Did the National Security Agency plant spyware deep in the hard drives of thousands of computers used by foreign governments, banks and other targets under surveillance abroad?
A new report from Russian cybersecurity firm Kaspersky Lab said its researchers identified malicious programs or worms that infected computers in multiple countries. Targets appeared to be specifically selected and included military, Islamic activists, energy companies and other businesses, as well as government personnel. Without naming the United States as the source of the malware, the report said one of the programs has elements in common with the so-called Stuxnet computer virus that The New York Times and Washington Post have said were developed by the U.S. and Israeli governments to disrupt Iranian nuclear facilities.
The malware was not designed for financial gain but to collect information through “pure cyberespionage,” said Kaspersky’s Vitaly Kamluk.
NSA spokeswoman Vanee Vines declined to comment, but cited a 2014 presidential directive that instructed U.S. intelligence agencies to respect Americans’ privacy while continuing to conduct overseas operations necessary to guard against terrorism or other threats.
Kaspersky researchers said some of the spyware was designed to burrow into the essential software that comes pre-installed on a computer’s disk drive, known as firmware. Once there, it could have gained access to vital codes, such as the keys to deciphering encrypted files. Kamluk said compromising firmware is a difficult technical challenge that likely requires knowledge of the manufacturer’s source code – normally a closely guarded secret.
The report named several disk-drive manufacturers whose products were compromised, including Seagate Technology, Western Digital Corp., Toshiba and IBM Corp. While some did not immediately respond to requests for comment, two companies said the report came as news to them.
“We take such threats very seriously,” Western Digital spokesman Steve Shattuck said Tuesday, adding in a statement that the company is “in the process of reviewing the report from Kaspersky Labs.”
Seagate Technology said it “has no specific knowledge of any allegations regarding third parties accessing our drives.” The company said in a statement that it’s committed to security and takes steps to prevent tampering or “reverse engineering” of its products.
One worm was designed to be invisible to traditional antivirus software. Another was spread through infected USB thumb drives, allowing it to collect information from computers that are “air-gapped” or disconnected from the internet, Kaspersky said. Air-gapping is a security practice used at nuclear plants and other sensitive facilities.
While some of the malware was transferred over the internet, the report also described what it called “classic spying methods.” In one case, scientists who attended an international conference in Houston were later sent a compact disc of conference materials by the event’s sponsor. The sponsor apparently didn’t know that the disc also contained malware, which spread into certain attendees’ computers, Kaspersky researchers said.
“A lot of nation-states are involved in these activities. Russia, China and the U.S. are in a great cyber-arms race,” said David DeWalt, CEO of the Silicon Valley cybersecurity firm FireEye. But the campaign could have unintended consequences, said security expert Bruce Schneier, who warned that other hackers may exploit the same vulnerabilities.