On Wednesday, a group of researchers from China’s Pangu Lab issued a 50-page report revealing a piece of Linux malware reportedly employed by the threat actor known as the Equation Group, which has been linked to the US National Security Agency (NSA).
It is not uncommon for US cybersecurity firms to publish reports documenting the tools and operations of threat actors linked to China’s government; now a group of Chinese researchers has released a report detailing a piece of malware linked to the US government.
Pangu Lab is a research initiative run by the Pangu Team, best known for its iPhone jailbreaks. Last year, they won $300,000 in a big Chinese hacking competition thanks to an iOS flaw.
Bvp47 is the name the researchers have given the backdoor described in this week’s report. They first encountered it in 2013 while investigating an incident involving a Chinese government entity. At the time they judged it to be a “top-tier APT backdoor”, but further analysis required a private key they were unable to obtain.
The malware was given the moniker Bvp47 after the “Bvp” string that was frequently discovered in its source code, as well as the “0x47” number used in an encryption technique.
In 2016 and 2017, a mysterious group known as The Shadow Brokers leaked large volumes of data reportedly stolen from the NSA-linked Equation Group, including various hacking tools and exploits. Pangu Lab’s researchers found the private key they needed to analyse the Bvp47 backdoor in those leaks.
The researchers say the malware was used in a campaign they have dubbed “Operation Telescreen”, which appears to have targeted over 300 organisations in 45 countries over the course of a decade.
According to Pangu Lab, the backdoor was utilised against companies in the telecommunications, higher education, military, scientific, and economic development sectors in North America, Europe, and Asia.
Bvp47 incorporates rootkit, security feature bypass, anti-forensics, self-deleting, and other capabilities that appear to be designed to provide its operators long-term control over compromised machines.
“The tool is well-designed, powerful, and adaptable,” according to Pangu Lab. “Its network assault capabilities, which were armed with zero-day vulnerabilities, were unstoppable, and its data acquisition under covert control was simple.”
In addition to a technical analysis of Bvp47, Pangu Lab’s study tries to draw connections between the malware, the Equation Group, and the NSA.