On February 23, Beijing Qi'an Pangu Lab Technology Co., Ltd. (hereinafter "Pangu Lab") published a report on its website, www.pangulab.cn, disclosing the full technical details of the top-tier US backdoor "Operation Telescreen" (Bvp47) and the attribution of the group behind it.

According to Pangu Lab, "Operation Telescreen" (Bvp47) is a top-tier backdoor created by the elite hacker group "Equation", affiliated with the NSA (US National Security Agency), to spy on and control a victim organization's network after intrusion. To date it has compromised 45 countries and regions around the world.

On its web page, Pangu Lab lays out the complete chain of technical evidence for this top-tier backdoor:

"In 2013, a researcher from Pangu Lab extracted a complex, encrypted Linux backdoor while investigating the host of a domestic key department. Its self-destruction design had never been seen before. Although it could not be fully decrypted, it was further found that this backdoor program needs a check code bound to the host in order to run normally; the researchers then cracked the check code and successfully ran the backdoor program, whose behavioral functions showed it to be a top-tier APT backdoor. Further investigation, however, required the attacker's asymmetric encryption private key to activate the remote-control function, so the researchers' investigation was blocked at that point. Based on the most common string in the sample, 'Bvp', and the value 0x47 used in the encryption algorithm, it was named 'Bvp47'.

In 2016, the well-known hacker group 'The Shadow Brokers' claimed to have successfully hacked into the 'Equation Group', and in 2016 and 2017 successively released a large number of 'Equation Group' hacking tools and data. Members of Pangu Lab discovered, among the files published by the 'Shadow Brokers', a group of files suspected of containing private keys, and one of them happened to be the only asymmetric encryption private key able to activate the top-tier Bvp47 backdoor, allowing it to be directly and remotely activated and controlled. It can be concluded that Bvp47 is a hacking tool belonging to the 'Equation Group'."

After further research, Pangu Lab found that the unique identifiers in the multiple programs and attack operation manuals disclosed by the "Shadow Brokers" exactly match those in the operation manual of the NSA network-attack platform exposed by Snowden in the 2013 "Prism Gate" (PRISM) incident.

According to Pangu Lab, "Given that the U.S. government has charged Snowden with three counts of 'unauthorized dissemination of national defense information and intentional dissemination of classified information', it can be concluded that the documents released by the 'Shadow Brokers' are indeed the NSA's. It also fully demonstrates that the Equation Group is affiliated with the NSA, and that Bvp47 is the NSA's top-tier backdoor."

It is reported that the victims revealed by the "Shadow Brokers" documents span more than 45 countries and regions, with a total of 287 targets.

As a result, Pangu Lab has given the many incidents involving Bvp47-homologous samples a code name based on the fictional surveillance device "telescreen" in the novel "1984" by British author George Orwell: "Operation Telescreen".

Click to download the full technical report:
https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.zh-cn.pdf


Source: SegmentFault Editorial Department (思否编辑部)