The U.S. National Security Agency can hide spy software in the hard drives of top hardware manufacturers, allowing the agency to monitor the majority of the world’s computers, according a new report published on Monday by Russian researchers.
The NSA’s spy programs can function in disk drives sold by more than a dozen companies, which means just about every computer on the market vulnerable to eavesdropping. Kaspersky Lab, a Moscow-based security software maker, discovered that implants could be placed by what it called the “Equation Group,” a reference to the NSA. The finding was confirmed by Reuters via a former NSA employee.
The list of manufacturers includes the Cupertino-based Seagate in addition to Western Digital, Toshiba Corp, IBM and Samsung Electronics. Micron Technology, which recently announced a strategic partnership with Seagate, was also listed.
The report may affect sales of U.S.-based technology, especially in China which has plans to regulate banking software by requiring copies of code be provided for inspection. Some tech companies named in previous rounds of NSA spying disclosures said their overseas sales had suffered but none have pointed to that as a reason for lower revenue in earnings reports.
According to the Kaspersky report, NSA spies discovered how to hide malicious software in the firmware, which launches each time a computer is turned on. Disk drive firmware is seen by cybersecurity experts as the second-most vulnerable area on a computer, second only to the BIOS code, which invades as a computer boots up.
Russian researchers found 30 personal computers infected with one or more of the spying programs. The majority of the infections were discovered in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. Targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media and Islamic activists.
The report comes just days after the cybersecurity summit at Stanford University where President Barack Obama and major U.S. tech firms addressed best practices to head off cyber threats. During the summit, Obama signed an executive order encouraging greater cooperation with tech companies to share information regarding hacking attempts and data breaches.
Though it remains to be seen if the companies named in the Kaspersky report take countermeasures to protect their products from government hackers, the latest report can’t bode well for the trust level between Washington D.C and Silicon Valley.
— source bizjournals.com