Kaspersky has discovered a hacking group that implants malicious code in hard-drive firmware, and speculates that the group is tied to the US National Security Agency (NSA).

Intro

The team of malicious actors has been dubbed the "Equation Group" by researchers from Moscow-based Kaspersky Lab, who describe them as "probably one of the most sophisticated cyber attack groups in the world" and "the most advanced threat actor we have seen."

This hacking group, known as the Equation Group, is regarded by Kaspersky's Moscow-based researchers as probably one of the most sophisticated and most threatening cyber attack groups operating today.

Russian security experts reportedly uncovered state-created spyware hidden in the hard drive firmware of more than a dozen of the industry's largest manufacturers, including Samsung, Western Digital, Seagate, Maxtor, Toshiba and Hitachi.
These infected hard drives would have given the attackers persistence on victims' computers and allowed them to set up secret data stores on the machines, accessible only to the malicious hackers.

Hard drives from many major manufacturers were hit, including Samsung, WD, Seagate, Maxtor, Toshiba and Hitachi. These infected drives let the attackers implant hidden data that only they can access. (Doesn't that mean almost no hard drive is safe to use...?)

One of the most sophisticated features of these notorious hacking tools is the ability to infect not just the files stored on a hard drive, but also the firmware controlling the hard drive itself. The malware is hidden so deep within the hard drive that it is difficult to detect or remove.

It can infect not just the files on the drive but, more seriously, the firmware that controls the drive, making it extremely hard to detect and remove.

If present, once the victim inserts the infected storage medium (such as a CD or USB drive) into an internet-connected PC, the malicious code lets the attackers snoop on the victim's data and map networks that would otherwise be inaccessible.

Once an infected CD or USB drive is plugged into an internet-connected computer, the attackers can snoop on the victim's data and map out where the user sits on the network.

Such an exploit could survive a complete hard drive wipe or the reinstallation of an operating system, and "exceeds anything we have ever seen before."

Neither formatting the drive nor reinstalling the operating system can remove this malware; it goes beyond any malware we have seen so far.

The firm recovered two modules belonging to the Equation Group, dubbed EquationDrug and GrayFish. Both were used to reprogram hard drives, giving the attackers the ability to persistently control a target machine.

The malware includes two modules, EquationDrug and GrayFish. Both are used to reprogram the hard drive, which gives the attackers persistent control over the victim's computer.

GrayFish can install itself into a computer's boot record — software code that loads before the operating system itself — and stores all of its data inside a portion of the operating system known as the registry, where configuration data is normally stored.

GrayFish can install itself into the computer's boot record and store its own data in the operating system's registry.

EquationDrug, on the other hand, was designed for older versions of Windows, and "some of the plugins were designed originally for use on Windows 95/98/ME" — versions so old that they offer a good indication of the Equation Group's age.

EquationDrug, by contrast, was designed for early Windows operating systems; some of its plugins were even built for Windows 95/98/Me, which shows that the Equation Group has been around for quite some time.

Security researchers are calling the malware the "ancestor" of Stuxnet and Flame, the most sophisticated and powerful threats of their kind, specially designed to spy on and sabotage ICS and SCADA systems.

Security researchers regard this malware as the prototype of Stuxnet and Flame.

Kaspersky declined to publicly name the country or agency behind the spying campaign, but said it was closely linked to Stuxnet — the NSA-led cyberweapon that was used to sabotage Iran's uranium enrichment facility.

Kaspersky did not say who is backing the Equation Group, but stated that it is closely linked to Stuxnet (the tool the NSA used to attack Iran's nuclear plant).

Another reason is that most of the infections discovered by the Moscow-based security firm have occurred in countries that are frequently US spying targets, such as China, Iran, Pakistan and Russia.

Another reason for the suspicion is that the countries where the infections occurred are almost all countries under US surveillance, such as China, Iran, Pakistan and Russia.

For its part, the NSA declined to comment on the report.

The NSA has so far declined to make any comment on this.
