It is incredible, even the most generous estimation of the NSA's capabilities before the Snowden disclosures now look conservative. This is the stuff conspiracy theories are made of.
UR = UNITEDRAKE ("Regin", basically?). And that'd probably be rmgree5@nsa.gov: that's the format their addresses are in.
This does seem to be, broadly-speaking, NSA's top-dollar brand-new 0-day-laden (at the time) malware, that they use to launch their less shiny stuff, which is more awkward and a massive overfunded modular boondoggle. This does not seem to be as freely shared around with the "Five Eyes".
By the way, there are innocent machines in the US infected with this thing, at this very moment. Anyone care to explain that?
The hard-drive component should be completely detectable, if you don't boot from it, based on the (small, sadly incomplete) fragment of (Cortex-M0?) stuff I've seen. Power-cycle it, send an ATA reset, read the MBR and following sectors. Look out for the NIC "option rom" persistence module, too - you may be well-advised to do it from something really exotic that doesn't run x86, just in case! (Independent hackers are running (ยต)Linux on hard disks now, so it's not surprising a huge agency able to spend billions of dollars of tax money funding contractors on tiny pieces of this project got something of a head start!) Not sure of a good way to detect it in software, but it's not perfect, so it probably can be redpilled somehow.
Watch for "CD-ROM"s that unexpectedly have ATIPs, I guess?
Detecting an infected hard drive in software would be the usual malware arms race: you find some characteristic of it, they improve the firmware.
But if we start to systematically check for it, it should be easy to discover via hardware debugging. Find the JTAG interface on the hard disk controller (or whatever debugging interface the specific processor uses), dump the firmware and compare it to firmware dumps from other hard drives of the same model. I don't see how they could fool that process (given that you have a clean machine to read out the firmware).
Of course to be thorough you would have to check pretty much the firmware of every component of the computer.
> dump the firmware and compare it to firmware dumps from other hard drives of the same model
And then ponder the unstated assumption that said other hard drives may or may not have been exploited already. Dealing with a state level actor is hard, in the "trusting trust" sense.
Well update your threat model appropriately. What are the realities if they've somehow hit every single hard disk in the US? What is the likelihood this level of subterfuge can be maintained? How many people are involved?
Just because you can imagine it doesn't suddenly make it practical, and it certainly doesn't mean they're going to burn that capability outing some guys porn habits either.
> What are the realities if they've somehow hit every single hard disk in the US?
Who knows. The problem is you're not so concerned with "every single" hard drive in the US, but you may well be concerned with the other one you wish to use as a benchmark.
When you're dealing with things like hardware being compromised on the way from the plant to the store, or (as mentioned) a burned CD being compromised in the mail, and other things that really only governments can do, it changes the whole nature of the threat model.
The malware might remain quiescent unless the examination techniques mimic a computer that is booting.
I might prefer to use an analyzer to monitor the disk channel of a machine that is booting and running.
Building an SATA probe/analyzer is within hobbyist knowledge and skill levels now. If you have money you can simply buy it from LeCroy and many others, or rent it by the month/week.
There's a specific reason I said to send an ATA reset first! IRATEMONK (for it is that) isn't that smart. Doesn't need to be.
If you want to test more thoroughly, or actually dump the object for analysis, as wongarsu says below, the JTAG port or the serial port is the way to go. That's how they get it in there.
Usually a booting PC will issue several identify commands and try a SMART health check, and if there is a RAID option ROM then specific series of READ will be issued. If it would really disclose itself with simple RESET, READ interrogation then I must be a better malware author than those players. I don't think I am, and I feel that if it would give itself away without ensuring that the OS is really booting, this is a big flaw. If it were my project, it would be a showstopper. I'm a noob in the sense that I have never considered malware before, so probably the developers (who are smarter than me) thought about it long before I did.
This flaw would also make it much simpler to write a script for MHDD that would reveal the infection on the infected target itself after booting from a floppy.
I think a JTAG probe is not especially useful to analyze a hard disk. The flash on the board is usually only a bootstrap and "physical driver" of sorts. The rest of the firmware is stored on the media - you can see that many disks do not even know what they are if you disconnect the heads and try to identify.
