Details of NSA-linked Bvp47 Linux backdoor shared by researchers
The backdoor went almost unnoticed for nearly 10 years
Researchers from China-based cyber security firm Pangu Lab have revealed details of what they claim is a sophisticated APT backdoor that was used by the US National Security Agency's Equation Group to compromise highly targeted Linux systems around the world.
The researchers said they first extracted the code of this backdoor, dubbed 'Bvp47', in 2013 while conducting a forensic analysis on a host in a key domestic department.
Based on several references to the string 'Bvp' in the sample and the numerical number '0x47' used in the encryption process, they named the malicious code as 'Bvp47'.
The Bvp47 sample obtained from the forensic investigation appeared to be an APT backdoor, according to the researchers. However, they could not investigate the malicious code further to determine who was behind the hack as the code's remote control function was protected through the RSA asymmetric cryptography technology, which required a private key to enable the function.
In 2016, the hacker group the Shadow Brokers released a bunch of files reportedly stolen from the NSA's cyberattack team Equation Group, enabling the Chinese researchers to discover the private keys and put the pieces together.
After further analysing the sample, the researchers concluded that the backdoor was made by Equation Group.
In 2017, Shadow Brokers published more hacking tools and exploits created by the NSA, some of which were subsequently used in security breaches around the world, including the WannaCry ransomware attacks and NotPetya worms attacks.
According to the Pangu Lab report, the Shadow Brokers' files suggested that the Equation Group attacked over 287 entities in 45 countries, including Germany, Japan, Russia, Spain and Italy over 10 years.
One victim in Japan was used as a jump server for further attack, according to the report.
The attacks employing the Bvp47 backdoor are dubbed as 'Operation Telescreen' by Pangu Lab.
A telescreen was a device envisioned by George Orwell in his novel 1984 that enabled the state to remotely monitor others to control them.
According to Pangu Lab researchers, the malicious code of Bvp47 was developed to give operators long-term control over compromised machines.
'The tool is well-designed, powerful, and widely adapted. Its network attack capability equipped by 0-day vulnerabilities was unstoppable, and its data acquisition under covert control was with little effort,' they said.
Complex code, Linux multi-version platform adaption, segment encryption and decryption and extensive rootkit anti-tracking mechanisms are all part of Bvp47's implementation. It also features an advanced BPF engine, which is employed in advanced covert channels, as well as a communication encryption and decryption procedure.
The researchers say the attribution to the Equation Group is based on the fact the sample code shows similarities with exploits contained in the encrypted archive file 'eqgrp-auction-file.tar.xz.gpg' which was posted by the Shadow Brokers after the failed auction in 2016.
'Judging from the attack tools related to the organisation, including Bvp47, Equation Group is indeed a first-class hacking group,' the researchers said.