Lim Kit Siang

Spyware Embedded by U.S. in Foreign Networks, Security Firm Says

By NICOLE PERLROTH and DAVID E. SANGER
New York Times
FEB. 16, 2015

SAN FRANCISCO — The United States has found a way to permanently embed surveillance and sabotage tools in computers and networks it has targeted in Iran, Russia, Pakistan, China, Afghanistan and other countries closely watched by American intelligence agencies, according to a Russian cybersecurity firm.

In a presentation of its findings at a conference in Mexico on Monday, Kaspersky Lab, the Russian firm, said that the implants had been placed by what it called the “Equation Group,” which appears to be a veiled reference to the National Security Agency and its military counterpart, United States Cyber Command.

It linked the techniques to those used in Stuxnet, the computer worm that disabled about 1,000 centrifuges in Iran’s nuclear enrichment program. It was later revealed that Stuxnet was part of a program code-named Olympic Games and run jointly by Israel and the United States.

Kaspersky’s report said that Olympic Games had similarities to a much broader effort to infect computers well beyond those in Iran. It detected particularly high infection rates in computers in Iran, Pakistan and Russia, three countries whose nuclear programs the United States routinely monitors.

Some of the implants burrow so deep into the computer systems, Kaspersky said, that they infect the “firmware,” the embedded software that preps the computer’s hardware before the operating system starts. It is beyond the reach of existing antivirus products and most security controls, Kaspersky reported, making it virtually impossible to wipe out.

In many cases, it also allows the American intelligence agencies to grab the encryption keys off a machine, unnoticed, and unlock scrambled contents. Moreover, many of the tools are designed to run on computers that are disconnected from the Internet, which was the case in the computers controlling Iran’s nuclear enrichment plants.

Kaspersky noted that of the more than 60 attack groups it was tracking in cyberspace, the so-called Equation Group “surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades.”

Kaspersky Lab was founded by Eugene Kaspersky, who studied cryptography at a high school co-sponsored by the K.G.B. and once worked for the Russian military. Its studies, including one describing a cyberattack of more than 100 banks and other financial institutions in 30 countries, are considered credible by Western experts.

The fact that security software made by Kaspersky Lab is not used by many American government agencies has made it more trusted by other governments, like those of Iran and Russia, whose systems are closely watched by United States intelligence agencies. That gives Kaspersky a front-row seat to America’s digital espionage operations.

The firm’s researchers say that what makes these attacks particularly remarkable is their way of attacking the actual firmware of the computers. Only in rare cases are cybercriminals able to get into the actual guts of a machine.

Recovering from a cyberattack typically involves wiping the computer’s operating system and reinstalling software, or replacing a computer’s hard drive. But if the firmware gets infected, security experts say, it can turn even the most sophisticated computer into a useless piece of metal.

In the past, security experts have warned about “the race to the bare metal” of a machine. As security around software has increased, criminals have looked for ways to infect the actual hardware of the machine. Firmware is about the closest to the bare metal you can get — a coveted position that allows the attacker not only to hide from antivirus products but also to reinfect a machine even if its hard drive is wiped.

“If the malware gets into the firmware, it is able to resurrect itself forever,” Costin Raiu, a Kaspersky threat researcher, said in the report. “It means that we are practically blind and cannot detect hard drives that have been infected with this malware.”

The possibility of such an attack is one that math researchers at the National Institute of Standards and Technology, a branch of the Commerce Department, have long cautioned about but have very rarely seen. In an interview last year, Andrew Regenscheid, a math researcher at the institute, warned that such attacks were extremely powerful. If the firmware gets corrupted, Mr. Regenscheid said, “your computer won’t boot up and you can’t use it. You have to replace the computer to recover from that attack.”

That kind of attack also makes for a powerful encryption-cracking tool, Mr. Raiu noted, because it gives attackers the ability to capture a machine’s encryption password, store it in “an invisible area inside the computer’s hard drive” and unscramble a machine’s contents.

Kaspersky’s report also detailed the group’s efforts to map out so-called air-gapped systems that are not connected to the Internet, including Iran’s nuclear enrichment facilities, and infect them using a USB stick. To get those devices onto the machines, the report said, the attackers have in some cases intercepted them in transit.

Documents revealed by the former National Security Agency contractor Edward J. Snowden detailed the agency’s plans to leap the “air gaps” that separate computers from the outside world, including efforts to install specialized hardware on computers being shipped to a target country. That hardware can then receive low-frequency radio waves broadcast from a suitcase-size device that the N.S.A. has deployed around the world. At other times the air gaps have been leapt by having a spy physically install use a USB stick to infect the adversary’s computer.

Basing its estimate on the time stamps in code, the Kaspersky presentation said, the Equation Group had been infecting computers since 2001, but aggressively began ramping up their capabilities in 2008, the year that President Obama was elected, and began doubling down on digital tools to spy on adversaries of America.

While the United States has never acknowledged conducting any offensive cyberoperations, President Obama discussed the issue in general in an interview on Friday with Re/code, an online computer industry publication, describing offensive cyberweapons as being unlike traditional weapons.

“This is more like basketball than football, in the sense that there’s no clear line between offense and defense,” said Mr. Obama, himself a basketball player. “Things are going back and forth all the time.”