On December 29, 2013, Der Spiegel, a German weekly news magazine, published an article about an internal NSA catalogthat lists technology available to the NSA's Tailored Access Operations (TAO). Among that technology is "IRATEMONK".
"IRATEMONK provides software application persistence on desktop and laptop computers by implanting the hard drive firmware to gain execution through Master Boot Record (MBR) substitution."
"This is probably the most interesting of the BIOS-type implants."
"yet the cost of evading the 'boot from CD' detection is now you have guaranteed 'NSA WAS HERE' writ in big glowing letters if it ever IS detected."
Well, funny story — components related to IRATEMONK have now been detected — by the folks at Kaspersky Labs. Kaspersky's research paper refers to a threat actor called the "Equation group" whose country of origin is not named, but the group has exactly the capabilities detailed by the NSA's ANT catalog.