Exclusive: Evidence of US monitoring 45 countries, regions exposed by Chinese cybersecurity experts for the 1st time
Published: Feb 23, 2022 02:08 PM Updated: Feb 23, 2022 11:54 PM
Cyber security. Photo: IC

Cyber security. Photo: IC

An elite hacking group under the US National Security Agency (NSA) was found to have been creating an advanced and covert backdoor which has been used to monitor 45 countries and regions for over a decade, the Global Times learned from a Beijing-based cybersecurity lab exclusively on Wednesday.

Experts from Qi An Pangu lab said on Wednesday they have declassified the full technical details and organizational links of "Telescreen" (Bvp47), a top-of-the-line backdoor created by Equation - an elite hacking group affiliated with the NSA. 

This is the first time that Chinese cybersecurity experts have publicly exposed the complete chain of technical evidence about the advanced persistent threat (APT) attack launched by Equation. 

Experts from the lab told the Global Times that the "Telescreen" has been raging around the world for more than a decade, infiltrating 45 countries and regions including China, Russia, Japan, Germany, Spain and Italy, and involving 287 important institutional targets. Japan, though a victim itself, has also been used as a springboard to launch attacks on targets in other countries and regions.

PRISM scandal link

A backdoor is one type of APT attacks in cyberspace. It refers to a way to bypass security controls to gain access to the network system, similar to a cyber virus. 

According to a report released by the Qi An Pangu lab, in 2013, researchers from the lab extracted a suspected backdoor by complex encryption during their investigation into a victim computer host in China. After successfully breaking the backdoor program, researchers identified it as a top backdoor program used for APT attacks. 

However, further investigation was impeded as it requested a private key to activate the remote control function of the backdoor.

In 2016, the Shadow Brokers, a well-known hacking group, claimed to have hacked into Equation and it released a large number of the organization's hacking tools and data in two years. 

Researchers from Pangu lab then found files suspected to contain private keys from the files published by Shadow Brokers, which happened to be the only asymmetric encryption private key that could activate the backdoor, and further directly control the backdoor remotely. 

"It can be concluded that Bvp47 is a hacking tool belonging to Equation," the lab report said. 

Through a further probe, researchers found that multiple programs and attack manuals disclosed by Shadow Brokers matched the unique identifiers used in the operating manuals of the NSA's cyberattack platform, which were exposed by former CIA analyst Edward Snowden in the 2013 PRISM scandal.

Given that the US government has charged Snowden with three counts of "unauthorized communication of national defense information and willful communication of classified intelligence," it is clear that the documents released by Shadow Brokers are NSA documents. This is sufficient evidence that Equation is part of the NSA, and that Bvp47 is the NSA's top backdoor, the report said.

Researchers at the lab gave Bvp47 a code name, Telescreen Operation. A telescreen is a device imagined by British writer George Orwell in his novel 1984, which can be used to remotely monitor people or organizations, and grasp the information at the hackers' will. 

Good at hiding, hard to track

"Backdoors allow hackers to peer into an organization's internal network, almost as if they had installed a telescreen in the targets' houses and kept all secrets in their hands,"  Han Zhengguang, founder of Pangu lab, told the Global Times on Wednesday.

According to Han, compared with APT attacks, the Telescreen Operation features high technical complexity, architecture flexibility and high strength of analysis and forensics countermeasures, which allow hackers to obtain data and information very easily. 

Analysis finds that the Telescreen Operation backdoor could allow hackers to attack operation systems including Linux, AIX, Solaris and SUN, and the backdoor has been active for over 10 years. 

"The 'best' thing about this backdoor is that it's extremely hidden and good at self-destructing. Before the victim is aware of the danger, the information is leaked, and it's hard to trace after that," Han said.

According to Han, the backdoor has been deployed in at least 64 targets covering basic core data departments of communication, top universities and military-related departments in China. 

"The backdoor has also attacked 287 goals in more than 45 countries and regions, including Russia, Japan, Spain, Germany, and Italy. Japan, as a victim, was also used as a springboard to attack other countries, covering their prestigious universities, research institutions, communications companies and government departments," Han said.

For a long time, there have been voices supporting the West to portray the Chinese government and military as hackers. Chinese cybersecurity experts pointed out that these false allegations have political motives - hype China's so-called cyber threat and stigmatizing China to conceal the fact that the US itself, the main implementer of the PRISM program, is the world's largest cyberattacker, secrets stealer and the veritable "matrix," like in the movies.

The Telescreen Operation is not US' first large-scale cyberattack, nor will be its last. The global APT attacks are increasingly frequent with a wider range of targets, causing greater harm and being more concealed, and China is one of the largest victims, Han said. 

Experts also called on governments and industrial chains around the world to work together to effectively deal with threats and safeguard cybersecurity.