A team of researchers from China’s Pangu Lab released a 50-page report on Wednesday detailing Linux malware allegedly used against numerous targets by the threat actor known as the Equation Group, which has been linked to the National Security Agency (NSA) of the United States.
It’s not uncommon for cybersecurity firms in the United States to release reports detailing the tools and activities of threat actors linked to the Chinese government, and now a group of Chinese researchers has released a report detailing malware linked to the US government.
Pangu Lab is a research project of Pangu Team, which is best known for its iPhone jailbreaks. An iOS exploit netted them $300,000 last year in a major Chinese hacking contest.
The backdoor detailed by researchers this week has been dubbed Bvp47. It was first discovered in 2013 during the investigation of an incident affecting a Chinese government organization. The researchers determined at the time that it was a “high-profile APT backdoor”, but further investigation required a private key which they were unable to obtain.
The malware was named Bvp47 based on the string “Bvp” commonly found in its source code and the value “0x47” used in an encryption algorithm.
In 2016 and 2017, a mysterious group calling itself The Shadow Brokers leaked large amounts of data that was allegedly stolen from the NSA-linked Equation Group, including numerous hacking tools and exploits. In these leaks, Pangu Lab researchers found the private key they needed to further analyze the Bvp47 backdoor.
According to the researchers, the malware was used in a campaign they dubbed “Operation Telescreen,” which appears to have targeted nearly 300 entities in 45 countries over a period of more than a decade.
The backdoor has been used against organizations in the telecommunications, higher education, military, science and economic development sectors in North America, Europe and Asia, Pangu Lab said.
Bvp47 appears to be designed to provide its operators with long-term control over compromised devices and it includes rootkit, security feature bypass, anti-forensics, self-removal, and other capabilities.
“The tool is well-designed, powerful and widely applicable,” Pangu Lab said. “Its network attack capability equipped with 0day vulnerabilities was unstoppable, and its data acquisition under covert control was done with little effort.”
In addition to a technical description of Bvp47, Pangu Lab’s report tries to highlight the links between the malware, the Equation Group and the NSA.