How did the Equation group virus get on to our hard drives?

by Sam Wiltshire 24 February 2015

A report released by Kaspersky Lab last week detailing a shadowy organisation it calls “Equation” has sent shockwaves through the security community. According to Kaspersky’s findings, millions of PCs have been “infected” with a form of malware that affects the BIOS built into the physical hardware of the hard drive.

Unlike most computer viruses, however, there is no way to remove the Equation malware, because it is loaded before any operating system can be booted. The application then creates a hidden hard drive sector for storing stolen data or new commands from the third party controlling the system. Even if the hidden disk partition is detected and deleted, the virus simply recreates it the next time the PC is started.

A completely unremovable virus

Although hard drive BIOS can usually be upgraded or re-flashed, some sectors remain inaccessible to users to prevent them from “bricking” their unit. Kaspersky Lab found that the virus often uses these persistent, unflashable sections of the BIOS, which prevents the malware from ever being deleted successfully. In most cases, the only way to get rid of the virus is to replace the drive entirely.

The sophistication of the malware, and its similarities to the Stuxnet virus, have led many to conclude that Equation is funded or operated by America’s National Security Agency (NSA). The only statement issued by the NSA admitted that the agency is aware of Equation, but declined to comment further – particularly when pressed about responsibility for engineering the virus.

Equation – its prevalence is a surprise

Although the effects of Equation are dramatic – for instance, the ability to cross into disconnected, secure networks to steal data – it is the actual presence of the BIOS malware that is most puzzling. Kaspersky Lab claims to have found Equation malware on drives manufactured by Western Digital, Hitachi, Seagate, Samsung, Toshiba and IBM, all of which use different BIOS technologies and safeguards to control their disks.

Writing viruses to firmware in this way can only feasibly have occurred in one of two ways:

  • The infection first took place on the production line, with Equation code being introduced into the BIOS at the time the hard drive was assembled.
  • The virus was transmitted using traditional methods (webpage exploits, infected email attachments, compromised USB keys, etc.) and used proprietary BIOS write methods to access the protected BIOS storage.

How was it installed?

In order to install malware at the source, the Equation group would need to gain access to secure systems where BIOS firmware code is stored. They could then overwrite official code with their own in readiness for the disk manufacturing process.

To do this, a hacker would need to do one of the following:

  • Crack the secure network and access the code stores directly.
  • Use social engineering techniques to trick an authorised user into compiling malware code into the final BIOS release.
  • Pay a user to do the same.
  • Secure assistance from the manufacturer to install the malware code willingly – the sort of agreement that only government agencies could secure.

Any of these techniques is feasible, particularly as the majority of affected manufacturers have not been particularly quick to deny involvement.

Had the Equation malware been transmitted using more traditional techniques, there would still remain the problem of how the protected firmware sectors were accessed. Information about the protected API is not publicly available and requires specialist knowledge from within the manufacturer. Again, there are a few explanations:

  • Equation members managed to steal the API details directly from each manufacturer.
  • Equation paid an inside source for the information.
  • Manufacturers were complicit in sharing the information.

Paying for industrial secrets this sensitive would have cost a vast sum of money – way beyond the means of most hacker collectives and cybercriminal gangs. Again, the implication seems to be that hard drive manufacturers were compromised directly, or that a nation state is behind Equation.

A long term puzzle

But most puzzling of all is the apparent age of the Equation malware. Kaspersky’s analysis of the virus tracks back to several domains, some of which have been active since 1996. From this, security researchers estimate that Equation may have been using techniques like these to compromise hard drive security and steal data for nearly 20 years. Given that hard drive technology has changed significantly in that period, it would seem that Equation has been working hard to stay on top of the secret protocols that cover hard drive BIOS firmware.

Clearly Equation has been built by some very clever hard drive engineers, but the “how” of the infection is almost as hard to explain as the “why”.

Image credit: What You Need to Know About ‘Equation Group,’ the Scariest Cyber-Espionage Group Ever