Equation Group: God of Cyber Espionage Detected

Bangladesh Targeted Too!

Last week Kaspersky Lab unveiled the predecessor of Stuxnet and Flame: a potent threat actor called Equation Group. The malware used in its operations, dubbed EquationDrug and GrayFish, is found to be capable of reprogramming hard disk drive firmware. This "outstandingly professional" group has been in play for more than a decade, experts say. Although Kaspersky Lab was not able to pinpoint the origin, security experts have pointed their fingers toward an American intelligence agency with prior history. More than 30 countries were attacked or infected by this group, including Bangladesh. We got in touch with Igor Soumenkov, Principal Security Researcher, Global Research & Analysis Team, Kaspersky Lab Moscow. Igor, a virus analyst and malware expert, shares his concerns with The Daily Star.


How did you first discover the malware, and how did Bangladesh come under your radar? Also, how long has this been going on, particularly in Bangladesh (BD)?

We discovered one of the first EQUATIONDRUG modules during our research into the Regin nation-state APT operation. Somewhere in the Middle East, there is a computer we are calling the "Magnet of Threats" because, in addition to Regin, it was also infected by Turla, ItaDuke, Animal Farm and Careto/Mask. When we tried to analyze the Regin infection on this computer, we identified another module which did not appear to be part of the Regin infection, nor of any of the other APTs.

Further investigation into this module led us to the discovery of the EQUATIONDRUG platform.

Unfortunately, we don't have that level of detail regarding the Bangladesh victims.

How can the general public check whether their computers have been infected?

Our products have detection for the malware used in the attacks; the user may scan his computer to check. We have also publicly provided indicators of compromise, which should help detect the threat.


Are the infections limited to computers only, or do they extend to other smart devices (phones, tablets, etc.)?

All the malware we collected so far is designed to work on Microsoft's Windows operating system. However, there are signs that non-Windows malware exists. For instance, one of the sinkholed command-and-control domains is currently receiving connections from a large pool of victims in China that appear to be Mac OS X computers (based on the user-agent).

The malware callbacks are consistent with the DOUBLEFANTASY schema, which normally injects into the system browser (for instance, Internet Explorer on Windows). This leads us to believe that a Mac OS X version of DOUBLEFANTASY also exists.

Additionally, we observed that one of the malicious forum injections, in the form of a PHP script, takes special precautions to show a different type of HTML code to Apple iPhone visitors. Unlike other cases, such as visitors from Jordan, who do not get targeted, iPhone visitors are simply redirected to the exploit server, suggesting the ability to infect iPhones as well.


What are the possible countermeasures?

We suggest that individuals and companies use a modern Internet security solution (many of the attacks against our users were not successful thanks to Automatic Exploit Prevention technology, which generically detects and blocks exploitation of unknown vulnerabilities) and update their software promptly so as not to get infected via exploits for old zero-day vulnerabilities.


Since these are no longer considered zero-day exploits, what could be the next move?

We don't know. And taking into account that we don't see any activity of the group from the end of 2013 onward, they may have already found a way to hide better and work more stealthily. And this is scary.

Does Kaspersky think hardware companies cooperated with Equation Group to provide access to the source code/firmware code?

We don't know how the group got access to the firmware source code. But we doubt it was a case of cooperation.


You commented in several media outlets that the only solution to the Equation Group threat is destroying the hard drive. Is there any other way to combat it?

First of all, the HDD firmware reprogramming module is extremely rare. It is probably only kept for the most valuable victims or for some very unusual circumstances. If a user has nothing to do with some extra-secret research or things like this, the chances that his HDD firmware is infected are close to zero. That is the good thing.

And the bad thing is that there is no way to tell whether an HDD is infected. Once the hard drive gets infected with this malicious payload, it's impossible to scan its firmware. To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. This means that we are practically blind, and cannot detect hard drives that have been infected by this malware.

So yes, if you think that your HDD firmware is infected, the only solution for now is to physically destroy the hard drive.
