A powerful cyberspying tool can tap into millions of computers worldwide through secretly installed malware, security researchers say, with many signs pointing to a US-led effort.
A report released on Monday by the Russian security firm Kaspersky Lab did not identify the source of the campaign but said it had similarities to Stuxnet, a cyberweapon widely believed to have been developed by the United States and Israel to thwart Iran’s nuclear program.
Kaspersky said the campaign “surpasses anything known in complexity and sophistication” in terms of cyber spying, and had been used at least as far back as 2001 by a team dubbed “the Equation group.”
“The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen,” the report said.
The spying relied on a computer worm Kaspersky dubbed “Fanny,” often infecting a computer via a USB stick, and carried out at least two “exploits” to steal information from computers in the Middle East and Asia, the report said.
The evidence shows Equation and Stuxnet developers “are either the same or working closely together,” the researchers said.
The US National Security Agency, which has led a vast global surveillance effort as part of its anti-terror mission, declined to comment on any involvement in the program.
“We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details,” NSA spokeswoman Vanee Vines said.
Sean Sullivan at the Finnish security firm F-Secure said the Kaspersky report appears to point to an NSA division known as ANT, the subject of a 2013 report about backdoors in technology products.
“Kaspersky’s research paper refers to a threat actor called the ‘Equation group’ whose country of origin is not named, but the group has exactly the capabilities detailed by the NSA’s ANT catalogue,” Sullivan said in a blog post Tuesday.
The campaign was able to infect “about 2000 users per month” with victims in at least 30 countries, the report said.
The most infections were found in Iran, Russia, Pakistan and Afghanistan.
Other countries where infections were found included Syria, Kazakhstan, Belgium, Somalia, Libya, France, Yemen, Britain, Switzerland, India and Brazil.
A unique element of this campaign was its ability to install malware in computer hard drives made by major manufacturers including Western Digital, Seagate, Samsung and Maxtor, according to the researchers.
The spyware was placed in “a set of hidden sectors (or data storage) of the hard drive,” which remain in place even after a disk is reformatted or an operating system reinstalled, Kaspersky said.