Researchers from China’s Pangu Lab have disclosed details of a “top-tier” backdoor put to use by the Equation Group, an advanced persistent threat (APT) with alleged ties to the cyber-warfare intelligence-gathering unit of the U.S. National Security Agency (NSA).
Dubbed “Bvp47” owing to numerous references to the string “Bvp” and the numerical value “0x47” used in the encryption algorithm, the backdoor was extracted from Linux systems “during an in-depth forensic investigation of a host in a key domestic department” in 2013.
The defense research group codenamed the attacks involving the deployment of Bvp47 “Operation Telescreen,” with the implant featuring an “advanced covert channel behavior based on TCP SYN packets, code obfuscation, system hiding, and self-destruction design.”
Bvp47 is said to have been used on more than 287 targets in academia, economic development, military, science, and telecom sectors located in 45 countries, mainly in China, Korea, Japan, Germany, Spain, India, and Mexico, all the while going largely undetected for over a decade.
The elusive backdoor is also equipped with a remote control function that's protected by an encryption algorithm and can only be activated with the attacker's private key – something the researchers said they found in the leaks published by the Shadow Brokers hacker group in 2016.