The United States’ National Security Agency (NSA) is being blamed for hiding spying software in the firmware of hard drives from more than a dozen HDD manufacturers.
This includes hard drives from Western Digital, Seagate, and Toshiba.
According to Reuters, this spyware gives the NSA the ability to eavesdrop on the majority of the world’s computers.
Kaspersky Lab said that its Global Research and Analysis Team (GReAT) has recovered two modules which allow reprogramming of the hard drive firmware.
Kaspersky Lab said this is the first known malware capable of infecting hard drives at the firmware level.
By reprogramming the hard drive firmware (rewriting the hard drive’s operating system), two goals are achieved:
- An extreme level of persistence that survives disk formatting and OS reinstallation. Once the malware is in the firmware, it can “resurrect” itself indefinitely. It may also prevent the deletion of a certain disk sector or substitute it with a malicious one during system boot.
- The ability to create an invisible, persistent area hidden inside the hard drive. It is used to save exfiltrated information which can be later retrieved by the attackers.
Costin Raiu, director of GReAT at Kaspersky Lab, warned that once the hard drive gets infected with this malicious payload it is impossible to scan its firmware.
“To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware,” he said.
“Also, in some cases it may help the group to crack the encryption. Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” said Raiu.