Details of an NSA Hacking Operation

Pangu Lab in China just published a report of a hacking operation by the Equation Group (aka the NSA). It noticed the hack in 2013, and was able to map it with Equation Group tools published by the Shadow Brokers (aka some Russian group).

…the scope of victims exceeded 287 targets in 45 countries, including Russia, Japan, Spain, Germany, Italy, etc. The attack lasted for over 10 years. Moreover, one victim in Japan is used as a jump server for further attack.

News article.

Posted on March 3, 2022 at 6:32 AM21 Comments


Andy March 3, 2022 7:59 AM

Notice the irony:

Pangu Lab has a code named “Operation Telescreen” for several Bvp47 incidents. Telescreen is a device imagined by British writer George Orwell in his novel “1984”. It can be used to remotely monitor the person or organization deploying the telescreen, and the “thought police” can arbitrarily monitor the information and behavior of any telescreen.

Ted March 3, 2022 9:38 AM

The report has a table that supposedly lists Bvp47 backdoor victims that were identified from the 2017 Shadow Broker leak. China tops the count with 64 records. Granted ‘Taiwan, China’ is 15 of those. Russia only has 11.

The cover of the report is an interesting choice, as it seems to represent kinetic activity more than cyber. “Peoples is no liking” this possibility I guess.

Who? March 3, 2022 9:47 AM

@ Ted

An unredacted listing is available from the original Shadow Brokers leak; it seems there is a huge amount of universities being targeted by the NSA around the world. It does not make a lot of sense if they are looking for terrorist activity.

M@ March 3, 2022 10:35 AM


The values of subverting academic networks are manifold, in no small part because “everyone does it” so keeping an eye on who else is subverting them and how is… academic.

TimH March 3, 2022 10:37 AM

@Who? The threat that govs are trying to anticipate are people who will be a threat to the status quo. It’s as much the next MLK as the next OBL. Effective intellectual threats usually go to university.

Mr. Peed Off March 3, 2022 10:53 AM

@ Who?

it seems there is a huge amount of universities being targeted by the NSA around the world. It does not make a lot of sense if they are looking for terrorist activity.

What is the age of the average “terrorist”? They might also be looking for promising recruits.

Denton Scratch March 3, 2022 11:39 AM

A possible explanation for the targeting of universities is that they tend to be rather vulnerable. Students enjoy trying to hack around firewalls, and academics resent any attempt to police the computers and networks they want to use.

The students are the cash-cow, and the academics are gods; but university sysadmins are the dirt on your shoe. A high-profile university sysadmin can look forward to a short career – better to try to be inconspicuous.

Ted March 3, 2022 11:52 AM


There were multiple universities and labs associated with the Manhattan Project. So among other things, intelligence services might try to keep tabs on R&D projects.

However, every intelligence service could have different targets or objectives. Putin had a brief KGB assignment at Leningrad State University:

So he accepted a job as the assistant to the rector for international affairs at his old university, a KGB position intended to keep an eye on students and visitors. At last, he would be “undercover,” though the true identity of officials in posts like that was, by intention, a poorly kept secret.

TimH March 3, 2022 1:31 PM

Not just the universities being targeted…

Under Title 10 (U.S.C., Sec. 503c), high schools must provide military recruiters access to high school students’ names, addresses, and telephone listings and the same access to high school students as is provided to colleges, or to prospective employers of those students. This is called “directory information”. Directory information may include information such as the student’s name, address, telephone listing, electronic mail address, photograph, date and place of birth, major field of study, grade level, enrollment status, dates of attendance, participation in officially recognized activities and sports, weight and height of members of athletic teams, degrees, honors, and awards received and the most recent educational institution attended.

Parents can opt out their kids out… but a kid can’t until 18 years old.

JonKnowsNothing March 3, 2022 2:53 PM

@ TimH

re: Not just the universities being targeted… Under Title 10 (U.S.C., Sec. 503c), high schools

US Recruiters can gain access to middle schools with their “pretend war” Junior ROTC programs.

