A hacker group codenamed Equation successfully infiltrated thousands of government agencies and private companies with a variety of attack tools referred to as the 'Death Star' of malware.
Researchers at Kaspersky Lab's GReAT (Global Research and Analysis Team) uncovered the Equation campaign, warning that it has infected thousands, if not tens of thousands, of systems using a next-generation portfolio of "implants", i.e. trojans.
Victims include government and diplomatic institutions, military bodies, Islamic activists and scholars, as well as telecoms, aerospace, energy, nuclear research, oil and gas, nanotechnology, transport, finance, media and encryption firms.
The tools used by Equation are described as some of the most advanced ever seen, and include EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish.
Kaspersky warned that there are likely to be more undiscovered tools in Equation's arsenal.
GReAT director Costin Raiu explained that the malware's ability to infect hard drive firmware is particularly dangerous, as it lets the group remain undetected and grants "resurrection" abilities capable of surviving disk formatting and OS reinstallation.
"Once the hard drive gets infected with this malicious payload, it is impossible to scan its firmware. To put it simply: for most hard drives there are functions to write into the hardware/firmware area, but there are no functions to read it back," he said.
"It means that we are practically blind, and cannot detect hard drives that have been infected by this malware."
The malware also creates an invisible "persistent" area in hard drives using the GrayFish implant. The area is used to save stolen information for later collection by the attackers and can be used to crack encryption protocols.
"Taking into account the fact that the GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area," explained Raiu.
The Fanny component was marked as particularly interesting as it can bypass air gap defences and is spread using a "unique USB-based command and control mechanism".
The attack method uses infected USB sticks with a hidden storage area that collects system information from victim machines when activated.
The USB stick then stores all the information it can and forwards it to command and control servers owned by the hackers when it is inserted into a machine with an active internet connection.
Kaspersky discovered Fanny in 2008 when its systems caught the malware exploiting two zero-day vulnerabilities. These were later uncovered during the analysis of Stuxnet and Flame.
The links with Stuxnet and Flame, which are believed to be state sponsored, led to rumblings that the US National Security Agency (NSA) may have had a hand in creating Equation.
The NSA is known to have developed sophisticated attack tools for past cyber operations.
An NSA spokesperson told V3 the agency is aware of Equation, but declined to address any "speculated" links.
"We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details," read the statement.
The Equation group's C&C infrastructure is spread out geographically and includes more than 300 domains and more than 100 servers in the US, UK, Italy, Germany, the Netherlands, Panama, Costa Rica, Malaysia, Colombia and the Czech Republic, among others.
Equation is one of many high-profile cyber attacks uncovered in recent months. Kaspersky reported on a hacker group codenamed Carbanak on Monday that had stolen over $1bn from 100 banks in more than 30 regions.