Spyware Embedded by U.S. in Foreign Networks, Security Firm Says
By NICOLE PERLROTH and DAVID E. SANGER February 17, 2015
SAN FRANCISCO — The United States has found a way to permanently embed surveillance and sabotage tools in computers and networks it has targeted in Iran, Russia, Pakistan, China, Afghanistan and other countries closely watched by American intelligence agencies, according to a Russian cybersecurity firm.
In a presentation of its findings at a conference in Mexico on Monday, Kaspersky Lab, the Russian firm, said that the implants had been placed by what it called the “Equation Group,” which appears to be a veiled reference to the National Security Agency and its military counterpart, United States Cyber Command.
It linked the techniques to those used in Stuxnet, the computer worm that disabled about 1,000 centrifuges in Iran’s nuclear enrichment program. It was later revealed that Stuxnet was part of a program code-named Olympic Games and run jointly by Israel and the United States.
Sergei Karpukhin/Reuters
Kaspersky Lab’s Moscow headquarters. The company says the United States has permanently implanted surveillance tools in foreign networks.
Kaspersky’s report said that Olympic Games had similarities to a much broader effort to infect computers well beyond those in Iran. It detected particularly high infection rates in computers in Iran, Pakistan and Russia, three countries whose nuclear programs the United States routinely monitors.
Some of the implants burrow so deep into the computer systems, Kaspersky said, that they infect the “firmware,” the embedded software that initializes the computer’s hardware before the operating system starts. Such an implant is beyond the reach of existing antivirus products and most security controls, Kaspersky reported, making it virtually impossible to wipe out.
In many cases, it also allows the American intelligence agencies to grab the encryption keys off a machine, unnoticed, and unlock scrambled contents. Moreover, many of the tools are designed to run on computers that are disconnected from the Internet, which was the case in the computers controlling Iran’s nuclear enrichment plants.
Kaspersky noted that of the more than 60 attack groups it was tracking in cyberspace, the so-called Equation Group “surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades.”
Kaspersky Lab was founded by Eugene Kaspersky, who studied cryptography at a high school co-sponsored by the K.G.B. and once worked for the Russian military. Its studies, including one describing a cyberattack of more than 100 banks and other financial institutions in 30 countries, are considered credible by Western experts.
The fact that security software made by Kaspersky Lab is not used by many American government agencies has made it more trusted by other governments, like those of Iran and Russia, whose systems are closely watched by United States intelligence agencies. That gives Kaspersky a front-row seat to America's digital espionage operations.
The firm’s researchers say that what makes these attacks particularly remarkable is their way of attacking the actual firmware of the computers. Only in rare cases are cybercriminals able to get into the actual guts of a machine.
Recovering from a cyberattack typically involves wiping the computer’s operating system and reinstalling software, or replacing a computer’s hard drive. But if the firmware gets infected, security experts say, it can turn even the most sophisticated computer into a useless piece of metal.
In the past, security experts have warned about “the race to the bare metal” of a machine. As security around software has increased, criminals have looked for ways to infect the actual hardware of the machine. Firmware is about the closest to the bare metal you can get — a coveted position that allows the attacker not only to hide from antivirus products but also to reinfect a machine even if its hard drive is wiped.
“If the malware gets into the firmware, it is able to resurrect itself forever,” Costin Raiu, a Kaspersky threat researcher, said in the report. “It means that we are practically blind and cannot detect hard drives that have been infected with this malware.”
The possibility of such an attack is one that math researchers at the National Institute of Standards and Technology, a branch of the Commerce Department, have long cautioned about but have very rarely seen. In an interview last year, Andrew Regenscheid, a math researcher at the institute, warned that such attacks were extremely powerful. If the firmware gets corrupted, Mr. Regenscheid said, “your computer won’t boot up and you can’t use it. You have to replace the computer to recover from that attack.”
That kind of attack also makes for a powerful encryption-cracking tool, Mr. Raiu noted, because it gives attackers the ability to capture a machine’s encryption password, store it in “an invisible area inside the computer’s hard drive” and unscramble a machine’s contents.
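From the host’s side, the “invisible area” of a drive that Mr. Raiu describes is, at best, space that no partition claims. The Python script below is an added example, not Kaspersky’s code or anything from its report: it builds a constructed MBR disk image in memory, lists every sector range outside the MBR and the partitions, and flags non-zero runs whose byte entropy looks like key material or ciphertext rather than bootloader code. The image layout, the bootloader-like blob at LBA 1, the random payload at LBA 100 and the 7.0-bit entropy threshold are all assumptions made for the demonstration. The caveat is the one the article itself makes: the scan covers only sectors the host can read, so a range that compromised drive firmware hides from the host never appears in it, and a firmware implant can keep reinfecting a drive that this scan reports clean.

```python
import math
import random
import struct
from collections import Counter

SECTOR = 512


def parse_mbr(image: bytes):
    """Return (start_lba, sector_count) for each used entry in the MBR partition table."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]                                    # partition type byte
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, sector count
        if ptype != 0 and count:
            parts.append((start, count))
    return sorted(parts)


def unallocated_ranges(image: bytes, parts):
    """[start, end) sector ranges covered by neither the MBR sector nor any partition."""
    total = len(image) // SECTOR
    ranges = []
    cursor = 1  # sector 0 is the MBR itself
    for start, count in parts:
        if start > cursor:
            ranges.append((cursor, start))
        cursor = max(cursor, start + count)
    if cursor < total:
        ranges.append((cursor, total))
    return ranges


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for keys or ciphertext, well under 6 for code or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _describe(image, lo, hi, min_entropy):
    ent = shannon_entropy(image[lo * SECTOR:hi * SECTOR])
    return {"start_lba": lo, "sectors": hi - lo,
            "entropy": round(ent, 2), "suspicious": ent >= min_entropy}


def find_hidden_data(image: bytes, min_entropy: float = 7.0):
    """Non-zero sector runs in unallocated space, flagged when their entropy is high.

    Only space the host can address is scanned: sectors that compromised drive
    firmware hides from the host are not part of `image` and cannot be found here.
    """
    hits = []
    for lo, hi in unallocated_ranges(image, parse_mbr(image)):
        run_start = None
        for lba in range(lo, hi):
            nonzero = any(image[lba * SECTOR:(lba + 1) * SECTOR])
            if nonzero and run_start is None:
                run_start = lba
            elif not nonzero and run_start is not None:
                hits.append(_describe(image, run_start, lba, min_entropy))
                run_start = None
        if run_start is not None:
            hits.append(_describe(image, run_start, hi, min_entropy))
    return hits


def build_sample_image(total_sectors: int = 4096, seed: int = 1234) -> bytes:
    """Constructed disk image (an assumption, not captured data): one Linux partition
    at LBA 2048, a bootloader-like text blob at LBA 1, and 2 KiB of seeded random
    bytes standing in for a stashed key at LBA 100."""
    img = bytearray(total_sectors * SECTOR)
    entry = bytes([0x00, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", 2048, total_sectors - 2048)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    loader = (b"GRUB core image placeholder " * 200)[:8 * SECTOR]  # legitimate gap occupant
    img[1 * SECTOR:9 * SECTOR] = loader
    rng = random.Random(seed)
    stash = bytes(rng.getrandbits(8) for _ in range(4 * SECTOR))
    img[100 * SECTOR:104 * SECTOR] = stash
    return bytes(img)


if __name__ == "__main__":
    for hit in find_hidden_data(build_sample_image()):
        print(hit)
```

On a BIOS-booted machine the gap between the MBR and the first partition legitimately holds bootloader stages, so compare results against a known-good baseline of that machine rather than treating every non-zero run as hostile; the low-entropy run at LBA 1 in the sample stands in for that case, and only the high-entropy run at LBA 100 is flagged.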
Kaspersky’s report also detailed the group’s efforts to map out so-called air-gapped systems that are not connected to the Internet, including Iran’s nuclear enrichment facilities, and infect them using a USB stick. To get those USB devices onto the target machines, the report said, the attackers have in some cases intercepted them in transit.
Documents revealed by the former National Security Agency contractor Edward J. Snowden detailed the agency’s plans to leap the “air gaps” that separate computers from the outside world, including efforts to install specialized hardware on computers being shipped to a target country. That hardware can then receive low-frequency radio waves broadcast from a suitcase-size device that the N.S.A. has deployed around the world. At other times the air gaps have been leapt by having a spy physically use a USB stick to infect the adversary’s computer.
Basing its estimate on the time stamps in the code, the Kaspersky presentation said the Equation Group had been infecting computers since 2001 but aggressively ramped up its capabilities in 2008, the year that President Obama was elected, doubling down on digital tools to spy on America’s adversaries.
While the United States has never acknowledged conducting any offensive cyberoperations, President Obama discussed the issue in general in an interview on Friday with Re/code, an online computer industry publication, describing offensive cyberweapons as being unlike traditional weapons.
“This is more like basketball than football, in the sense that there’s no clear line between offense and defense,” said Mr. Obama, himself a basketball player. “Things are going back and forth all the time.”
Copyright © 2013 The New York Times Company. All rights reserved.
Translation: 陳柳, 陳亦亭