A Trojan That Modifies Hard Drive Firmware: Exploring the Attack Components of the EQUATION Group
1. Background
On February 18, 2015, following an urgent assessment, Antiy began preliminary analysis and verification of the attack components used by the group referred to by competitors as “Equation”. A cross-departmental joint analysis team was formally established on February 25, and the first version of this report was completed on March 4.
The background of the incident is as follows. Starting on February 16, Kaspersky Lab released a series of reports (hereinafter the “Competitor Report”) disclosing what may be the most sophisticated cyber attack group known to date, the “Equation Group”[1]. According to Kaspersky Lab, C&C infrastructure used by the group was registered as early as 1996, suggesting that the group may have been active for 20 years. For many years it has held an absolute advantage because it consistently discovers vulnerabilities earlier than other groups. The group maintains an extensive arsenal of implants (six of which were disclosed in the Competitor Report), including two malicious modules that can reprogram the firmware of hard drives from dozens of common brands. This may be the most distinctive weapon in the group’s possession, and it is also the first known malicious code that can infect hard drive firmware. In the Competitor Reports of February 17 and February 19, detailed analyses of two of the modules, Fanny[2] and DoubleFantasy[3], were released in turn. Based on the available clues, Kaspersky believes the targets of the attacks include countries such as Russia, India, and China. Citing Kaspersky’s report, some media outlets have inferred that the attack group may be linked to US intelligence agencies.
Given the complexity of the samples and the unusual nature of the targeted hard drive firmware, the analysis has progressed extremely slowly. We are currently sharing our limited analysis work to encourage broader collaboration within the industry. Furthermore, this report does not repeat or cite content already thoroughly discussed in the competitor reports, so readers are advised to read the competitor reports first, and then read this report and provide feedback and suggestions.
2. Components Used by the Equation Group
The Equation group’s known arsenal includes at least six “tools”: EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny, and GrayFish. Antiy engineers refer to these as “components”. In addition to these six components, the competitor reports also provide hashes of other malware the group may use. These hashes correspond to programs including EQUESTRE (similar to EquationDrug), the GROK keylogger, the DoubleFantasy installer, the LNK exploit _SD_IP_CF.dll, and the module nls_933w.dll, which can reprogram hard drive firmware and warrants particular attention.
| Component Name | Description | Time |
| --- | --- | --- |
| EquationLaser | An early implant used by the Equation group, roughly between 2001 and 2004; compatible with Windows 95/98. | 2001-2003 |
| EquationDrug | A highly sophisticated attack component that supports a plugin system whose modules attackers can dynamically upload and uninstall. Suspected to be an upgraded version of EquationLaser. | 2003-2013 |
| DoubleFantasy | A validator Trojan that confirms whether the victim is the intended target. If confirmed, the implant is escalated to a more sophisticated platform such as EquationDrug or GrayFish. | 2004-2012 |
| TripleFantasy | A full-featured backdoor, sometimes used together with GrayFish. It appears to be an upgraded version of DoubleFantasy, possibly a newer validator plugin. | 2012-present |
| Fanny | A worm created in 2008 that spread via USB devices, attacking physically isolated (air-gapped) networks and sending collected information back to the attackers. It was used to gather information on targets in the Middle East and Asia. Some victim hosts appeared to be upgraded to DoubleFantasy and then to EquationDrug. Fanny exploited two zero-day vulnerabilities that were later used by Stuxnet. | 2008-2011 |
| GrayFish | Resides entirely in the registry and relies on a bootkit to execute when the operating system starts. | 2008-present |
Diagram illustrating the attack involving the six components of the Equation group:

Figure 1 Component Relationship Diagram
When launching an attack, Equation selects Fanny, DoubleFantasy, or TripleFantasy as the attack precursor. Once it is confirmed that the target is the attacker’s intended target, more complex components such as EquationDrug or GrayFish will be used.
Antiy’s analysis team is currently focusing on the attack precursor component (DoubleFantasy) and the more complex components (EquationDrug and GrayFish). The team is also analyzing nls_933w.dll, which has hard drive firmware reprogramming capabilities.
3. DoubleFantasy Component Analysis
The DoubleFantasy component is used to identify the target of the attack. If the target falls within an area of interest to the Equation group, more complex additional components are then delivered to the compromised machine from a remote location.
The competitor’s report has already analyzed the DoubleFantasy component in detail. Antiy’s analysis team originally planned only to analyze and verify the component, but during verification it found that the component had previously been analyzed, along with other related malicious code; at the same time, Antiy also discovered information that was not disclosed in the competitor’s report.
3.1 Security Software Detection
The DoubleFantasy component enumerates registry keys to check whether security software is installed on the system. The list of security software is stored in the resource section, XOR-encrypted with the key 0x79. The competitor’s report listed 10 security products that it detects. The Antiy analysis team found, however, that the component actually checks for 13 security products: in addition to the 10 disclosed in the competitor’s report, it detects products from 360, BitDefender, and Avira.

Given that the majority of 360 Security Guard’s users are in China, this further confirms that China is also one of the targets of the Equation group’s attacks.
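The following is an added analysis helper, not code from the report or from the sample, showing how a single-byte XOR-encrypted string table such as the one described above can be decoded and how the key can be recovered when it is not known in advance. It assumes the resource is a NUL-separated list of ASCII strings; the vendor entries are constructed placeholders, not the real 13 entries.

```python
from typing import List, Optional

KNOWN_KEY = 0x79  # single-byte XOR key the report attributes to DoubleFantasy's resource

# Constructed placeholder entries standing in for the encrypted vendor list;
# they are not the real entries carried by the sample.
SAMPLE_ENTRIES = [
    b"SOFTWARE\\VendorA\\Antivirus",
    b"SOFTWARE\\VendorB\\Firewall",
    b"SOFTWARE\\VendorC\\Guard",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def build_sample_resource(entries: List[bytes] = SAMPLE_ENTRIES,
                          key: int = KNOWN_KEY) -> bytes:
    """Pack NUL-terminated strings and XOR them, mimicking the assumed
    layout of the resource (a NUL-separated string table)."""
    raw = b"".join(e + b"\x00" for e in entries)
    return xor_bytes(raw, key)


def guess_xor_key(blob: bytes) -> int:
    """Recover a single-byte key without knowing it in advance.

    A NUL-terminated string table ends with 0x00, so its final ciphertext
    byte is the key itself. The guess is confirmed by checking that every
    decoded byte is printable ASCII or a NUL separator.
    """
    if not blob:
        raise ValueError("empty resource")
    key = blob[-1]
    plain = xor_bytes(blob, key)
    if not all(b == 0 or 0x20 <= b < 0x7F for b in plain):
        raise ValueError("resource does not decode to a printable string table")
    return key


def decode_string_table(blob: bytes, key: Optional[int] = None) -> List[str]:
    """Decrypt the resource and split it into the individual vendor strings."""
    if key is None:
        key = guess_xor_key(blob)
    plain = xor_bytes(blob, key)
    return [s.decode("ascii") for s in plain.split(b"\x00") if s]


if __name__ == "__main__":
    blob = build_sample_resource()
    print(f"recovered key: {guess_xor_key(blob):#04x}")
    for entry in decode_string_table(blob):
        print(entry)
```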
3.2 Return Information
DoubleFantasy collects system information and sends it back to the attacker in the following format:
000: MAC address; 001: IP address; …; 019: Current time
The detailed information returned is as follows:
| Label | Description | Label | Description | Label | Description |
| --- | --- | --- | --- | --- | --- |
| 000 | MAC address | 007 | System patch information (CSDVersion, e.g., SP1) | 014 | Network connection type |
| 001 | IP address | 008 | CurrentBuildNumber (e.g., 2600) | 015 | Installed software information |
| 002 | Sample version number | 009 | System CurrentVersion (e.g., 5.1) | 016 | Unknown |
| 003 | Sample ID | 010 | ProductID | 017 | This value does not exist |
| 004 | Proxy settings information | 011 | Location information 1 | 018 | 32-bit or 64-bit |
| 005 | Registration information 1 (RegisteredOwner) | 012 | Location information 2 | 019 | Current time |
| 006 | Registration information 2 (RegisteredOrganization) | 013 | System directory | | |
3.3 Communication Protocol
DoubleFantasy return packets have an unencrypted first byte followed by encrypted data. The 0x42 instruction, for example, is structured as follows:
Detailed functionality of instruction branch 0x42
Functions: reconnect to the network, initialize communication keys, delete itself, and clean up infection traces.
Control-terminal packet format: the first byte is the instruction code 0x42 and the second byte is the instruction branch, which has three values: 00 reconnect immediately; 01 initialize the communication key, then reconnect after sleeping for 60 seconds; 02 delete itself and clear infection traces.
Controlled-end return packet format: none.
3.4 New Version, C&C, Key
The competitor’s report provided the versions, C&C lists, and keys of the relevant components. Antiy further analyzed this information and obtained even more relevant details. In the following text, green indicates information from the competitor’s report, and red (bold) indicates new information discovered by Antiy.
Version List:
8.1.0.4 (MSREGSTR.EXE)
008.002.000.006
008.002.001.001
008.002.001.004
008.002.001.04A (subversion “IMIL3.4.0-IMB1.8.0”)
008.002.002.000
008.002.003.000
008.002.004.000
008.002.005.000
008.002.005.001
008.002.006.000
011.000.001.001
012.001.000.000
012.001.001.000
012.002.000.001
012.003.001.000
012.003.004.000
012.003.004.001
013.000.000.000
C&C as follows:
New Key:
37 08 EF 89 29 A7 4B 6B AB 3E 5D 03 F6 B0 B5 B3
66 39 71 3C 0F 85 99 81 20 19 35 43 FE 9A 84 11
8B 4C 25 04 56 85 C9 75 06 33 C0 5E C2 08 31 F6
32 EC 89 D8 0A 78 47 22 BD 58 2B A9 7F 12 AB 0C
The DoubleFantasy component is typically the first step in the Equation group’s infection of a victim: it confirms the victim’s identity through communication with the backdoor and checks of various system parameters. Once the victim is confirmed, the group deploys more sophisticated components such as EquationDrug or GrayFish.
4. EquationDrug Component Analysis
The EquationDrug component is a complex module. It existed for nearly 10 years before being replaced by its upgraded successor, GrayFish. Antiy’s analysis found that the two modules share some identical file names as well as similar obfuscation and encryption techniques; both decrypt, decompress, and extract files from resources. The analysis found a SYS file and a VXD file among the resources. VXD is a driver mechanism of Windows 9x, suggesting that this module can also infect Windows 9x systems. EquationDrug is a plugin platform with plugin installation and uninstallation capabilities.

Figure 2 Diagram of the Creation and Invocation Relationships for the EquationDrug Component
| Module Name | Function |
| --- | --- |
| msnadt.exe | Main functions include releasing files, decrypting resources, determining the system type, injecting code into a specified process, and loading drivers. |
| MSDIRECTX.EXE | Creates INSTV3.BAT and runs it to delete itself. |
| MSCFG32.exe | Loads MSCFG32.DLL and adds and modifies registry entries. |
| MSCFG32.DLL | Adds and modifies registry entries and releases the unity.dll file. It is related to the driver files and contains network functionality. |
| unity.dll | Performs a large number of file and registry operations. |
| MSNDSRV.SYS, MSSVC32.VXD | Functionally almost identical; the VXD is used under Windows 9x. Their main functions are hooking, network monitoring, and writing files. They also check whether MSlog32.dat exists on the system: if it does, they open it and write data to it; otherwise, they create it. |
| INSTV3.BAT, INSTV4.BAT | Self-deletion scripts. |
4.1 Security Software Detection
The component enumerates registry keys to determine whether security software is installed on the system; the list of security software is stored in the resource section.
It detects a larger and more diverse set of security software than the DoubleFantasy component, but among Chinese products it only checks for Rising, not the more popular 360. This corroborates the earlier conclusion that this component was replaced by a newer one. The registry keys it checks are as follows:
Zone Labs\TrueVector\
Zone Labs\ZoneAlarm\
KasperskyLab\
Network Ice\BlackIce\
Agnitum\Outpost Firewall\
Sygate Technologies, Inc.\Sygate Personal Firewall\
Norman\
Data Fellows\F-Secure\
PWI, Inc.
rising\
Softwin\
network associates\tvd\shared components\on access scanner\behaviourblocking\FileBlockEnabled_27!=0
network associates\tvd\shared components\on access scanner\behaviourblocking\FileBlockEnabled_28!=0
network associates\tvd\shared components\on access scanner\behaviourblocking\FileBlockEnabled_29!=0
network associates\tvd\shared components\on access scanner\behaviourblocking\FileBlockEnabled_30!=0
McAfee\ePolicy Orchestrator\Application Plugins\VIRUSCAN8600
Sophos\
CA\CAPF\
CA\HIPSEngine\
Cisco\
Symantec\IDS\
Symantec\Norton 360\
Symantec\Internet Security\SuiteOwnerGuid\
Symantec\Norton AntiBot\
Symantec\Symantec Endpoint Protection\
Tiny Software\Tiny Firewall\
CyberMedia Inc\Guard Dog\
McAfee\Guard Dog\
McAfee Firewall
McAfee\Personal Firewall\
McAfee.com\Personal Firewall\
Network Associates\McAfee Fire\
Kerio\
BullGuard Ltd.\BullGuard\
The Greenbow\
Panda Software\Firewall\
TrendMicro\PC-cillin\
ComputerAssociates\eTrust Suite Personal\pfw\
Grisoft\Firewall\
4.2 Analysis of the Driver Module MSNDSRV.SYS
1. During driver initialization, all network cards are enumerated from the registry, and the function `NdisRegisterProtocol` is then called to register an NDIS protocol structure with the NDIS library. After registration, the driver can receive all network traffic on the local machine, similar to the packet-capture mechanism of WinPcap. The relevant code is as follows:

2. The function addresses in KeServiceDescriptorTable have been modified.

Figure 3 Function Addresses in the Original KeServiceDescriptorTable

Figure 4 Function Addresses in the Modified KeServiceDescriptorTable
The modified function address contains only a JMP instruction. If the function in KeServiceDescriptorTable is not one the driver wants to hook, the JMP leads straight back to the original function; otherwise it leads to the driver’s own function.
For example, the address of nt!NtAcceptConnectPort in KeServiceDescriptorTable is 820742b1, where the instruction is:
    820742b1 2eff25b8420782 jmp dword ptr cs:[820742B8h]
The dword at 820742B8 holds the original address of NtAcceptConnectPort (this function is not hooked). The function NtTerminateProcess has the address 81cf9ebd in KeServiceDescriptorTable, where the instruction is:
    81cf9ebd 2eff25c49ecf81 jmp dword ptr cs:[81CF9EC4h]
The dword stored at 81CF9EC4, b1fd6eae, points to a function inside the driver, so NtTerminateProcess is hooked. The functions currently hooked by the driver are as follows:
NtClose
NtCreateFile
NtCreateKey
NtCreateProcess
NtCreateProcessEx
NtCreateThread
NtEnumerateKey
NtOpenFile
NtOpenKey
NtOpenProcess
NtQueryAttributesFile
NtQueryDirectoryFile
NtQueryDirectoryObject
NtQueryFullAttributesFile
NtQueryKey
NtQuerySystemInformation
NtSetInformationFile
NtTerminateProcess
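As an added detection example (not code from the report), the check below follows each SSDT entry through the `jmp dword ptr cs:[slot]` stub described above and reports whether the pointer in the slot lands back inside the kernel image or outside it, which is the tell-tale of the hook. It runs over a constructed memory image that reproduces the two stubs quoted above; the kernel image range, the original NtAcceptConnectPort address 0x8208a110 and the untouched NtYieldExecution entry are assumptions.

```python
import struct
from typing import Dict, Tuple

# Assumed address range of the kernel image for this sample (constructed; both
# SSDT entries quoted in the report, 820742b1 and 81cf9ebd, fall inside it).
NT_IMAGE_RANGE = (0x81C00000, 0x82400000)

# Opcode bytes of 'jmp dword ptr cs:[imm32]', the stub the report shows at
# every modified SSDT entry (2e ff 25 <slot address>).
JMP_INDIRECT_CS = b"\x2e\xff\x25"


class Memory:
    """Minimal sparse model of kernel memory: byte segments keyed by base address."""

    def __init__(self, segments: Dict[int, bytes]):
        self.segments = segments

    def read(self, addr: int, n: int) -> bytes:
        for base, data in self.segments.items():
            if base <= addr and addr + n <= base + len(data):
                off = addr - base
                return data[off:off + n]
        raise KeyError(f"unmapped read at {addr:#010x}")

    def read_u32(self, addr: int) -> int:
        return struct.unpack("<I", self.read(addr, 4))[0]


def classify_ssdt_entry(mem: Memory, entry: int,
                        kernel: Tuple[int, int] = NT_IMAGE_RANGE) -> Tuple[str, int]:
    """Follow one SSDT entry and report where execution would really land.

    Returns (verdict, address):
      'entry_outside_kernel'  the table itself points outside ntoskrnl
      'direct'                ordinary code at the entry, no stub
      'trampoline_to_kernel'  the stub's slot points back into ntoskrnl
      'hooked'                the stub's slot points outside ntoskrnl (the driver)
    """
    lo, hi = kernel
    if not lo <= entry < hi:
        return "entry_outside_kernel", entry
    code = mem.read(entry, 7)
    if code[:3] != JMP_INDIRECT_CS:
        return "direct", entry
    slot = struct.unpack("<I", code[3:7])[0]   # absolute address of the pointer slot
    target = mem.read_u32(slot)                # where the jmp really goes
    if lo <= target < hi:
        return "trampoline_to_kernel", target
    return "hooked", target


def audit_ssdt(mem: Memory, ssdt: Dict[str, int],
               kernel: Tuple[int, int] = NT_IMAGE_RANGE) -> Dict[str, Tuple[str, int]]:
    return {name: classify_ssdt_entry(mem, addr, kernel) for name, addr in ssdt.items()}


def build_sample() -> Tuple[Memory, Dict[str, int]]:
    """Constructed memory image reproducing the two stubs quoted in the report
    plus one untouched entry. The original NtAcceptConnectPort address
    (0x8208a110) and the NtYieldExecution entry are placeholders."""
    segments = {
        # 820742b1: jmp dword ptr cs:[820742B8h]; slot at 820742b8 -> original routine
        0x820742B1: JMP_INDIRECT_CS + struct.pack("<I", 0x820742B8)
                    + struct.pack("<I", 0x8208A110),
        # 81cf9ebd: jmp dword ptr cs:[81CF9EC4h]; slot at 81cf9ec4 -> b1fd6eae (driver)
        0x81CF9EBD: JMP_INDIRECT_CS + struct.pack("<I", 0x81CF9EC4)
                    + struct.pack("<I", 0xB1FD6EAE),
        # ordinary prologue: mov edi,edi / push ebp / mov ebp,esp / pop ebp / ret
        0x81D2C3F0: b"\x8b\xff\x55\x8b\xec\x5d\xc3",
    }
    ssdt = {
        "NtAcceptConnectPort": 0x820742B1,
        "NtTerminateProcess": 0x81CF9EBD,
        "NtYieldExecution": 0x81D2C3F0,
    }
    return Memory(segments), ssdt


if __name__ == "__main__":
    mem, ssdt = build_sample()
    for name, (verdict, addr) in audit_ssdt(mem, ssdt).items():
        print(f"{name:24s} {verdict:22s} {addr:#010x}")
```

On a live system the same logic applies to an SSDT and code bytes read from a memory image, with the kernel range taken from the loaded-module list.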
5. GrayFish Component Analysis
GrayFish is the most sophisticated attack component in the Equation group, a new generation version of EquationDrug. The Antiy analysis team believes that its most important feature is that it does not rely on a file carrier, but exists completely in the registry. It relies on a bootkit to execute when the operating system starts. This mechanism penetrates the security products’ file-based detection mechanism, as well as related whitelist-based and trusted computing solutions.

The GrayFish component contains 13 encrypted resources, all of which are decrypted with the same algorithm:

The 13 decrypted files comprise 5 driver files (sys), 2 dynamic link libraries (dll), 4 files containing registry data, 1 configuration file containing the string “services.exe”, and 1 encrypted data file.
Dynamic debugging revealed that three driver files, hrilib.sys, msndsrv.sys, and netvt.sys, were released from the original sample and contain network-driver and registry-related functions. mscfg32_ks.dll calls mscfg32.dll and has functions such as creating remote threads, obtaining system information, and creating and deleting registry keys. Apart from the three released driver files, resource 102 contains registry-operation functions, while DesertWinterDriver.sys contains IoControlCode comparisons; its specific functionality requires further analysis.

In addition, the original sample generates a batch file to delete itself. The filename of this batch file is exactly the same as the filename used by EquationDrug for self-deletion, which also shows that there is a close relationship between the two.
6. Analysis of the Hard Drive Firmware Reprogramming Module nls_933w.dll
nls_933w.dll is a module with hard drive firmware reprogramming capabilities. Because hard drive firmware was an area in which the Antiy analysis team previously lacked expertise, the analysis has progressed very slowly. Current analysis suggests that when nls_933w.dll is called by another program, it releases the win32m.sys driver from its own resources. win32m.sys is responsible for communicating with the hard drive controller: it can determine the controller type, such as IDE or SATA, and send the corresponding control commands based on that type. Therefore, an attacker familiar with the vendor-specific ATA commands of the various hard drive manufacturers could use it to maliciously tamper with hard drive firmware.

Figure 5 Flowchart for Modifying Hard Drive Firmware
Through dynamic debugging, the Antiy analysis team discovered that the module interacts with win32m.sys by calling DeviceIoControl. Within win32m.sys, the team found handlers for multiple IoControlCode values and analyzed their corresponding functionality.

Figure 6 Functional Diagram Corresponding to IoControlCode
Antiy’s analysis team found that when the IoControlCode is 0x870021D0, nls_933w.dll sends the ATA command 0xEC to the hard disk controller to obtain identification information about the hard disk.

Figure 7 Obtaining Hard Drive Information
The figures below compare the data in memory before and after the DeviceIoControl call and show the disk information returned by the call:

ATA commands corresponding to other IoControlCodes require further analysis and discovery.
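The ATA command 0xEC mentioned above is IDENTIFY DEVICE, which returns a 512-byte block describing the drive. The following added example (not code from the report or the sample) parses that block into the fields a defender would record as a per-drive baseline, including the firmware revision string and whether the drive advertises support for the DOWNLOAD MICROCODE command, and compares two parses to flag a changed firmware string. The sample block is constructed for a fictitious drive; how the block is obtained from the host (via an IOCTL or a pass-through interface) is platform-specific and out of scope here.

```python
import struct
from typing import Dict, List

# Word offsets inside the 512-byte IDENTIFY DEVICE block (ATA/ACS). Strings
# are stored two characters per 16-bit word, first character in the high byte.
_SERIAL = (10, 19)
_FIRMWARE = (23, 26)
_MODEL = (27, 46)


def _ata_string(words: List[int], first: int, last: int) -> str:
    """Undo the per-word byte swap that little-endian reads introduce."""
    chars = []
    for w in words[first:last + 1]:
        chars.append(chr(w >> 8))
        chars.append(chr(w & 0xFF))
    return "".join(chars).strip()


def _pack_ata_string(words: List[int], first: int, last: int, text: str) -> None:
    n = (last - first + 1) * 2
    padded = text.encode("ascii")[:n].ljust(n, b" ")
    for i in range(last - first + 1):
        words[first + i] = (padded[2 * i] << 8) | padded[2 * i + 1]


def parse_identify(buf: bytes) -> Dict[str, object]:
    """Decode the identification fields worth baselining for a drive."""
    if len(buf) != 512:
        raise ValueError("IDENTIFY DEVICE returns exactly 512 bytes")
    words = list(struct.unpack("<256H", buf))
    w83 = words[83]
    if w83 & 0xC000 != 0x4000:          # bit 14 set and bit 15 clear => word 83 valid
        raise ValueError("word 83 not valid; feature bits cannot be trusted")
    lba28 = words[60] | (words[61] << 16)
    lba48 = (words[100] | (words[101] << 16)
             | (words[102] << 32) | (words[103] << 48))
    return {
        "serial": _ata_string(words, *_SERIAL),
        "firmware": _ata_string(words, *_FIRMWARE),
        "model": _ata_string(words, *_MODEL),
        "sectors": lba48 if w83 & (1 << 10) else lba28,  # bit 10: 48-bit addressing
        "download_microcode": bool(w83 & 1),              # bit 0: DOWNLOAD MICROCODE supported
    }


def build_sample_identify(serial: str, firmware: str, model: str,
                          sectors: int, download_microcode: bool) -> bytes:
    """Constructed IDENTIFY DEVICE block for a fictitious drive."""
    words = [0] * 256
    _pack_ata_string(words, *_SERIAL, serial)
    _pack_ata_string(words, *_FIRMWARE, firmware)
    _pack_ata_string(words, *_MODEL, model)
    lba28 = min(sectors, 0x0FFFFFFF)
    words[60], words[61] = lba28 & 0xFFFF, lba28 >> 16
    for i in range(4):
        words[100 + i] = (sectors >> (16 * i)) & 0xFFFF
    words[83] = 0x4000 | (1 << 10) | (1 if download_microcode else 0)
    return struct.pack("<256H", *words)


def baseline_changes(baseline: Dict[str, object],
                     current: Dict[str, object]) -> List[str]:
    """Fields that differ from the recorded baseline; an unexpected firmware
    string change on the same serial and model is what to alert on."""
    return [k for k in ("model", "serial", "firmware")
            if baseline.get(k) != current.get(k)]


if __name__ == "__main__":
    buf = build_sample_identify("S1234567890ABCDEF", "FW01.2B",
                                "EXAMPLE DRIVE MODEL", 536870912, True)
    print(parse_identify(buf))
```

A firmware string that still matches the baseline is necessary but not sufficient, since the string is reported by the firmware itself; the report's summary notes the lack of a trustworthy read-back interface for the firmware body.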
7. Mechanism Analysis of Attacks on Hard Drive Firmware
7.1 Hard Disk Structure and Working Principle
Whether it’s a traditional hard disk drive (HDD) or a solid-state drive (SSD), their overall structure is similar. A hard drive mainly consists of a processor, cache, boot ROM, and main storage media. For HDDs, there are also motor drive circuits and read/write head control circuits. A simplified block diagram is shown below:

Figure 8 Block Diagram of Hard Disk Principle
Since a hard drive’s circuit board already incorporates a CPU, memory, and ROM, it can be viewed as a small computer system capable of its own behavior under firmware control. Currently, most common hard drive processors are based on the ARM core, and newer hard drive controllers even employ multi-core architectures to ensure high-speed data transfer.
When the hard drive is powered on, the processor executes the on-chip Loader code. This code loads the Boot ROM into the cache and executes it (for the embedded processor on the hard drive, this is memory). The Boot ROM may be stored in the controller’s on-chip FLASH, a separate I2C EEPROM, an SPI FLASH chip, or the NAND FLASH array on the solid-state drive. After gaining control, the Boot ROM initializes the basic peripherals, initializes the main storage medium, loads the firmware from the main storage medium, starts the IDE/SATA bus interface driver module, and enters a standby state. At this point, the computer can operate the hard drive.
1) Traditional Mechanical Hard Drives
For most modern hard disk drives (HDDs), the main body of the firmware is typically stored in hidden sectors on the disk platter. After the Boot ROM initializes the head assembly according to the calibration data, it reads the firmware data from the hidden sectors and transfers control to the firmware body. After the firmware body completes its own initialization, it loads and starts the bus interface driver module. At this point, the hard drive completes the power-on boot process.
The internal structure of a hard disk drive is shown in the figure:

Figure 9 Composition and Structure of Mechanical Hard Disk
(http://jingyan.baidu.com/article/ab0b5630d88efdc15bfa7d60.html)
Hard drive data is stored on disk platters. When the hard drive is working, the spindle drives the platters to rotate at high speed, and the read/write head hovers a few micrometers above the platters, performing read/write operations through the giant magnetoresistance effect. The drive arm uses a voice coil motor, composed of a strong magnet and a coil, to locate the content to be read or written. The return spring device shown in the picture provides a restoring force to the drive arm, ensuring that the read/write head automatically returns to the Park area when the hard drive is powered off. The Park area has a soft support pad to hold the read/write arm in place when the hard drive is not working, preventing scratches to the platters from external vibrations.
2) Solid State Drive
Compared to hard disk drives (HDDs), solid-state drives (SSDs) have a much simpler structure due to the absence of mechanical components. A typical SSD can be described using the diagram below:

Figure 10 Block Diagram of a Solid-State Drive and Its Controller
(“JMF608SATA III NAND Flash Controller datasheet”)
The left box in the diagram shows the solid-state drive (SSD) controller, while the right side shows the onboard peripherals and NAND flash array. Some controller models also require external data buffer RAM, or cache. As can be seen from the diagram, the controller itself can constitute a complete computer system, and its boot process is similar to that of a hard disk drive (HDD), so it will not be repeated here.
3) Hard Drive Interface Specifications
Currently, both IDE and SATA hard drives follow the ATA command set. PCs use ATA commands to read and write to the hard drive.
ATA technology is a family of specifications related to IDE (Integrated Device Electronics). Initially, IDE was simply a hard drive interface technology intended primarily to integrate the controller with the disk drive. As IDE/EIDE became widespread, a global standardization effort consolidated the technical specifications in use since the interface’s inception into a global hard drive standard, creating ATA (Advanced Technology Attachment). ATA has undergone numerous revisions since, with each new generation of the interface building on the previous one and maintaining backward compatibility. In addition to read and write commands, hard drives also support advanced features such as Self-Monitoring, Analysis and Reporting Technology (SMART), the Host Protected Area (HPA) for capacity setting, and Automatic Acoustic Management (AAM). See “ATA/ATAPI Command Set-2 (ACS-2)” (a standard document of over 500 pages) for details.
7.2 Information Security Vulnerabilities of Hard Drives
It is particularly noteworthy that most hard drives now support firmware upgrades, implemented through the DOWNLOAD MICROCODE command or manufacturer-specific commands. Users can update the firmware on their drives using ATA commands with tools provided by the manufacturer, which lets manufacturers fix firmware bugs without recalling products: a software tool flashes the new firmware on the user’s system. For example, when some Seagate hard drives malfunctioned in December 2008, the company addressed the issue by releasing firmware update tools and instructions to flash the firmware. A similar example is the Western Digital C1 gate incident.
The following diagram illustrates the firmware upgrade process using the Seagate SandForce SF-2200 series solid-state drive as an example:

Figure 11 Seagate SandForce SF-2200 Series Solid-State Drive Firmware Upgrade Flowchart
This mechanism for upgrading firmware via host software (in-system) is very convenient, but it also means there is a risk of the firmware being maliciously tampered with. Moreover, such tampering can be carried out through software operations without the user’s knowledge.
As mentioned earlier, a hard drive is itself a complete embedded system, with its internal firmware running independently of the computer’s hardware and software. The firmware completely determines the hard drive’s read and write operations, and can even process data autonomously without the host’s knowledge. If an attacker designs sophisticated code in the hard drive’s firmware, they can intercept and interfere with the user’s read and write operations, or gain ultimate control of the system through this means. All of this is done on the hard drive itself, and the user in front of the computer, as well as the computer’s hardware and software, are completely unaware of this process, and even if they are aware, they cannot intervene in such actions.

Figure 12 Jasmine Development Board Structure Diagram
( http://www.openssd-project.org )
Taking the Jasmine development board from the OpenSSD project (an open-source SSD project for research purposes) as an example: if an attacker has a thorough understanding of a particular drive’s controller structure, including the on-chip peripheral address space, then a carefully crafted modified firmware can intercept specific controller behaviors and modify data in the DRAM cache during transfer. For example, by intercepting the ATA read command 20h and tampering with the cached data when a specific sector is read, the attacker can make the data the computer receives differ from what is stored on the disk, achieving a bottom-up attack. Because this method rewrites the data stream from the hard drive itself and thus completely bypasses the computer system, it remains harmful even after reinstalling the operating system or low-level formatting the drive.
8. Summary
Time always feels strangely familiar. On February 16, the 28th day of the 12th lunar month and just two days before the Spring Festival, information about the Equation attack group began to surface. This reminds us of the Slammer worm during the Little New Year in 2003, the Blaster worm on May Day in 2004, and the “ShellShock” vulnerability just before last year’s National Day. The difference, however, is that while those earlier incidents tested our emergency response speed, the Equation Group attack is testing our comprehensive preparedness, depth of capability, and analytical patience.
For Antiy’s analysis team, this was the first time they had felt so uneasy about releasing an analysis report. When they released the Dvldr (password worm) analysis report in 2003, they were so eager, hoping users would see their solutions as quickly as possible; when they released the Stuxnet analysis report, they were so reckless, believing their work was already sufficient; when they released the Flame series component analysis report, they were so lax: since the scale was too large to analyze all at once, they would simply do a relay-style analysis and release. But this time it was completely different. They were stuck, not because of encryption, drivers, or hiding, but because of “hard drive firmware”. For attacks that are meticulously planned and launched at a single point, the defender’s understanding of the crux of the problem often depends on how much manpower and time they are willing to invest.
We thought we were insightful, that we had been paying attention to embedded systems and firmware for a long time, and that we talked a lot about the generalization of threats. But when the threats actually appeared in front of us, we found that our opponents were more advanced and powerful, and how naive our so-called insight was.
What worries us equally is that reports on related incidents are becoming increasingly distorted. Many users have contacted us to verify and inquire whether “all hard drives have been infected with backdoor trojans”.
Therefore, although our analysis is ongoing, we still need to draw the following conclusions or judgments based on experience:
1. Firmware update mechanisms for hardware devices are an inevitable result of the development of software and hardware systems, and this mechanism itself cannot be called a backdoor. On the contrary, for many systems with firmware, the lack of an update mechanism would mean that problematic versions could not be patched, potentially leading to higher maintenance costs and also posing a significant security risk.
2. Based on the combined analysis results from Antiy, its competitors, and other organizations, it is speculated that the firmware writing behavior in the relevant attacks occurred when the malicious code sent back host information and was judged as a valuable target by the remote end. In other words, it is not a common behavior, but a high-level, conditional intrusion behavior.
3. Through long-term analysis and exploration, attackers can independently implement the relevant mechanisms without necessarily needing to infiltrate hard drive manufacturers to obtain technical documents, or even rely on hard drive manufacturers to proactively provide technical documents.
4. The key purpose of writing it into the hard drive firmware is to enable it to remain dormant and exist for a long time, but the upper-level operating capabilities still exist in the host system, and it can flexibly obtain other operating modules through the network.
5. Given the previous actions of relevant countries, we have reason to suspect that the same components could be used for supply chain hijacking, i.e., injected during the procurement, repair, or maintenance of specific host machines or hard drives. However, based on their operational methods and risk analysis, we have reason to believe that adversaries like Equation would typically not use this bootkit + firmware approach in batches.
6. However, we must also be wary of the warnings Bruce Schneier has issued. “More and more tactical behaviors from warfare are being applied to a wider range of cyberspace environments”, and once these new methods are exposed, they have a strong enlightening effect on the black market, thus leading to a proliferation of threats.
7. The attacks did indeed highlight security blind spots in the supply chain, specifically regarding the availability of effective signature verification mechanisms for hard drive firmware. Furthermore, for firmware already written to the hard drive, we haven’t found a low-cost, unconditional read interface. This design flaw makes detection and verification difficult for security analysts.
The planning of defensive positions cannot rely on imagined adversaries. Objectively viewing the relationship between security and development, conducting in-depth and specific analysis of threats, and assessing the strategies and paths of adversaries are always the cornerstones of our response to threats.
Appendix 1: References
1. Equation: The Death Star of Malware Galaxy
http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
2. A Fanny Equation: “I am your father, Stuxnet”
http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/
3. Equation Group: from Houston with love
http://securelist.com/blog/research/68877/equation-group-from-houston-with-love/
Appendix 2: Event Log
| Date | Event |
| --- | --- |
| 2015-02-18 | Event analysis and verification initiated |
| 2015-02-21 | Antiy CERT and Micro-Embedded joint analysis group established |
| 2015-02-25 | Comprehensive analysis initiated |
| 2015-03-02 | Writing of the preliminary analysis report begun |
| 2015-03-04 | First version of the analysis report |
| 2015-03-05 | Antiy CERT proofread the content and updated the version to V1.3 |
