A new report from security software provider Kaspersky Lab has found that a group they’ve dubbed “Equation Group” has been hiding spying software deep within hard drives made by leading manufacturers including Seagate and Western Digital, in an attempt to eavesdrop on the majority of computers worldwide.
Kaspersky said it found the spyware in computers across 30 countries, with the list reading like a geopolitical wet dream of countries the United States either doesn’t like, or is highly competitive with; Iran had the highest number of infections, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists.
The report explained that the advantage of burying the spyware on a hard drive is the level of persistence it provides, since the implant survives disk formatting and OS reinstallation; Kaspersky notes that once the malware gets into the firmware, it is available to “resurrect” itself forever.
Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky, added that “another dangerous thing is that once the hard drive gets infected with this malicious payload, it is impossible to scan its firmware. To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware.”
Where hard drives weren’t already affected, Kaspersky claims that the attackers used other methods to infect targets, not only over the internet but also in the physical world.
The group is claimed to have intercepted physical goods in transit and replaced them with Trojanized versions; in one example, participants of a scientific conference were sent conference materials on a CD-ROM that was then used to install the group’s DoubleFantasy implant on the target’s machine.
Kaspersky said that it had observed seven exploits used by Equation Group in its malware, at least four of which were zero-day attacks. At least one previously unknown exploit was observed that specifically targeted the Tor browser.
Kaspersky declined to name the country behind the spying campaign but said Equation Group was linked to Stuxnet, a National Security Administration (NSA) tool that was used to attack Iran’s nuclear program; it’s a fair guess that this link implies that Equation Group is a section of the NSA itself, which means that the spyware is being placed by the Government of the United States of America.