Spyware Embedded by U.S. in Foreign Networks, Security Firm Says
Spyware Embedded by U.S. in Foreign Networks, Security Firm Says
By NICOLE PERLROTH and DAVID E. SANGER February 17, 2015
NICOLE PERLROTH, DAVID E. SANGER 2015年02月17日
SAN FRANCISCO — The United States has found a way to permanently embed surveillance and sabotage tools in computers and networks it has targeted in Iran, Russia, Pakistan, China, Afghanistan and other countries closely watched by American intelligence agencies, according to a Russian cybersecurity firm.
In a presentation of its findings at a conference in Mexico on Monday, Kaspersky Lab, the Russian firm, said that the implants had been placed by what it called the “Equation Group,” which appears to be a veiled reference to the National Security Agency and its military counterpart, United States Cyber Command.
周一，俄羅斯公司卡巴斯基實驗室(Kaspersky Lab)在墨西哥的一次會議上介紹其調查結果稱，這些工具由它所謂的「方程組」(Equation Group)植入，這裡似乎是暗指國家安全局(National Security Agency)及其對應的軍事機構網絡戰司令部(United States Cyber Command)。
It linked the techniques to those used in Stuxnet, the computer worm that disabled about 1,000 centrifuges in Iran’s nuclear enrichment program. It was later revealed that Stuxnet was part of a program code-named Olympic Games and run jointly by Israel and the United States.
Kaspersky’s report said that Olympic Games had similarities to a much broader effort to infect computers well beyond those in Iran. It detected particularly high infection rates in computers in Iran, Pakistan and Russia, three countries whose nuclear programs the United States routinely monitors.
Some of the implants burrow so deep into the computer systems, Kaspersky said, that they infect the “firmware,” the embedded software that preps the computer’s hardware before the operating system starts. It is beyond the reach of existing antivirus products and most security controls, Kaspersky reported, making it virtually impossible to wipe out.
In many cases, it also allows the American intelligence agencies to grab the encryption keys off a machine, unnoticed, and unlock scrambled contents. Moreover, many of the tools are designed to run on computers that are disconnected from the Internet, which was the case in the computers controlling Iran’s nuclear enrichment plants.
Kaspersky noted that of the more than 60 attack groups it was tracking in cyberspace, the so-called Equation Group “surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades.”
Kaspersky Lab was founded by Eugene Kaspersky, who studied cryptography at a high school co-sponsored by the K.G.B. and once worked for the Russian military. Its studies, including one describing a cyberattack of more than 100 banks and other financial institutions in 30 countries, are considered credible by Western experts.
The fact that security software made by Kaspersky Lab is not used by many American government agencies has made it more trusted by other governments, like those of Iran and Russia, whose systems are closely watched by United States intelligence agencies. That gives Kaspersky a front-row seat to America's digital espionage operations.
The firm’s researchers say that what makes these attacks particularly remarkable is their way of attacking the actual firmware of the computers. Only in rare cases are cybercriminals able to get into the actual guts of a machine.
Recovering from a cyberattack typically involves wiping the computer’s operating system and reinstalling software, or replacing a computer’s hard drive. But if the firmware gets infected, security experts say, it can turn even the most sophisticated computer into a useless piece of metal.
In the past, security experts have warned about “the race to the bare metal” of a machine. As security around software has increased, criminals have looked for ways to infect the actual hardware of the machine. Firmware is about the closest to the bare metal you can get — a coveted position that allows the attacker not only to hide from antivirus products but also to reinfect a machine even if its hard drive is wiped.
“If the malware gets into the firmware, it is able to resurrect itself forever,” Costin Raiu, a Kaspersky threat researcher, said in the report. “It means that we are practically blind and cannot detect hard drives that have been infected with this malware.”
The possibility of such an attack is one that math researchers at the National Institute of Standards and Technology, a branch of the Commerce Department, have long cautioned about but have very rarely seen. In an interview last year, Andrew Regenscheid, a math researcher at the institute, warned that such attacks were extremely powerful. If the firmware gets corrupted, Mr. Regenscheid said, “your computer won’t boot up and you can’t use it. You have to replace the computer to recover from that attack.”
隸屬於商務部(Commerce Department)的國家標準與技術研究院(National Institute of Standards and Technology)的數學研究人員多年來一直在發出警告，稱存在遭遇這種攻擊的可能性，但很少能實際見到它的發生。去年接受採訪時，該研究院的數學研究人員安德魯·雷根沙伊德(Andrew Regenscheid)警告稱，這類攻擊極其有力。雷根沙伊德表示，如果固件被感染了，「電腦就無法啟動和使用。不得不換電腦才能從攻擊中恢復過來。」
That kind of attack also makes for a powerful encryption-cracking tool, Mr. Raiu noted, because it gives attackers the ability to capture a machine’s encryption password, store it in “an invisible area inside the computer’s hard drive” and unscramble a machine’s contents.
Kaspersky’s report also detailed the group’s efforts to map out so-called air-gapped systems that are not connected to the Internet, including Iran’s nuclear enrichment facilities, and infect them using a USB stick. To get those devices onto the machines, the report said, the attackers have in some cases intercepted them in transit.
Documents revealed by the former National Security Agency contractor Edward J. Snowden detailed the agency’s plans to leap the “air gaps” that separate computers from the outside world, including efforts to install specialized hardware on computers being shipped to a target country. That hardware can then receive low-frequency radio waves broadcast from a suitcase-size device that the N.S.A. has deployed around the world. At other times the air gaps have been leapt by having a spy physically install use a USB stick to infect the adversary's computer.
前國家安全局承包商僱員愛德華·J·斯諾登(Edward J. Snowden)泄密的文件，詳細記述了國家安全局為跨越將電腦同外部世界隔離開的「物理距離」而展開計劃，包括在運往目標國家的電腦上安裝專業硬件等活動。這種硬件能接收NSA部署在世界各地的一種手提箱大小的設備發出的低頻無線電波。有的時候則直接跨過隔離帶，通過讓間諜使用U盤的方式，直接安裝到敵方的電腦里。
Basing its estimate on the time stamps in code, the Kaspersky presentation said, the Equation Group had been infecting computers since 2001, but aggressively began ramping up their capabilities in 2008, the year that President Obama was elected, and began doubling down on digital tools to spy on adversaries of America.
While the United States has never acknowledged conducting any offensive cyberoperations, President Obama discussed the issue in general in an interview on Friday with Re/code, an online computer industry publication, describing offensive cyberweapons as being unlike traditional weapons.
“This is more like basketball than football, in the sense that there’s no clear line between offense and defense,” said Mr. Obama, himself a basketball player. “Things are going back and forth all the time.”
Copyright © 2013 The New York Times Company. All rights reserved.