Could the NSA turn your hard drive into a cyber spy?

Picture illustration. (REUTERS/Pawel Kopczynski)

Security researchers at Kaspersky Lab have unearthed malware that can implant spying software in hard drive firmware, fueling suspicion that the National Security Agency is behind a new breed of cyber-espionage technology.

One of an arsenal of tools created by a shadowy collection of hackers dubbed “the Equation Group,” on account of their fondness for sophisticated encryption algorithms, the malware has prompted fears of widespread computer eavesdropping.

“It allows them to reprogram the hard drive firmware of over a dozen different hard drive brands, including Seagate, Western Digital, Toshiba, Maxtor and IBM,” explained Russian security company Kaspersky Lab, in a blog post. “This is an astonishing technical accomplishment and is testament to the group's abilities.”
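The one cheap check a practitioner can make against this kind of implant is to record the model and firmware version each drive reports (for example, from the output of `smartctl -i`) and compare them with a baseline of approved versions. The script below is an added example, not code from the article or from Kaspersky Lab; the `smartctl`-style output, the drive identities and the baseline table are all constructed for illustration. The caveat matters more than the check: the version string is supplied by the drive's own controller, so firmware that has already been reprogrammed can report whatever it likes. A match is not proof of clean firmware, and a mismatch most often just means an unrecorded vendor update that needs to be verified with the vendor.

```python
import re

# Constructed sample output in the style of `smartctl -i /dev/sdX` (not real captures).
SAMPLE_SMARTCTL_OUTPUT = {
    "/dev/sda": """
=== START OF INFORMATION SECTION ===
Model Family:     Seagate Barracuda 7200.14 (AF)
Device Model:     ST2000DM001-1CH164
Serial Number:    Z1E0EXAMPLE
Firmware Version: CC26
User Capacity:    2,000,398,934,016 bytes [2.00 TB]
""",
    "/dev/sdb": """
=== START OF INFORMATION SECTION ===
Device Model:     WDC WD10EZEX-08M2NA0
Serial Number:    WD-WCC3FEXAMPLE
Firmware Version: 01.01A01
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
""",
    "/dev/sdc": """
=== START OF INFORMATION SECTION ===
Device Model:     ST2000DM001-1CH164
Serial Number:    Z1E0EXAMPL2
Firmware Version: CC99
User Capacity:    2,000,398,934,016 bytes [2.00 TB]
""",
}

# Hypothetical baseline: firmware versions an organisation has recorded as approved, per model.
FIRMWARE_BASELINE = {
    "ST2000DM001-1CH164": {"CC24", "CC26"},
    "WDC WD10EZEX-08M2NA0": {"01.01A01"},
}

# Identity fields as smartctl prints them: "Label:   value" on their own line.
FIELD_RE = re.compile(r"^(Device Model|Firmware Version|Serial Number):\s*(.+?)\s*$", re.M)


def parse_smartctl_info(text):
    """Return {field: value} for the identity fields found in smartctl -i output."""
    return {field: value for field, value in FIELD_RE.findall(text)}


def check_drive(device, text, baseline):
    """Classify one drive as ok / firmware-mismatch / unknown-model / unparseable."""
    info = parse_smartctl_info(text)
    model = info.get("Device Model")
    firmware = info.get("Firmware Version")
    if model is None or firmware is None:
        return (device, "unparseable", model, firmware)
    approved = baseline.get(model)
    if approved is None:
        return (device, "unknown-model", model, firmware)
    if firmware not in approved:
        # Drift from baseline: either an unrecorded vendor update or something to investigate.
        return (device, "firmware-mismatch", model, firmware)
    # Caveat: "ok" only means the controller *reported* an approved version.
    return (device, "ok", model, firmware)


def audit(outputs, baseline):
    """Run check_drive over every captured output, in device order."""
    return [check_drive(dev, txt, baseline) for dev, txt in sorted(outputs.items())]


if __name__ == "__main__":
    for device, status, model, firmware in audit(SAMPLE_SMARTCTL_OUTPUT, FIRMWARE_BASELINE):
        print(f"{device}: {status} (model={model}, firmware={firmware})")
```

In a real deployment the captured text would come from running `smartctl -i` on each device and the baseline from asset inventory; a `firmware-mismatch` finding should be reconciled with the vendor's published firmware history before it is treated as anything more than drift.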

While Kaspersky Lab’s report, which came out on Monday, does not name the NSA, it does note technical links, including shared exploits, between the Equation Group and the developers of the Stuxnet worm. Stuxnet, which sabotaged centrifuges at Iran’s uranium-enrichment facility and was discovered in 2010, was said to be a joint U.S./Israeli effort.

A former NSA employee told Reuters that people within the intelligence agency valued spying programs such as the ones discovered by Kaspersky Lab as highly as Stuxnet. Reuters also cited another former intelligence operative who confirmed that the NSA had developed the technique of hiding software in hard drives, but said he did not know which spying efforts are using it.

The NSA declined to comment on the Kaspersky Lab report.

“We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details,” explained a spokeswoman, in an emailed statement.

Nonetheless, the report has thrust the NSA into the cyber-snooping spotlight at a time of increasingly sophisticated cyber threats.

In its report, Kaspersky Lab described the Equation Group’s efforts as the “death star” of the malware galaxy.

Since 2001, the Equation Group has been busy infecting thousands, or perhaps even tens of thousands, of victims throughout the world, according to the security researchers. Victims include government and military organizations, media outlets, nuclear research, financial institutions, and Islamic activists and scholars, it said.

Kaspersky Lab has identified the group’s victims in more than 30 countries, with Iran and Russia experiencing the highest infection rates.

The group is using more than 300 Internet domains and over 100 servers, which are hosted in multiple countries, including the U.S., the U.K., Italy, Germany, Panama, and the Czech Republic. The domains appear to have been registered through “domains by proxy” to mask the registrant’s identity, according to Kaspersky Lab.

Kaspersky Lab said that the Equation Group uses multiple malware platforms, some of which surpass the well-known “Regin” threat in complexity and sophistication.

Regin is what is known as a backdoor Trojan, which gives an attacker remote access to a compromised computer and lets them send it commands. Like Stuxnet, Regin is delivered in stages, each one unpacking and loading the next, and it can also be customized to specific targets. In November 2014 security specialist Symantec said that Regin had been spying on governments and businesses since 2008, describing the malware as a “top-tier espionage tool” that enables “stealthy surveillance.”

Michela Menting, cybersecurity practice director at the tech analyst firm ABI Research, said that, with over a decade to refine its methods, the Equation Group may have other cyber tools in its arsenal that are still unknown. "But there’s less of a taboo now about revealing activities of such groups," she added, noting that we will likely hear more news about the likes of the Equation Group.

A spokesman for Western Digital said that, prior to the Kaspersky Lab report, the company had no knowledge of the described cyber-espionage program.

“We take such threats very seriously,” he said, in an email. “The integrity of our products and the security of our customers’ data are of paramount importance to us.”

“We are constantly evaluating how we can better protect the integrity of our drives and customer data,” he added. “We are in the process of reviewing the report from Kaspersky Labs and the technical data set forth within the report.”

A spokesman for Seagate, which also owns the Maxtor brand, said that the company “has no specific knowledge of any allegations regarding third-parties accessing our drives.”

“Seagate is absolutely committed to ensuring the highest levels of security of the data belonging to our users,” he added, in an email. “For over seven years Seagate has been shipping drives offering industry-leading levels of self encryption, while putting in place secure measures to prevent tampering or reverse engineering of its firmware and other technologies.”

A spokesman for Toshiba said that the company had no knowledge of the spying programs.

IBM has not yet responded to a request for comment on this story.

This story has been updated with comments from Toshiba and ABI Research's Michela Menting.

Follow James Rogers on Twitter @jamesjrogers