NSA phone connections
The National Security Agency is the likeliest suspect behind the Equation Group, a small group of hackers who have launched operations against American adversaries and private companies. Reuters/Pawel Kopczynski

The U.S. National Security Agency may have been planting surveillance software into hard drives and other essential computer equipment sold around the world for more than a decade through a shadowy organization known as the Equation Group, a respected cybersecurity researcher says. The revelation, if true, indicates that operators within the NSA have been collecting far more information on the spy agency’s behalf than previously thought.

The Equation Group manipulated hard drives manufactured by Toshiba, Seagate, IBM, Western Digital and others dating back as far as 2001, researchers at the Moscow-based cybersecurity firm Kaspersky Lab said Wednesday. Equation has also proven able to reprogram a machine’s firmware, meaning that hackers were able to monitor even the most mundane activity on tens of thousands of individual PCs without their owners’ knowledge.

Privacy experts say the disclosures highlight the need for international companies to do more to protect customers from evolving threats to their online security.

Existence of the Equation Group, believed to be made up of 60 or so actors, was first revealed at Kaspersky’s annual security summit in Mexico on Feb. 16. Kaspersky on Wednesday released further information that strongly links the organization to the NSA.

The dense technical language in the Kaspersky report essentially argues that spies were able to install malicious software into computer hard drives that activate again and again each time the computer powers on.

Researchers found source code that makes reference to “STRAITACID,” “STRAITSHOOTER,” and “BACKSNARF_AB25.” Those names bear a remarkable resemblance to “BACKSNARF” and “STRAITBIZARRE,” two malware campaigns used by NSA’s Tailored Access Operations team and first revealed by former NSA contractor Edward Snowden.

Costin Raiu, Kaspersky’s lead researcher on the project, told Reuters that while the Equation Group was able to steal files on any of the infected computers, they assumed full control only of computers used by high-value targets. Disk drive firmware, which was infected in this hack, is the second-most valuable space on a computer for hackers (after a microprocessor’s input/output system), the news outlet reported.

The Equation Group appears to rely on the programs EquationDrug and GrayFish for its espionage operations.

“It’s important to note that EquationDrug is not just a Trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules of selected victims,” stated a version of the report updated Wednesday. “The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via custom message passing interface.”

Again, Kaspersky did not officially pin the Equation Group on the NSA, but pointed out links that are hard to dismiss as coincidence.

Computers in at least 42 countries were affected by the breach, with U.S. adversaries, rivals or conflict zones including Iran, Russia, Pakistan, Afghanistan, India, China and Syria among the worst hit. Energy companies, nuclear researchers, prominent journalists, Islamic activists, military officials, high-level government officials and telecommunications companies were among the favorite foreign targets.

The NSA has not issued a response to Kaspersky’s accusations, but the Russian company has a stellar reputation among cybersecurity professionals. It was the first to reveal that a nation-state was behind the Stuxnet worm that crippled Iran’s nuclear facilities, identified the Flame malware in 2012 and has frequently been cited as one of the most reliable antivirus companies in the world.

Neither the security company Symantec, the influential cryptography expert Bruce Schneier nor the Electronic Frontier Foundation raised any substantial objections with the report. The privacy implications of the Equation Group’s activity are less clear. “On one hand, it’s the sort of thing we want the NSA to do. It’s targeted. It’s exploiting existing vulnerabilities,” Schneier wrote in a blog post when the Equation Group was first revealed.

“On the other hand, the NSA’s definition of ‘targeted’ can be pretty broad. We know that it’s hacked the Belgian telephone company and the Brazilian oil company. We know it’s collected every phone call in the Bahamas and Afghanistan. It hacks system administrators worldwide.”

The Electronic Frontier Foundation cited the Kaspersky report as an example of the need for the U.S. government to be more open about hoarding zero day vulnerabilities (security flaws that go unreported so intelligence agencies and corporations can use them as method of collecting information). “This report once again demonstrates how important it is that all companies take concrete steps to protect consumer privacy and prove they are not exposing their customers to surveillance,” the EFF wrote.