There was a short time after Vietnam War when military recruiters were barred from schools and universities.

Then… the military-industrial-folks decided they couldn’t get enough cannon fodder using the standard tactics of harvesting their bodies from low-income areas where folks had few skills, little access to a good education or good jobs.

It’s easier to under-educated folks to sign up if it means marks can get “school money” provided they live long enough, with few enough disabilities to collect it.

Currently the body bounty runs up to $50,000 USD. Most bodies won’t see a fraction of that or negotiate for it.

iirc(not badly) I remember the first time I saw Military Recruiters on my University Campus after they had been banished. It was like looking at Godzilla-Groundhog Day. They were all grins, over all the raw meat.

Current tech skills that are desirable: playing FPS (first person shooter) games. Fast eye and hand (finger) responses. Possibly years of combat simulation training.

JonKnowsNothing March 3, 2022 3:12 PM

@ TimH @All

re: opt out

iirc(badly) RL tl;dr

Any body(M) of age in the USA is required to register. Most folks think that is for US Citizens but it’s not. It’s ANYBODY. If you are a tourist or student or traveling inside the USA and you are cannon fodder you have to register.

A friend from EU was visiting USA for the summer. They had to register. They got “selected” and “forced recruited” into the US Army. The person was posted to Germany as a listening-translator.

The US has few requirements as to how the Military treats the personnel but one is R&R (rest and recuperation). The rules change depending on war-requirements but at that time is was 1x per year.

Year 1 – R&R denied. Year 2 R&R denied. When year 3 came round, there was going to be a blow up over the conditions of enlistment. It was common knowledge that the friend was going to Bolt-For-Home as soon as he was let off the base.

A meeting happened. The type that never gets recorded. All sorts of interesting exchanges took place. The Offer: Instant US Citizenship. If he accepted he would be obligated to return.

He took the deal …

But only after the Military had provided and completed and stamped, signed, and delivered all the paperwork.

Things are not so generous nowadays.

In the UK and USA they accept non-citizens as members of the military and as in some periods in Roman Times, promise citizenship on completion of service.

The Military regularly forgets that promise, omits the paperwork, decides the deadline for application (which is not given specified) has expired.

It can be hazardous for some to bring their Families to Visit Disneyland.

Clive Robinson March 3, 2022 4:18 PM

@ Who?, Mr. Peed Off, ALL,

it seems there is a huge amount of universities being targeted by the NSA around the world. It does not make a lot of sense if they are looking for terrorist activity.

Remember the NSA targeted a Beligium Telco, in arder to get at Crypto Researchers.

The US spew a lot of nonsense about how they do not do “Industrial Espionage”, the cat climbed out the bag on that long before Ed Snowdens revelations provided a heap load more dots to join up.

At least the French were more honest about it with the head of their security services years ago say that spying was less expensive and more effective than R&D.

Thr hard part of indistrial espionage, has not been getting the information, that is almost trivially easy. No the hard part is covering up the fact you have not just stolen it but given it to others to use.

In effect the only easy way to do it is to give it to companies that already run “secret projects” so it just becomes one of many, thus “hides in the noise”.

But it also gives the agencies a way to pay people without having to give them money.

Not only does the company benift greatly, so do those who buy the company stock at an oportune time. Which would be a little while after they’ve had a chance to progress the information from the idustrial espionage, to the point that when the news gets out the share price will jump up as actual investors not share price manipulators climb on.

This jas been mentioned on this blog before.

The Joirnalist Duncan Campbell developed his own piece of technology to detect people tapping his telephone line, using the principles of Time Domain Reflectometery”(TDR). MI5 stole his design and got Marconi to make them for the UK security services… And the security services wondered why Duncan Campbell took a significant dislike to them, dug out their dirty laundry and aired it to the world via the EU Parliment (his report on Echelon being the one most remember).

