Spies have long coveted the ability to compromise a computer’s booting process and, with it, the means of controlling just about every part of the machine.
The booting process — how a computer powers on — offers access to the machine’s operating system and all of the accompanying sensitive data. The crucial computing code that manages that booting process, known as UEFI firmware, represents a valuable target for hackers, though also one that remains difficult to infiltrate.
Researchers from security company Kaspersky on Monday revealed what they described as the second case of malicious UEFI firmware found in use in the wild. Security specialists found UEFI implants that appeared to be part of a larger hacking operation carried out by Chinese-speaking operatives against diplomatic organizations and non-governmental organizations in Africa, Asia and Europe.
It’s an apparent case of cyber-espionage that took place from 2017 to 2019, with the evident aim of gathering information related to North Korea. All of the hackers’ targets did work in that country, or somehow focused on it.
“It is highly uncommon to see compromised UEFI firmware in the wild,” Kaspersky’s Mark Lechtik and Igor Kuznetsov wrote in a blog. That’s partly because of the advanced capabilities needed for such attacks and “the high stakes of burning [a] sensitive toolset or assets when doing so.”
The only other example of that type of UEFI attack, according to researchers, was a suspected Russian hacking campaign in Europe in 2018.
The discovery shows that “this attack vector, which was discussed mostly as theoretical for many years, has become viable for threat actors,” Lechtik said in an email.
‘A natural evolution’ of UEFI implants
Because of the invasive nature of a UEFI compromise, the U.S. government and major technology companies have taken extra measures to guard against such attacks.
The National Security Agency, for example, last year announced a project that essentially places a machine’s firmware in a container, isolating it from would-be attackers. Separately, using microchips built by Intel, Microsoft is trying to lock down its latest personal computers from UEFI attacks in a security update in part inspired by the 2018 suspected Russian hacking campaign.
The UEFI implants uncovered by Kaspersky represent an intriguing case study. Some of the code is based on a leaked UEFI hacking tool made by HackingTeam, the infamous Italian seller of surveillance technology.
The Kaspersky researchers say they are unsure if the Chinese-speaking attackers physically delivered the malicious firmware on the target machines (a manual for the HackingTeam kit requires a USB key to install the code), or if it was done remotely.
However, the use of the UEFI implant offered the attackers prized access to their targets. The two computers that the hackers deployed the implant on in 2019 were located in Asia, and appeared to belong to diplomatic targets, Lechtik said.
Using the UEFI implant can “keep the machines in question persistently infected for a long time, possibly to facilitate an ongoing espionage campaign against those targets,” he added.
Jesse Michael, a researcher whose firm Eclypsium has investigated UEFI security weaknesses, said the newly revealed malware was more advanced than the original HackingTeam code and could be precisely trained on individual targets.
“It looks like a natural evolution of UEFI implant capabilities and we’re likely to see more of this showing up in the wild,” Michael said.