Nearly a decade before Stuxnet and Flame became household names, malware with some genetic similarities to them was infecting computers in targeted regions across the globe, stealthily burrowing into hard disks and flash drives.
That was the topic of a report presented by Kaspersky Lab researchers at the company's annual summit in Cancun, Mexico. Kaspersky Lab said the malware is among the most advanced it has ever seen and traced its origins back as far as 2001. Researchers from Kaspersky Lab have given the organization behind the malware platform the name "the Equation Group" (likely because of its preference for mathematically complex attacks) and named the individual components EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish.
“The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen,” Kaspersky Lab said in its report.
Out of the toolset discovered by Kaspersky Lab researchers, two items stand out for their complexity: Fanny and GrayFish.
According to the researchers, the purpose of Fanny is to map out air-gapped networks and to allow commands sent from a master server to run on machines inside them, even though those machines never touch the internet.
The bridge between the air-gapped network and the internet is a USB stick carrying a hidden storage area. Information collected on the isolated machine is written to that hidden area; when the stick is later plugged into an infected, internet-connected computer, the data is forwarded to the operators and fresh commands are written back for the next trip across the gap. The name Fanny comes from a file, Fanny.bmp, found on every infected USB drive. The report says the majority of these USB drives were found in the Middle East, but infected drives turned up in 30 different countries around the world.
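The report does not describe how Fanny's hidden area was laid out on the stick, so the following is an added example, not code from Kaspersky's report, of the kind of check a responder would run on an image of a removable drive: parse the MBR partition table and flag any non-zero data sitting outside every partition. The assumption (hypothetical, not stated by the page) is that a covert store would be placed in sectors no filesystem claims, which is where a simple "does the partition table account for the whole device?" comparison catches it. The disk image is constructed inline so the script runs offline.

```python
"""Scan a raw removable-media image for data stored outside any MBR partition.

Added example (not from the Kaspersky report). Assumption: a hidden storage
area sits in sectors that no partition table entry covers.
"""
import struct

SECTOR = 512
MBR_PART_TABLE = 446      # offset of the four 16-byte partition entries


def parse_mbr_partitions(image: bytes):
    """Return (lba_start, sector_count) for each non-empty MBR partition entry."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        entry = image[MBR_PART_TABLE + 16 * i : MBR_PART_TABLE + 16 * (i + 1)]
        ptype = entry[4]                               # partition type byte
        lba, count = struct.unpack_from("<II", entry, 8)   # little-endian LBA start, sector count
        if ptype != 0 and count:
            parts.append((lba, count))
    return parts


def unallocated_ranges(image: bytes, parts):
    """Byte ranges covered neither by the MBR sector itself nor by any partition."""
    total_sectors = len(image) // SECTOR
    covered = [(0, 1)] + sorted(parts)                 # sector 0 is the MBR
    ranges = []
    cursor = 0
    for start, count in covered:
        if start > cursor:
            ranges.append((cursor * SECTOR, start * SECTOR))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        ranges.append((cursor * SECTOR, total_sectors * SECTOR))
    return ranges


def find_hidden_data(image: bytes):
    """Return (range_start, range_end, first_nonzero_offset) for unallocated ranges holding data."""
    hits = []
    for lo, hi in unallocated_ranges(image, parse_mbr_partitions(image)):
        chunk = image[lo:hi]
        if any(chunk):                                 # all-zero slack is normal; anything else is not
            first = lo + next(i for i, b in enumerate(chunk) if b)
            hits.append((lo, hi, first))
    return hits


def build_sample_image() -> bytes:
    """Constructed 64-sector image: MBR, one 40-sector partition at LBA 8, data planted past its end."""
    img = bytearray(64 * SECTOR)
    # entry 0: not bootable, CHS fields zero, type 0x0C (FAT32 LBA), start LBA 8, 40 sectors
    entry = bytes([0x00, 0, 0, 0, 0x0C, 0, 0, 0]) + struct.pack("<II", 8, 40)
    img[MBR_PART_TABLE:MBR_PART_TABLE + 16] = entry
    img[510:512] = b"\x55\xAA"
    img[8 * SECTOR : 8 * SECTOR + 16] = b"FAT partition..."            # legitimate filesystem bytes
    img[52 * SECTOR : 52 * SECTOR + 24] = b"stolen host inventory..."  # planted covert store (constructed)
    return bytes(img)


if __name__ == "__main__":
    for lo, hi, first in find_hidden_data(build_sample_image()):
        print(f"non-zero data outside partitions: bytes {lo}-{hi}, first at offset {first}")
```

The gap between the MBR and the first partition is reported as unallocated but is all zeros in the sample, so only the region after the partition is flagged. The check is a heuristic: it says nothing about data tucked inside a filesystem (unused clusters, file slack), about GPT-partitioned media, or about anything living in the device's firmware rather than its sectors, which is exactly the layer the GrayFish discussion below is about.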
The other highlight of the discovered malware is GrayFish. GrayFish is able to burrow into the firmware of HDDs and SSDs. Reformatting the drive, overwriting every sector, or reinstalling the operating system does nothing to remove it, because the implant lives in the drive's own firmware rather than in any sector the host can write. According to Kaspersky, the only way to get rid of GrayFish at that level is to destroy the drive itself. For anyone doing incident response, that means wiping tools and factory resets are not a remediation for a compromise at this layer. Kaspersky said the malware can reprogram the firmware of drives from 12 major HDD and SSD manufacturers.
Kaspersky Lab does not directly attribute the malware suite to the NSA, but says it is definitely the work of a highly advanced electronic intelligence organization.
In 2012 Wired magazine published an interesting feature outlining the relationship between the founder of Kaspersky Lab and Russian intelligence services. It is worth a read alongside the company's report.