I think JTAG is not commonly in the toolbox of the data recovery guys who dump firmware modules and trade them. DR sometimes involves replacing corrupted firmware that is on the disk, or reprogramming a controller board to match one that's failed. They have bought software and serial port cables, and this seems to handle it for them, so I concluded that there must be a way to dump all of the firmware - on chips and disks - with ATA commands or the serial port, and we know from field-service tools that there is usually a way to update it all with only ATA commands.
Had a family member that worked for SPEA (test equipment manufacture). Said different government organizations would bring in boards with massively parallel sets of chips and input/output on them, like nothing they ever saw in any other field. They were expressly forbidden to take pictures of them.
Between that and the massive data centers they are building I'm guessing they have rather impressive capabilities.
This particular set of exploits has little to do with collecting information. This seems to be directly related to command and control operations, including over systems that aren't connected to the internet.
There are a pretty scary set of discovered exploits.
I believe this is not the correct thread, but how can anyone sift through so much data, in general? Private companies need simpler things, like people you are likely to know in the real world, from the data they acquire. But intelligence agencies need actionable intelligence. That would require something way more intelligent than a simple spam filter.
That depends on the data you are talking about. The operations described here don't seems to collect huge amounts of data. If you're talking about the usual dragnet surveillance: a lot of it seems to be relatively simple filters and simple data correlation.
For example, you can build huge social graphs with simple metadata. Then you can search for all people who communicate a lot with people who communicate a lot with some known terrorist leader. Of those people, you take just those using tor. If any of them plans to enter the US, you flag them to be detained and searched at the airport. If any of them is already in the US, you can tell FBI to check them out.
Or you can look for sudden changes in message volumes. If terrorist leader A suddenly starts to communicate a lot more with random person B and random person C, who in term start communicating with other people, you suddenly have a whole list of people who might be planning a terrorist operation.
Of course you still need huge computing capacity even for these relatively simple operations, but they certainly have the funds for a few datacenters.
> intelligence agencies need actionable intelligence
For the most part that hasn't really been how it's worked so far. Generally intelligence agencies have used the information they've gathered so far to try to manipulate people.
'were', I think, may be more operative. I first heard that statistic about a long time ago, more like the '70s. Mathematicians don't seem to be very useful to the NSA's current hacker paradigm. (Note what we haven't gotten from the Snowden leaks so far: any sort of major mathematical or theoretical advance. Amazing hacking infrastructure, though.)
NLP's foundation is in statistics, so calling it "not maths" seems rather short-sighted. Mathematics, especially statistics, play a crucial role in all data interpretation when you get to any kind of scale and they seem to be the biggest of them all.....
Its only really useful against non-terrorists, but that doesn't mean its a waste of money: if it is used to make money.
So maybe its being used to make money - i.e. targetting non-terrorists (i.e. industrial espionage) - precisely because it is a huge waste of money. Wow, its almost like the whole thing was just a bad idea in the first place - its become self-serving.
This does seem to be, broadly-speaking, NSA's top-dollar brand-new 0-day-laden (at the time) malware, that they use to launch their less shiny stuff, which is more awkward and a massive overfunded modular boondoggle. This does not seem to be as freely shared around with the "Five Eyes".
By the way, there are innocent machines in the US infected with this thing, at this very moment. Anyone care to explain that?
The hard-drive component should be completely detectable, if you don't boot from it, based on the (small, sadly incomplete) fragment of (Cortex-M0?) stuff I've seen. Power-cycle it, send an ATA reset, read the MBR and following sectors. Look out for the NIC "option rom" persistence module, too - you may be well-advised to do it from something really exotic that doesn't run x86, just in case! (Independent hackers are running (ยต)Linux on hard disks now, so it's not surprising a huge agency able to spend billions of dollars of tax money funding contractors on tiny pieces of this project got something of a head start!) Not sure of a good way to detect it in software, but it's not perfect, so it probably can be redpilled somehow.
Watch for "CD-ROM"s that unexpectedly have ATIPs, I guess?