Unbelievably Sophisticated Spyware Infected Computers Worldwide for a Decade -- Report
If you didn't know just how advanced the National Security Agency's digital spying programs were, you will (probably) after reading this.
Edward Snowden, the ex-NSA contractor turned whistleblower, has exposed many of the U.S. signals intelligence agency's secrets over the last few years by leaking secret details of NSA initiatives to reporters. But it was the old-fashioned research of a cybersecurity company that this week exposed perhaps the most impressively advanced set of programs yet, ostensibly linked to the NSA.
In an incredibly technical and detailed report, published on Monday by Moscow-based cybersecurity software firm Kaspersky Lab, a series of spying software programs with an unimagined level of sophistication was laid out for the public to peruse. The report detailing the advanced spyware is the culmination of years of research, and will give you an idea of just how far ahead of the "state of the art" its authors and operators are.
Undetectable & Irremovable Spyware
Everyone grapples with malware -- viruses, Trojan horses, spyware, adware, etc. -- from time to time. Vanquishing it from your computer is often a pain, and it sometimes feels impossible to rid your life of those bugs.
But imagine your computer was infected with spyware so advanced that it rewrites the firmware of the hard drive itself, where it survives reformatting the disk and reinstalling the operating system, and that hooks the boot process so it is already running before Windows loads -- even when you boot in "safe mode." It's spyware as the new firmware.
That's just a taste of how advanced the malware exposed by Kaspersky Lab is; an excellent long-form Ars Technica report lays it out in layman's terms. The spyware -- attributed to anonymous operators Kaspersky dubbed the "Equation Group" -- has been infecting select computers worldwide, undetected, for a decade or more.
The Equation Group spyware is believed to reach its targets, at least at first, through interdiction of specific software CD-ROMs sent in the mail, which is one of the many signs (like the spyware's unbelievable sophistication, itself) that point to a powerful state actor behind it, like the NSA. Kaspersky describes one case in which a scientist who had attended a conference in Houston in 2009 later received a CD of conference materials in the mail that installed the malware. A similar event, a mailed CD with an Oracle database installation, has been traced back as far as 2002.
According to Kaspersky, in addition to the CD-by-mail interdictions, some 300 Internet domains host a command and control infrastructure for the bugs, and USB sticks carrying a worm component can be used to infect "airgapped" networks and computers -- those which, for security's sake, are not connected to the Internet.
The package of spyware could reprogram the firmware of a dozen makes and models of hard drives, is known to compromise Windows, and is believed to have versions for OS X and iOS devices as well. The malware stored its files, encrypted, across "multiple branches of an infected computer's registry," according to Ars, and bypassed digital code-signing restrictions (i.e., the operating system's requirement that any third-party software interacting with its kernel carry a valid signature) so that it evaded every antivirus product for years.
In fact, one of the most advanced elements of the "Equation Group" malware, called GrayFish, is reportedly so complex that even Kaspersky only currently understands "a fraction of its capabilities and inner workings," as Ars put it. What is known about GrayFish is that it can take an "extraordinarily" exhaustive level of control over systems it infects. As Kaspersky Lab's report put it:
When the computer starts, GrayFish hijacks the OS loading mechanisms by injecting its code into the boot record. This allows it to control the launching of Windows at each stage. In fact, after infection, the computer is not run by itself any more: it is GrayFish that runs it step by step, making the necessary changes on the fly.
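A bootkit of the kind Kaspersky describes has to change the boot record, and that change is something a defender can look for. The following is an added example, not code from Kaspersky, Ars Technica or the Equation Group malware: it parses a raw 512-byte master boot record, hashes the 446-byte bootstrap code area against a hash recorded when the disk was known to be clean, and sanity-checks the partition table. The MBR images it runs on are constructed in the script; the bootstrap bytes are dummy filler, not real boot code.

```python
"""Check a raw master boot record (MBR) image for signs of boot-record tampering.

Added example. The sample MBRs below are constructed for the demonstration;
the bootstrap bytes are filler and do not come from any real disk or malware.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446            # bytes 0..445: bootstrap code the BIOS jumps into
PART_TABLE_OFF = 446          # four 16-byte partition entries follow it
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash, partition table and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(mbr)} bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_bootcode_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from recorded baseline")
    used = [p for p in info["partitions"] if p["type"] != 0]
    active = [p for p in used if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid partition status byte 0x{p['status']:02x}")
    # Overlapping partitions are a classic place to hide a second boot stage.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions overlap at LBA {s2}")
    return findings


def _part_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one 16-byte partition entry (CHS fields zeroed; constructed data)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


# Constructed "known-good" MBR: filler bootstrap bytes plus one active NTFS (0x07)
# partition starting at LBA 2048. The baseline hash would normally be recorded
# from the disk while it was trusted and kept off the machine.
CLEAN_BOOTCODE = b"\x90" * BOOTCODE_LEN
CLEAN_MBR = (CLEAN_BOOTCODE
             + _part_entry(0x80, 0x07, 2048, 1_000_000)
             + _part_entry(0x00, 0x00, 0, 0) * 3
             + BOOT_SIGNATURE)
assert len(CLEAN_MBR) == MBR_SIZE
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOTCODE_LEN]).hexdigest()

# Constructed tampered image: the first bytes of the bootstrap area overwritten,
# the way a bootkit that injects itself into the boot record would change them.
TAMPERED_MBR = b"\xe9\x00\x01" + CLEAN_MBR[3:]

# Constructed image with a second partition overlapping the first.
OVERLAP_MBR = (CLEAN_BOOTCODE
               + _part_entry(0x80, 0x07, 2048, 1_000_000)
               + _part_entry(0x00, 0x83, 500_000, 10_000)
               + _part_entry(0x00, 0x00, 0, 0) * 2
               + BOOT_SIGNATURE)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("overlap", OVERLAP_MBR)):
        print(name, check_mbr(image, BASELINE_SHA256) or "no findings")
```

To run this against a real disk you would read the first 512 bytes of the raw device from trusted boot media, not from the possibly infected OS. The check has a limit the page itself points at: every read of the MBR passes through the drive's firmware, so a drive whose firmware has been reprogrammed can hand back clean-looking bytes while booting from something else, which is exactly why firmware-level implants sit beyond what host-side antivirus can see.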
Meet the Authors: The "Equation Group"
According to Ars, whatever the "Equation Group" actually is, it's probably "the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware."
Both of those programs were probably the two most advanced pieces of state malware publicly known. That is, until this week.
Flame and Stuxnet -- two programs believed by The New York Times, The Washington Post, and others to have been written (respectively) to spy on Iran and to have successfully destroyed up to one-fifth of Iran's nuclear centrifuges (through code alone!) -- have generally been attributed to U.S. and partner intelligence agencies.
The "Equation Group," though Kaspersky didn't specify, is believed to have the same source; the NSA declined to comment to Reuters on the matter.
But even if the well-founded suspicions that a powerful state actor like the U.S. is behind the malware are correct, this revelation is a little different from others by Edward Snowden -- like the NSA's phone record metadata collection activities.
That's because (unless our readers are far more nefarious than we assume) the Equation Group malware probably hasn't, and will never, infect your system.
Elements of the spyware have been found across the Middle East, Russia, China, India, and elsewhere. Many of the infected networks, servers, and machines there and in the U.S. are likely innocent bystanders -- media, medical, university, and telecommunications systems around the world, for example, have been found to be infected, as viruses do spread -- but Kaspersky observed that the sophisticated malware was designed, through several stages of checks, to deliver its full payload only to specifically targeted end users.
For much more detail in (relatively) plain English, check out Ars Technica's report here.