1. 4

  2. 7

    This isn’t actual malware; it’s hypothetical malware from academia requiring fairly substantial control over the system — as in flashing-the-drive-firmware levels of access.

    Is it possible? Probably.

    Plausible? I doubt it. Maybe if you were a specific target rather than bog-standard infected warez, etc.

    1. 2

      It’s plausible for very targeted supply chain attacks. If a sophisticated attacker knows that their target has ordered hard drives, they can potentially dispatch compromised drives of the same model to arrive faster and purport to be from the real supplier.

      Certainly within the capability of a state actor conducting an ongoing intelligence operation. Tbh the resourcing required would be within reach of large commercial organizations, although I don’t know of any evidence that any large corporations have non-state-affiliated espionage programs.

      It’s probably resource feasible for mounting a targeted, very high value ransomware attack, but again it’s not clear that this kind of targeting is economically attractive to ransomware groups.

      This is plausible if your threat model includes well-resourced parties who quite specifically want to get you. Which for some people is a real thing.

    2. 2

      Oh, and for large organizations you can probably just ship some hard drives to one of their IT units and they won’t even realize they didn’t order the drives.

      Or an “evil maid” attack could potentially insert the drives into the IT organization’s stash of drives.