When a hacking organization’s secret tools are stolen and dumped online for anyone to pick up and repurpose, the consequences can roil the globe. Now one new discovery shows how long those effects can persist. Five years after the notorious spy contractor Hacking Team had its code leaked online, a customized version of one of its stealthiest spyware samples has shown up in the hands of possibly Chinese-speaking hackers.
At an online version of the Kaspersky Security Analyst Summit this week, researchers Mark Lechtik and Igor Kuznetsov plan to present their findings about that mysterious malware sample, which they detected on the PCs of two of Kaspersky's customers earlier this year.[1] The malware is particularly unusual—and disturbing—because it's designed to alter a target computer’s Unified Extensible Firmware Interface, the firmware that is used to load the computer’s operating system. Because the UEFI sits on a chip on the computer’s motherboard outside of its hard drive, infections can persist even if a computer’s entire hard drive is wiped or its operating system is reinstalled, making it far harder to detect or disinfect than normal malware.
The malware the Kaspersky researchers discovered uses its UEFI foothold to plant a second, more traditional piece of spyware on the computer's hard drive, a unique piece of code Kaspersky has called MosaicRegressor. But even if that second-stage payload is discovered and wiped, the UEFI remains infected and can simply deploy it again. "Even if you would take the physical disk out and replace it with a new one, the malware will keep reappearing," says Lechtik, who along with Kuznetsov works as a researcher on Kaspersky's Global Research and Analysis Team. "So I think to date, it's the most persistent method of having malware on your device, which is why it is so dangerous."
The new UEFI malware is based on a hacking tool known as VectorEDK, created by Hacking Team, the now defunct hacking-for-hire contractor based in Italy. Hacking Team was breached in 2015 by the hacktivist known as Phineas Fisher, who stole and leaked a vast collection of the company's internal emails as well as the source code for many of its hacking tools, including VectorEDK. That tool, which was intended to be installed with physical access to a target machine, has now been repurposed, with some customizations that change where the UEFI malware places its secondary malware payload on the victim's hard drive.
Kaspersky says it found the UEFI malware on PCs used by diplomatic targets in Asia, but declined to say more about those victims, and it concedes that it doesn't know how the UEFI malware first got there. But Kaspersky did find that the MosaicRegressor payload that the UEFI malware subsequently planted on those machines also appeared on other victims' computers around the world, including on those of diplomats and NGO staff in Africa, Asia, and Europe, all of whom had worked on issues related to North Korea, Kaspersky says.
Some of those instances of MosaicRegressor were delivered not by any sort of UEFI malware but with more typical phishing emails in Russian and English that carried malicious attachments posing as North Korea–related documents. That MosaicRegressor payload came in the form of a downloader capable of installing new modular components of the malware from a remote server, and the Kaspersky researchers say they weren't able to obtain most of those components. But they did see signs in some cases that the hackers had carried out the typical espionage tactic of collecting and compressing files to ferret back to a server they controlled.
As for the identity or nationality of the hackers behind the new UEFI malware, Kaspersky says it's found only sparse clues, none definitive enough to conclusively link the hackers to a known group. But the researchers note multiple language hints in the hackers' code: one that indicates they wrote in either Korean or Chinese, and another that suggests more clearly they wrote in the simplified Chinese used in mainland China. Kaspersky also observed that the hackers appear to have used a document-builder tool called Royal Road that's popular among Chinese-speaking hackers.
Finally, they point to a blog post by researchers at the security firm ProtectWise, who connected a command-and-control server and a lure document identified by Kaspersky to the loose collection of overlapping Chinese hacker groups broadly known as Winnti, or APT 41. Five of those hackers were indicted earlier this month and accused of working on behalf of China's Ministry of State Security.
If Chinese hackers are indeed hacking their victims' UEFI to hide their malware, they wouldn't be the first. Aside from Hacking Team—whose VectorEDK malware has never been publicly reported as seen in the wild—WikiLeaks' release of secret CIA documentation of hacking tools known as Vault 7 revealed that the agency used methods for hacking the UEFI of macOS machines by inserting a physical tool into their Thunderbolt port. In 2018 the cybersecurity firm ESET found that the Russian hacker group known as Fancy Bear or APT28 was hacking the UEFI of its victims to install a modified version of LoJack, UEFI code intended to serve as an antitheft tool that the group repurposed for espionage.
But Kaspersky's new UEFI malware discovery is only the second ever obtained from a victim's machine, and in some sense it is the first purpose-built UEFI malware to be seen in use. "It's the first known proprietary custom UEFI backdoor that is not based on some well-known white-hat software, but was intended from the beginning to be a malicious one," says Kuznetsov.
The Kaspersky researchers argue that the new UEFI malware should serve as a warning that the security and computing industries need to take that type of attack more seriously, by adding UEFI scans in antivirus products and implementing protections against unauthorized UEFI meddling, some of which already exist in UEFI code but aren't always implemented by PC manufacturers.
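As an added example of the kind of UEFI scanning the researchers call for (this is not code from Kaspersky or from the article): a minimal Python scanner that enumerates the modules inside a dumped UEFI firmware volume and diffs them against a known-good baseline, which is how an added or altered firmware module like the one described here would surface. The volume and file header layouts follow the UEFI PI firmware file system (FFSv2) format; the sample image, its module GUIDs and their contents are constructed for the example.

```python
import hashlib
import struct
import uuid
FVH_SIG = b"_FVH"     # EFI_FIRMWARE_VOLUME_HEADER.Signature, always at offset 40 of the volume
FV_HEADER_LEN = 72    # 56 fixed header bytes + one block-map entry + the all-zero terminator entry
FFS_HEADER_LEN = 24   # EFI_FFS_FILE_HEADER: Name GUID(16) IntegrityCheck(2) Type(1) Attributes(1) Size(3) State(1)

def build_fv(files):
    """Pack (guid, type, body) tuples into one FFSv2 firmware volume (constructed sample image)."""
    body = b""
    for guid, ftype, data in files:
        size = FFS_HEADER_LEN + len(data)                      # 24-bit size covers header + body
        body += guid.bytes_le + struct.pack("<HBB", 0, ftype, 0) + size.to_bytes(3, "little") + b"\xF8" + data
        body += b"\xFF" * (-len(body) % 8)                     # FFS files are 8-byte aligned
    fv_len = FV_HEADER_LEN + len(body)
    hdr = b"\x00" * 16 + uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3").bytes_le  # ZeroVector + FFSv2 GUID
    hdr += struct.pack("<Q4sIHHHBB", fv_len, FVH_SIG, 0, FV_HEADER_LEN, 0, 0, 0, 2)  # length, sig, attrs, hdr len
    hdr += struct.pack("<IIII", 1, fv_len, 0, 0)               # block map: 1 block of fv_len bytes, then terminator
    return hdr + body

def scan_fv(image):
    """Walk every firmware volume in image; return {file GUID: (type, sha256 of file body)}."""
    found = {}
    pos = image.find(FVH_SIG)
    while pos != -1:
        fv_start = pos - 40
        fv_len, _sig, _attrs, hdr_len = struct.unpack_from("<Q4sIH", image, fv_start + 32)
        off, end = fv_start + hdr_len, fv_start + fv_len
        while off + FFS_HEADER_LEN <= end:
            guid = uuid.UUID(bytes_le=image[off:off + 16])
            ftype, size = image[off + 18], int.from_bytes(image[off + 20:off + 23], "little")
            if guid.int == (1 << 128) - 1 or size < FFS_HEADER_LEN:   # all-0xFF free space or a corrupt header
                break
            found[str(guid)] = (ftype, hashlib.sha256(image[off + FFS_HEADER_LEN:off + size]).hexdigest())
            off = fv_start + ((off - fv_start + size + 7) & ~7)        # next 8-byte-aligned file
        pos = image.find(FVH_SIG, end)
    return found

def diff_against_baseline(baseline, current):
    """Flag modules that a known-good (vendor) image lacks, and modules whose contents differ from it."""
    unknown = sorted(g for g in current if g not in baseline)
    modified = sorted(g for g in current if g in baseline and baseline[g] != current[g])
    return unknown, modified

# Constructed sample modules: hypothetical GUIDs and placeholder contents, not real firmware
DXE_CORE = (uuid.UUID("11111111-2222-3333-4444-555555555555"), 0x05, b"dxe core stub")
PLATFORM = (uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"), 0x07, b"platform driver stub")
EXTRA = (uuid.UUID("deadbeef-0000-4000-8000-000000000001"), 0x07, b"driver that is not in the vendor image")
BASELINE = scan_fv(build_fv([DXE_CORE, PLATFORM]))          # known-good image dumped from a clean machine
SUSPECT = scan_fv(build_fv([DXE_CORE, PLATFORM, EXTRA]))    # same image with one extra DXE driver
```

On a real machine the image would come from an SPI flash dump and the baseline from the vendor's published firmware; `diff_against_baseline(BASELINE, SUSPECT)` then lists the GUIDs that need a closer look.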
The case also demonstrates how long the effects of a leaked hacking tool can linger. When the mysterious hackers known as the Shadow Brokers leaked a set of NSA hacking tools in 2017, they were used within just weeks in cyberattacks like WannaCry and NotPetya that caused billions of dollars in damage. Some of Hacking Team's leaked malware also reappeared almost immediately in copycat hackers' tool sets after the company was disemboweled, rather than after the five years it took for the UEFI spyware to resurface. But now that it's been put to use once, it may not be long before we see it again.
"We do usually expect some kind of an arms race by different groups when a tool leaks," says Kuznetsov. "So I think it's very important that researchers look closer at UEFI modules. Because once it goes out, once it's used in the world, there are usually some other groups that will be going into the arms race."
[1] Correction 10/5/2020 11:00am EST: A previous version of the story misstated the date of the Kaspersky researchers' presentation.