in new WD drives has shot up so quickly and we still don't know what half of them are.

They had to hide their remote access software somewhere. :D

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 17th, 2015, 16:33

They need to infect a computer with a virus to start getting info from it. But why do they need to hack the HDD if they already have total control over the computer? To bypass the drive's hardware encryption?

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 17th, 2015, 16:59

Hacking HDD firmware is pretty simple....

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 17th, 2015, 17:05

Alt(R-TT) wrote: They need to infect a computer with a virus to start getting info from it. But why do they need to hack the HDD if they already have total control over the computer? To bypass the drive's hardware encryption?


So that even after a full OS reinstall or reformat of the hard drive, the virus still remains. The only solution when infected would be a completely new hard drive.

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 17th, 2015, 17:16

guru wrote: Hacking HDD firmware is pretty simple....

Hard disk hacking:
http://spritesmods.com/?art=hddhack

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 17th, 2015, 17:32

They did it for persistence as previously mentioned, and also to evade standard detections. This also bypasses a lot of standard AV and anti-malware mitigations, and if undetected can be a workhorse for them for years.

@guru .. they didn't just hack HDDs, they wrote a complete mass pwnage suite that has spanned a decade and is virtually for the most part undetectable except for researchers with the time and backing to hunt them down and autopsy them.

It's the difference between being able to drive a car and creating a Formula 1 team that wins for 10 years straight.

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 18th, 2015, 4:34

Custom firmware-level interactions with data aren't something totally exclusive.
Namco develops custom HDD firmware for their game machines. When you try to connect the hard drive from such a machine to a computer and create a sector-by-sector copy of it, the firmware wipes the header of the encrypted LUKS partition, so nobody will be able to run the game again.

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 18th, 2015, 10:30

I'm just trying to point out that hacking and patching HDD firmware is not as hard as "Kaspersky" says it is.

If you are high up in the chain of command within government expect your toaster/oven/fridge/dishwasher/PVR/DVR/HIFI/Barbie(or Ken)/pet dog or cat to be monitoring your every move!

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 18th, 2015, 11:23

guru wrote: I'm just trying to point out that hacking and patching HDD firmware is not as hard as "Kaspersky" says it is.

If you are high up in the chain of command within government expect your toaster/oven/fridge/dishwasher/PVR/DVR/HIFI/Barbie(or Ken)/pet dog or cat to be monitoring your every move!


I am not sure I read that they said it was hard, but I agree with you it isn't rocket science. We have all probably disassembled code, used debuggers and played with embedded systems. There probably is enough information in the public domain to get something working.

The bit that would be harder is to develop the whole suite, getting all the moving parts working as you want, keeping it as undetectable as possible, making sure the self-destructs work properly, working with files that are not files, getting it deployed to the vast infrastructure, monitoring it and acting on what is collected etc..

So I agree with your point, it isn't THAT hard, but to focus on the HDD hacking only is a mistake in my opinion.

I am willing to bet though, if one of us were to try to mirror the HDD hacking alone, with as far a reach as what "they" did.. well there are quite a few damn long nights

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 18th, 2015, 15:42

I quote from the Kaspersky blog

"For starters, hard drive reprogramming is much more complex than writing, let’s say, Windows software. Each hard drive model is unique and it is very expensive and painstaking to develop an alternative firmware. A hacker must obtain the hard drive vendor’s internal documentation (which is nearly impossible), purchase some drives of the exact same model, develop and test required functionality, and squeeze malicious routines into existing firmware, all while keeping its original functions. This is very high profile engineering which requires months of development and millions in investment."

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 19th, 2015, 1:31

While none of this is surprising, it is disheartening. Especially that it has gone on for so long without revelation to the public.

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 19th, 2015, 2:34

Spildit wrote:
guru wrote: I quote from the Kaspersky blog

"For starters, hard drive reprogramming is much more complex than writing, let’s say, Windows software. Each hard drive model is unique and it is very expensive and painstaking to develop an alternative firmware. A hacker must obtain the hard drive vendor’s internal documentation (which is nearly impossible), purchase some drives of the exact same model, develop and test required functionality, and squeeze malicious routines into existing firmware, all while keeping its original functions. This is very high profile engineering which requires months of development and millions in investment."


Not hard at all.

You just buy something like a PC-3000 or Salvation or you study the DR forums and you get the vendor-specific commands. You can get a WDR software and it will send commands to the drive and get the firmware out of it.

