Israeli and Russian researchers reveal rare malware that targets UEFI firmware

Hackers associated with China used the difficult-to-remove malware to spy on diplomats and NGOs, say Kaspersky researchers

Raphael Kahan, 10:09, 06.10.20
A pair of researchers, one Israeli and one Russian, from cybersecurity company Kaspersky, have revealed a new and sophisticated type of malware that takes advantage of a computer’s UEFI (Unified Extensible Firmware Interface) firmware and cannot be removed using traditional solutions.


The interface is stored on the motherboard of every computer and runs during its initial power-up and boot, before the operating system loads; code that runs at that stage sits beneath the operating system and has access to it and to all of the sensitive data it holds.


Hackers use security vulnerabilities to spy on users. Photo: Shutterstock
The malware, which the researchers dubbed MosaicRegressor, was first detected several months ago, according to Mark Lechtik, the Israeli researcher. In an interview with Calcalist he said that the people behind the malware are likely Chinese and possibly linked to or operating under Chinese authorities. The reason he suspects state involvement, he said, is because the level of the malware’s sophistication requires highly advanced R&D and extensive resources.


The interesting part here is the way the malware operates. Its source is a vulnerability first discovered five years ago by Italy-based Hacking Team. The company, which is often compared to Israel’s NSO, had for years gathered data on breaches and vulnerabilities that it used to develop the spyware and tracking tools it sold to its clients, mostly states and intelligence services. The vulnerability was exposed when the Italian company’s own computers were hacked, a breach that also brought the company’s shady deals with dictatorships and totalitarian regimes to light. Some of those deals, incidentally, also involved Israeli companies.


Unlike other leaks of cyber weapons, it took several years for malware that takes advantage of the exposed vulnerability to be developed. Lechtik added that the malware requires physical access to the computer, so it is not easy to deploy. That said, once installed it is extremely difficult to get rid of using available security tools and is nearly impossible to delete.


The reason is that UEFI does not run from the computer’s hard drive, but from a chip attached to the computer’s motherboard, which means the malware survives even a complete reformatting of the computer. To remove it, the UEFI firmware chip needs to be re-flashed or the motherboard needs to be replaced.


This is not the first malware to attack UEFI. Two years ago a similar tool was discovered during a campaign by the Russian hacking group Fancy Bear, which is considered to be an arm of the Russian espionage services. Unlike the previous case, however, this time the malware operators appear to be from China. So far it has been used in a number of attacks against NGOs and diplomats in various African, European and Asian countries.


According to the researchers, the only commonality between the victims so far has been some sort of link to North Korea. All of the hackers’ targets did work in that country or somehow focused on it. It is not clear why elements associated with China would be interested in tracking North Korea, which is officially a Chinese ally, but the chief concern now is that the malware will be improved and spread further. It is hard to assess how much damage such malware could cause if it ends up in the hands of criminal or unscrupulous operators.