Malware linked with the National Security Agency that has been used to spy on computers around the world​​​​​​​​​​ threatens to ma​​​ke the Internet less safe by spreading sophisticated infections that are increasingly difficult to remove.

Hackers code-named the Equation group are said to have infected computers in 30 countries with “highly sophisticated” spyware that resembles code and techniques used by the Flame virus and the Stuxnet worm designed by the NSA and Israel for use against Iran, cybersecurity firm Kaspersky Lab reported this week. ​Kaspersky, which named the hacker group based on the complexity of its methods, characterized it as "the most advanced threat actor" it had seen but ​stopped short of explicitly connecting it to the spy agency.



Former intelligence operatives told Reuters the NSA was involved with the Equation group and its efforts to manipulate computers using the malware. If that were true, it could damage President Barack Obama’s efforts both to rebuild trust in spy agencies and to reassure the tech industry that government is interested in upholding cybersecurity rather than weakening it for surveillance purposes.

The Stuxnet worm and the Flame malware derived from it were designed by the U.S. and Israel to sabotage Iranian nuclear facilities, according to The New York Times. But Stuxnet’s infection spread to unintended targets, including the networks of California-based Chevron Corp., and showed the risk of collateral damage with cyberattacks​.

The Equation group's malware has infected a broad range of targets, including government and military organizations, telecom and energy businesses, banks, nuclear researchers, the media and Islamic activists, according to Kaspersky. Malware has targeted most of these groups in Iran, along with Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria, the cybersecurity firm reports.

The U.S. may not be on that list, but the malware is a threat to the entire Internet because “everything depends on everything else” in our interconnected digital world, according to a blog post by Bruce Schneier, a fellow at Harvard University’s Berkman Center for Internet and Society.

“We need to figure out how to maintain security in the face of these sorts of attacks, because we're all going to be subjected to the criminal versions of them in three to five years,” Schneier said.

The NSA itself has expressed similar concerns that Iran may have improved its hacker strategy by learning tricks from U.S. online attacks, according to a 2013 agency document leaked by former contractor Edward Snowden and published by The Intercept. NSA documents disclosed by Snowden indicate the agency has used malware infection as part of its digital spying strategy.

The Equation group’s spying software attaches itself to the firmware of a computer, launching when a computer boots up and making it nearly impossible to remove, according to Kaspersky. The spyware takes control of a hard drive, allowing the hacker to remotely monitor or steal anything they like. Along with using a computer worm to spread the virus, the group’s methods include infecting disks and thumb drives, according to Kaspersky.



The malware reportedly has self-destruct abilities, but those may not always be able to protect unintended targets, says Ben FitzGerald, director of the Technology and National Security Program at the Center for a New American Security think tank.

“Any tool that weakens security weakens the security of the Internet overall,” says FitzGerald, a former IBM employee who consulted for Australian intelligence.

The average hacker will have difficulty repurposing the Equation malware code because of its sophistication, but the program’s strategy of attacking a computer’s firmware could give criminals “tips and tricks by knowing what to exploit,” he says.

While “it’s hard to say” if the NSA was involved, FitzGerald says the Equation malware echoes concerns about the acceptable limits of online spying and highlights the question, “Is malware a 21st century analog to a listening device?”