Now you just code your virus in a way that it includes a driver to send those commands and "patch" the firmware the way you want it.

That "edited" or patched firmware just has to "exploit" some Windows bug or somehow auto-execute code on Windows when you connect that drive to the machine.

You can even do better. I can see a way that a "hacker" would just put some code on SA/hidden LBA and then "swap" the first LBAs of the drive with the content of the "edited" or hacked master boot record, putting there a virus pointing to another place on the drive that couldn't be accessed by LBA.

What can be done with this just depends on imagination.

The same applies to DVD/CD burners, or any other hardware.


OK Spildit, now you have reproduced about 1% of the effort on the malware campaign.. just need to work on the deployment, all the other drive vendors, infiltration, Windows and Linux, SCADA etc. 0-days etc etc.

As I said, concentrating on the fact that they "hacked a hard drive" is very wrong in my opinion!
Cheers mate ;)

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 21st, 2015, 7:30

guru wrote: I quote from the Kaspersky blog

"For starters, hard drive reprogramming is much more complex than writing, let’s say, Windows software."

For a Windows programmer. For a microcontroller programmer, hard drive reprogramming is much easier than writing Windows software.

Ok. I wonder how that hacked software gets out from the disk and starts its job when a new system has been installed. Writing its code to a loader? But that won't even work for all Windows versions.

Re: Kaspersky Lab says NSA hacked all manufacturers firmware

February 21st, 2015, 9:08

Alt(R-TT) wrote:
guru wrote: I quote from the Kaspersky blog

"For starters, hard drive reprogramming is much more complex than writing, let’s say, Windows software."

For a Windows programmer. For a microcontroller programmer, hard drive reprogramming is much easier than writing Windows software.

I agree somewhat. These guys probably did not have to go to work or spend a great deal of time with family. They probably were able to say to another team or part of a team.. "I need this piece of information, specs, documents" etc and they would get it. When you have the resources, the difficulty is not an issue. It doesn't matter how "hard" it is, it is just a matter of time. I believe the focus here is all wrong. We shouldn't be focusing on how hard it is or if hacking HDDs is really that elite.. but the whole picture. A group of people were able to go into whatever computer system they wanted, in whatever part of the world they wanted, steal whatever they want, embed themselves in there to infect again if cleaned.. without really any detection, probably little oversight.

For this to be culminating in a whitepaper, a few crappy news articles that basically quote a couple of lines from the whitepaper, and a small bickering over how hard hacking a hard disk is - well this amazes me. Ask 100 people in a week what they remember about a group that can go wherever they please and one part is hacking hard drives.. I bet you get 100 crickets chirping.

If spam, cybercriminals with all sorts of money-making schemes, CryptoLocker, Facebook/Instagram/etc.. didn't already destroy any trust in the internet.. then groups like the dubbed "Equation group" have.

Tell me.. what is anyone going to do about it? Make more laws??.. these people don't give a shit about the law. Track them down?? And do what? Probably some US Govt agency with some warped view on protecting the states from TeRRism. Have better computer security?? Yea sure, like that has done anything to help in the past.

The silver lining is I enjoy reading the write-ups people like the Kaspersky team do, these are smart guys and it must be awesome to work there and have an inside view of all these shenanigans.


Alt(R-TT) wrote: Ok. I wonder how that hacked software gets out from the disk and starts its job when a new system has been installed. Writing its code to a loader? But that won't even work for all Windows versions.

That's why the stuff is extremely targeted. I have heard a few interviews now with Kaspersky researchers and InfoSec people. If you won the jackpot and got a hard disk infection, you were special and I bet there were hands running through each step of the pwnage. This malware was not just pwn and exfil data back to a CnC server.. this had many modules and it looks like a few were manually operated.

Parts of the malware were quite targeted, such as if you visited an infected site with an iPhone (only iPhone and not iPad) you were redirected to a site where extra effort was made to not pop any HTML errors.

I think the sophistication, depth, spread of this is overshadowed by the mention of Hard Drive hacking.

A good insight is the digital underground podcast number 186 http://threatpost.com/costin-raiu-on-the-equation-group-apt/111169 "Dennis Fisher talks with Costin Raiu of the Kaspersky Lab GReAT team about the researcher behind the Equation Group campaign, the group’s capabilities and why they seem to have gone dark now."