Kaspersky Lab reveals NSA malware that infects Hard Drive firmware

Tm Net has detected a fault on the Asia-America Gateway (AAG) Submarine Cable
February 5, 2015
BolehVPN's Warrant Canary
February 20, 2015
Show all

Kaspersky Lab reveals NSA malware that infects Hard Drive firmware

Kaspersky Lab, a prominent antivirus vendor has recently revealed that an advanced hacker group whom they call the “Equation Group” has been successfully installing malicious hard drive firmware in more than a dozen hard drive vendors (basically everyone).  By reprogramming the HDD (hard drive) firmware, it is an extremely persistent infection that cannot be wiped by formatting the drive or by reinstalling the operating system. It acts as “an invisible, persistent storage hidden inside the hard drive”. This malware is surreptiously named “nls_933w.dll“.

Although Kaspersky Labs do not name the NSA, Reuters’ sources confirmed that this firmware was a NSA creation and this is further evidenced with the malware’s close links to other seemingly politically and defense motivated malware programs such as Stuxnet and Flame.



On the bright side, the targets of this malware seem to be mainly in the Middle East or Russia and according to Vitaly Kamluk, principal security researcher at Kaspersky Lab’s Global Research and Analysis Team,

“Only a very select list of victims receive this. This is one of the most rare modules I have seen because it is so valuable, so they don’t want to expose it. It’s a precious plugin that’s used only in specific cases with somebody very important.” 

It is also very hard to detect:

“It’s extremely hard to detect. From the software level it’s impossible. You have to disassemble your PC to take out the hard drive and give it to an expert to dump the firmware. And then we think very few people in the world would be capable of analyzing, comparing and revealing the malicious code within that firmware. It’s an extremely rare specialist in this area.” 

So what do we do?


Destroy it!



At the moment, it isn’t clear how we can check if we are detected and our searches for a removal tool yielded some unconvincing ‘removal tools’ of doubtful integrity. Just hang in tight and in general if you’re not a high value target, most likely you’re not affected.



  1. FrankN.Stein says:

    Is it really possible, while I’m sitting here running my computer, for some hacker (NSA) to flash the hard drive firmware? I’ve flashed the motherboard, graphics card and modem, and it’s always a bloody drama, followed by a message demanding an instant re-boot!

    • Reuben says:

      No, mostly likely those hard drives come out of the factory and then are intercepted and then delivered. There is some evidence that the NSA does this already.

  2. FrankN.Stein says:

    So, the spooks sit outside the factories that make these HDs, wait for the trucks to exit and then hi-jack them, flash the lot, which would amount to perhaps a couple of thousand; then make sure they were all shipped to the intended target country!? Super spooks, or Kaspershy Lab causing fear and angst?

  3. Reuben says:

    It wasn’t the first time the operators—dubbed the “Equation Group” by researchers from Moscow-based Kaspersky Lab—had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group’s extensive library. (Kaspersky settled on the name Equation Group because of members’ strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques.)

  4. Drac.U.La says:

    Frankly the only way this kind of nonsense is going to stop is for the criminal thugs of the NSA to be held accountable. Americans need to put the scum responsible on trial for treason and sedition, applying the death penalty upon a guilty verdict.

  5. Robin says:

    Such a shocking news. They just want to keep us under their radar. I hope kaspersky works and brings some removal tool to help people privacy.

Leave a Reply

Your email address will not be published. Required fields are marked *