Security researchers at Beijing-based Pangu Lab say they have uncovered evidence that an advanced backdoor program used against targets in 45 countries originates from The Equation Group, a hacking group linked to the United States National Security Agency (NSA).
The malware, Bvp47, was first found in 2013, when Pangu Lab researchers extracted a set of advanced backdoors (software used for covert remote access and control) from a Linux computer in a Chinese domestic government department.
Now, the Pangu Lab researchers say they have been able to conclude that Bvp47 was part of the cyber arsenal of NSA-linked The Equation Group.
In the Equation Group hacking files leaked by The Shadow Brokers in 2016 and 2017, Pangu Lab found an encrypted private key that is used to remotely trigger the Bvp47 backdoor.
According to the researchers, the Bvp47 backdoor uses “advanced covert channel behaviour based on TCP SYN packets, code obfuscation, system hiding, and self-destruction design.”
“The tool is well-designed, powerful, and widely adapted. Its network attack capability equipped by 0day vulnerabilities was unstoppable, and its data acquisition under covert control was with little effort,” Pangu Lab said.
Security researcher Kevin Beaumont said Bvp47 shows that the cybersecurity industry should recognise the significance of misuse of the extended Berkeley Packet Filter (eBPF), which can be used to fully trace user operations on Linux and Windows without writing files to disk or exhibiting other revealing behaviour.
Labelling Bvp47 a “top-tier backdoor of NSA”, Pangu Lab said it was used for network intrusion attacks on more than 287 targets in 45 countries.
However, Western security researchers are casting doubt on Pangu Lab’s findings, with noted cryptographer Matthew Green calling the report confusing.
Mildly confusing document from Pangu Lab, appears to reverse-engineer an NSA backdoor from the Shadow Brokers leaks. https://t.co/frogNQJTZ5
— Matthew Green (@matthew_d_green) February 23, 2022
Beyond US adversaries such as Russia and China, Bvp47 was also used against telcos, academia, and military targets in key Western-allied European nations.
Pangu Lab added that The Equation Group “is the world’s leading cyber-attack group” which is in a “dominant position in national-level cyberspace confrontation.”