
Does anyone know of a method to wipe a HDD that gives a high degree of confidence that any malware present will not persist when the OS is reinstalled? Using tools on Linux and/or Windows?

We have approx 70 SSDs ranging in size from 480 GB to 1 TB from a variety of manufacturers, pulled from workstations compromised by a hostile foreign state. The network was compromised when several workstations were rebuilt using a Win 10 image later found to contain backdoors/malicious code as a result of a larger organisation-wide attack.

The machines themselves have been replaced, it's only the SSDs we'd like to avoid throwing out. Steps have been taken to lock down the network they'll sit in with very little traffic allowed out and between hosts. There is also a high degree of network monitoring in place looking for patterns/behaviors identified during the original breach... So we have a high level of confidence should any malicious code break out it will be identified and contained.

The larger organisation is in the process of rebuilding from the ground up, however the network in question was under the control of a separate entity - where a need for a more economical approach is required.

Edit: The foreign actor is believed to be from the Far East or a close ally. The organisation targeted was a federal government department in a country that is a member of the Five Eyes.

This was an advanced, targeted attack, with compromised boot code found on desktops and servers. While no evidence of malicious SSD/HDD firmware was found, it can't be ruled out due to the capability demonstrated in other areas. This is definitely not run-of-the-mill adware.

forest
Hvdm
  • If you format the drive it should be sufficient, if you want to be paranoid use a live Linux disk and something like gparted to do multiple passes on the drive. CCleaner also has a good forensic grade drive wiper. – Joe Feb 21 '18 at 14:15
  • @TomK., "hostile foreign state" implies a very different threat level than the opportunistic malware installation in that question. – Mark Feb 21 '18 at 21:06
  • This question would be greatly improved if you specified *which* hostile foreign state you're talking about. The correct response to a compromise by the United States or Russia is very different from a compromise by Vanuatu or Sierra Leone. – Mark Feb 21 '18 at 21:11
  • @Mark As far as I understand the matter the OP wants to wipe the HD no matter what. It might be interesting to look into the infection depending on the nation state (if this is really what happened), but in the end, the disk has to be wiped. – Tom K. Feb 21 '18 at 21:19
  • @TomK., if the NSA is going all-out against you, wiping the data area is insufficient. – Mark Feb 21 '18 at 21:48
  • Doesn't seem a dup of `How to wipe potentially infected SSD?` as that unanswered question doesn't discuss firmware compromise. – Neil Smithline Feb 25 '18 at 16:44

1 Answer


TLDR: Toss 'em. It's the only option.

You're asking for a way to ensure that the drives haven't been tampered with by a proven motivated and well-funded state actor. But I can see no way to be sure that the firmware is secure.

The best option I can think of is to read the firmware from a potentially-compromised drive and a known-untampered drive of the same model, then do a comparison. The problem with this strategy is that you have to trust the potentially-compromised drive to accurately report what is in its firmware. But the drive is potentially compromised, so you can't trust it. How can you be sure that it doesn't return different data for diagnostic access v. actual use?

I know that this sounds far-fetched, but you are ascribing great skill and resources to the attackers. Toss the drives and eat the cost. Sorry :(

Neil Smithline
  • For that matter, if the "hostile foreign state" is the US, you'll need to toss the entire computer. The NSA is known to have hardware keyloggers and backdoors that can replace virtually any part of the computer (eg. the network jack). – Mark Feb 27 '18 at 22:28
  • @Mark Many other countries have the same level of access. – forest Mar 05 '18 at 07:19
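To make the comparison the answer proposes concrete, here is an added example (mine, not from the answer or any vendor tool) that first checks the two drives report the same model and firmware revision in `hdparm -I` output, then reports which byte ranges of the two firmware dumps differ. It assumes the images have already been read out by whatever vendor-specific means; the identity text and images below are constructed samples, and the caveat from the answer stands: a compromised controller decides what it hands back.

```python
import hashlib
import re

IDENTITY_FIELDS = ("Model Number", "Firmware Revision")

def parse_identity(hdparm_text):
    """Pull the model and firmware revision lines out of `hdparm -I` output."""
    found = {}
    for field in IDENTITY_FIELDS:
        m = re.search(rf"^\s*{field}:\s*(.+?)\s*$", hdparm_text, re.MULTILINE)
        if m:
            found[field] = m.group(1)
    return found

def diff_regions(ref, suspect):
    """Return [(start, end)] half-open byte ranges where the two images differ."""
    if len(ref) != len(suspect):
        raise ValueError(f"image length mismatch: {len(ref)} vs {len(suspect)}")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(ref, suspect)):
        if a != b and start is None:
            start = i                      # entering a differing run
        elif a == b and start is not None:
            regions.append((start, i))     # leaving it
            start = None
    if start is not None:
        regions.append((start, len(ref)))
    return regions

def compare_firmware(ref_identity, suspect_identity, ref_img, suspect_img):
    """Compare only when both drives report the same model and firmware revision.
    'identical' means the suspect drive showed us the same bytes, not that it is clean."""
    ref_id, sus_id = parse_identity(ref_identity), parse_identity(suspect_identity)
    result = {"reference": ref_id, "suspect": sus_id}
    if len(ref_id) != len(IDENTITY_FIELDS) or ref_id != sus_id:
        result["verdict"] = "not comparable"   # different model or firmware revision
        return result
    result["reference_sha256"] = hashlib.sha256(ref_img).hexdigest()
    result["suspect_sha256"] = hashlib.sha256(suspect_img).hexdigest()
    result["regions"] = diff_regions(ref_img, suspect_img)
    result["verdict"] = "identical" if not result["regions"] else "differs"
    return result

# Constructed sample data (not real drives): hdparm -I style text, two 4 KiB images.
REF_IDENTITY = "/dev/sda:\n\n\tModel Number:       EXAMPLE SSD 1TB\n\tFirmware Revision:  FW01A\n"
REF_IMG = bytes(range(256)) * 16
SUSPECT_IMG = bytearray(REF_IMG)
SUSPECT_IMG[256:260] = b"\xff" * 4        # patched run of four bytes
SUSPECT_IMG[3000] ^= 0x80                 # single flipped bit
```

Running `compare_firmware(REF_IDENTITY, REF_IDENTITY, REF_IMG, SUSPECT_IMG)` reports the verdict "differs" with regions `[(256, 260), (3000, 3001)]`.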