Hard Drive Malware Hack Opens A Pandora's Box, But Storage Vendors Have Been Closed Off On The Implications

Storage vendors are refusing to acknowledge what steps they will take in the wake of the blockbuster revelation that a secretive organization with alleged ties to the U.S. National Security Agency is behind a move to secretly install malware in the firmware of hard drives from major vendors.

An organization called the Equation Group has hidden software in the firmware of an untold number of hard drives that can retrieve data on the drive and possibly deliver malicious payloads, according to Moscow-based Kaspersky Lab. With the malware hidden in the hard drive firmware, there are no known tools -- except maybe a hammer -- that can prevent it from carrying out its task.

Kaspersky released its report revealing the threat on Feb. 16, and called the Equation Group a "threat actor that surpasses anything known in terms of complexity and sophistication of techniques."

Given the complexity of the malware, Kaspersky said there is no certainty that what the Equation Group has done will lead to a widespread attack on customers' storage systems or data. Even so, the news has huge implications for the storage industry, the biggest consumer of hard drives, as it points the way for other organizations -- or governments -- who may be interested in just such an attack.

No one has accused storage system vendors of working with the Equation Group. However, none of the vendors addressed CRN inquiries regarding how they could make sure such malware is not included in future shipments, whether it is possible to remove the malware from units installed in the field, or how they would communicate with customers regarding the potential threat.

None of the five top storage vendors, including EMC, Hewlett-Packard, Hitachi Data Systems, NetApp and Dell, would comment on any of the report's implications.

The sounds of silence are in sharp contrast to the protests from Dell and Cisco Systems when news broke last year that a special unit within the NSA had been planting backdoors in computing and networking hardware from major U.S. vendors, including those two companies.

At the time, Cisco CEO John Chambers wrote a strongly worded letter to President Barack Obama urging him to issue new rules that protect customers from the NSA putting spyware into computer equipment.

Kaspersky did not say who was behind the Equation Group but said the organization appears to have interacted with "other powerful groups" including the designers of the Stuxnet malware, a connection that implies a tie with the NSA, according to numerous media reports including Reuters.

Kaspersky was unable to respond to a CRN request for more information.

In a move Kaspersky described as "ultimate persistence and invisibility," the company's Global Research and Analysis Team (GReAT) recovered two modules of codes that allowed the reprogramming of hard drive firmware in most popular hard disk drives, making it the "first known malware capable of infecting the hard drives."

Those modules allow data to be "exfiltrated" from a user's storage system to space secretly carved out on the drive, where it can sit until retrieved by the hackers. The malware also appears to be able to crack encryption technology around the data. (See the sidebar accompanying this story for more technical details on the malware.)

The malware impacts hard drives from the industry's top three manufacturers including Seagate, Western Digital and Toshiba, as well as from several brands that were later acquired by those three including Maxtor and IBM, Kaspersky said.

A Seagate spokesperson responded to a CRN question about the revelations via email with a statement that read: "Seagate has no specific knowledge of any allegations regarding third parties accessing our drives. Seagate is absolutely committed to ensuring the highest levels of security of the data belonging to our users. For over seven years Seagate has been shipping drives offering industry-leading levels of self-encryption, while putting in place secure measures to prevent tampering or reverse-engineering of its firmware and other technologies."

A Western Digital spokesperson responded via email with a statement that read: "On Monday, February 16, Kaspersky Lab published a research report about an advanced cyber-espionage program, in which the products of multiple storage device manufacturers, including from WD and HGST, were identified. Prior to the report, we had no knowledge of the described cyber-espionage program. We take such threats very seriously. The integrity of our products and the security of our customers' data are of paramount importance to us.

"We are constantly evaluating how we can better protect the integrity of our drives and customer data. We are in the process of reviewing the report from Kaspersky Lab and the technical data set forth within the report."

Storage vendors were even less forthcoming in their responses to the hard drive firmware hack.

An EMC spokesperson, in response to a query from CRN, responded via email with a statement that read, "It's longstanding policy that EMC doesn't comment on rumor or speculation. What we can say is that EMC does not manufacture hard disk drives and, as such, has no knowledge of the alleged spyware program."

A Hewlett-Packard spokesperson responded via email that HP has no information to add to CRN's story.