These Governmental dirt bags, and that’s what they realy are claim that the rules do not apply to them because they are somehow “exceptional” and “have the moral high ground” and are “doong it for the common good”… I should not need to say that it’s a great big pile of bovine scat, and that it’s the same old “Divine Right” nonsense of the “King Game” which is “Might is right” and the guard labour will beat you into submission or worse “because…”.

vas pup March 3, 2022 4:28 PM

@Andy • March 3, 2022 7:59 AM

Yes, agree with you. Orwell wrote ‘1984’ as warning, but ‘collective O’Brien’ is using it as manual 🙁

@TimH • March 3, 2022 1:31 PM
The problem is looks like they are not using this information to really select best brains and skills and create for them
perfect condition for fast path development and mental growth in the critical fields of National Security and Defense. E.g. N Korea (yes, bad on human rights and so called democracy) is doing such thing clearly understanding that the main treasure of any country, organization, you name it is not natural resources (see Japan and example), not number of nuclear bombs (see Israel and S Korea as example) are brains and skills of their folks to create something new rather than those could only repeat as perrots some BS without even analyzing it by own head.

Clive Robinson March 3, 2022 4:48 PM

@ JonKnowsNothing,

It can be hazardous for some to bring their Families to Visit Disneyland.

If what I was once told was true, whilst thete is a lower age limit, there is no uper age limit.

So even Grand Pa could find himself drafted if he had “desirable skills” and that is what it is all about.

1, Youngsters as cannon fodder.
2, Those with skills that the USG has not paid for.

I think that Covid and the various “war acts” getting the dust blown off of them has woken more than one or two people up recently, and other events prior to that this century.

Oh and remember even if you live abroad, have never been to the US and don’t ever want to go to the US, and certainly have never made your way to the US for any reason, it does not stop this sort of thing… Like Israel the US take a “universal jurisdiction” view point and rendition is as the US has repeatedly shown, not that expensive, has minimal paperwork and most other nations just look the other way whilst they let you get thrown under the bus… Oh and if a government does get in the way, a few million in “bribes” usually resolves that.

ResearcherZero March 3, 2022 7:55 PM

@Clive Robinson

Via Belgacom International Carrier Services they could access many places.

GCHQ severely compromised Belgacom’s systems and could intercept encrypted and unencrypted private data passing through its networks.

Once administration of mobile telephone base station controllers can be accessed, and administrative credentials, then the GSM network could be manipulated.

Universities were host to B boards, and all kinds of people are watching, manipulating etc. A lot of spy activity goes on in places like that. It’s where all the young lawyers and wayward sons of political parties start out.

ResearcherZero March 3, 2022 8:19 PM

@Clive Robinson

To expand on that, there are people who were compromised in university around 30 years ago who have made recent headlines. Some mislead, some coerced, some recruited. Many operations have been reactive to prior targeting, compromise or infiltration of networks, companies and universities. Often another actor already had a well established presence.

ResearcherZero March 3, 2022 8:35 PM

…That other actor being Russia, which has had a much larger espionage footprint than is publicly known.

JonKnowsNothing March 3, 2022 8:42 PM


re: Grandpa Recruit

iirc(badly) a War Historian said (paraphrased)

The process of turning a civilian into a soldier is not dependent on age. Any age will do.

The primary difference in age groups, is the Military cannot convince a 40yo that they are having a “fun time” in the process.

ResearcherZero March 3, 2022 8:55 PM

The legend where Regin comes from is about the terrible effects of greed.

Fáfnir, is the son of the dwarf king Hreidmar and brother of Regin. After being affected by the curse of Andvari’s ring and gold, he becomes a dragon.

“Fáfnir breathed poison into the land around him so no one would go near him and his treasure, wreaking terror in the hearts of the people.”

Clive Robinson March 5, 2022 3:13 AM

@ ResearcherZero, ALL,

With regards “Regin”

A first “obvious” guess based on targets identified,

1, A Five-Eye SigInt agency.
2, Likely UK or possibly US.

But as the article notes “false flag” is highly likely…

As I’ve long said “attribution is hard, very hard” and it’s easy to be misled.

False flag games are easy to play when you’ve got sufficient of other entities attack and resident tools to use directly or as templates.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.