Anatomy of suspected top-tier decade-hidden NSA backdoor
Pangu Lab has identified what it claims is a sophisticated backdoor that was used by the NSA to subvert highly targeted Linux systems around the world for more than a decade.
The China-based computer-security outfit says it first spotted the backdoor code, or advanced persistent threat, in 2013 when conducting a forensic investigation on a host in "a key domestic department" - presumably a Chinese company or government agency.
From the description, it appears that whoever created the code would first compromise a chosen Linux system and then install the backdoor on it.
Team Pangu called it Bvp47 because "Bvp" is the most common string in the sample code and the numerical value 0x47 is used in the encryption algorithm.
In its technical analysis [PDF], Pangu Labs says, "The implementation of Bvp47 includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it integrates advanced BPF engine used in advanced covert channels, as well as cumbersome communication encryption and decryption process."
The code conducts tests of its environment and deletes itself if it doesn't like what it sees.
News URL: https://go.theregister.com/feed/www.theregister.com/2022/02/23/chinese_nsa_linux/