Spokespersons from NetApp and Dell replied via email that they would check into the issue, but did not respond further. Hitachi Data Systems did not respond to a request for more information.

Concerns about the possibility that an agency such as the NSA could quietly install undetectable malware in the firmware of hard drives was first highlighted by online tech news source MIT Technology Review, which reported that such a capability was actually demonstrated in 2013 and 2014 with both hard drives and USB sticks.

"That raises the prospect that multiple national intelligence agencies -- and perhaps even groups without government backing -- could be using the technique. Few, if any, security researchers are on the lookout for such attacks because they are essentially invisible,: MIT Technology Review reported.

This has gone from being a security issue to being a storage issue, said Jamie Shepard, regional and health systems senior vice president at Lumenate, a Dallas-based solution provider with strong storage and security practices.

All hard drives ship with a certain amount of capacity that cannot be seen as a result of formatting, Shepard told CRN. For instance, a hard drive with a raw capacity of 600 GB may only have 538 GB of usable capacity. "The rest of the capacity is hidden," he said. "You can reformat the drives, but the next time you boot up the system, the usable capacity is the same."

Customers, especially those in Lumenate's health-care business, are more likely to encrypt data on the drive and over the network. Data that is encrypted by a storage controller, which is how EMC handles it, is probably less likely to be accessed by such malware than data encrypted at the drive, Shepard said. "This limits the risk, but doesn't eliminate it."

Large customers are throwing millions of dollars at technology to find risks, and often end up with a false sense of security, Shepard said. Lumenate has responded with its own Breach Information Event Management service, in which company personnel look at potential issues with customers' data. Shepard said this offers protection from malware above any unsupervised technology.

Jan Baldwin, CEO of Nth Generation, a San Diego-based solution provider, said there is still so much about the Equation Group hack that is unknown.

"It's getting harder to say who are the good guys and who are the bad guys," Baldwin told CRN.

CIOs who have heard of the hack really don't know what to do even if they know a hard drive has such malware, Baldwin said.

"This certainly leads to more distrust of the NSA," she said. "Encryption is only secure up to a certain level. It's scary."

Andy Kretzer, director of sales and marketing at Bold Data Technology, a Fremont, Calif.-based custom system builder, told CRN via email that he has yet to fully digest the importance of the Kaspersky report.

"I haven't seen it said at what point the spyware was introduced to the hard drives ... just that it is embedded in the drives' firmware. Customers have not asked about this yet and I don't anticipate getting many questions on it. We have not heard yet from any [hard disk drive manufacturers] regarding this news. Hard drive firmware is one of many attack vectors in a system, so while I was unaware of this, I am not surprised," Kretzer wrote.

Todd Swank, senior director of product marketing at Minneapolis-based Equus Computer Systems, told CRN that customers have yet to ask about the malware.

"Maybe people are now used to being spied on," Swank said. "It's creepy."

The response to the malware will have to come from the hard drive manufacturers, Swank said. "For now, it's hard to see how the system and storage manufacturers could be at fault," he said. "But it's pretty crazy to think someone has been able to spy on us all this time."

Despite the potential impact on the storage industry, however, Kaspersky warned against panicking.

In a blog post after the release of the news about the Equation Group, Serge Malenkovich, deputy head of social media at Kaspersky, wrote that the Equation Group has probably used the malware only a few times as reprogramming a hard drive is a very complex process.

"Each hard drive model is unique and it is very expensive and painstaking to develop an alternative firmware. A hacker must obtain the hard drive vendor's internal documentation (which is nearly impossible), purchase some drives of the exact same model, develop and test required functionality, and squeeze malicious routines into existing firmware, all while keeping its original functions. This is very high profile engineering which requires months of development and millions in investment," Malenkovich wrote.

He also wrote that firmware development cannot be scaled easily, as hard drive vendors release firmware for multiple drives each month for new models of drives continually being introduced.

"Don't rush to find your screwdriver -- we don't expect this ultimate infection ability to become mainstream," he wrote.

It remains to be seen whether the hard drive firmware modification might some day be duplicated on a widespread scale, or whether certain organizations will find ways to selectively use it for their own purposes. But a Pandora's Box has been opened, letting the world know that such a capability exists.

This article originally appeared as an exclusive on the CRN Tech News App for iOS and Windows 8.