Chinese Cybersecurity Company Doxes Apparent NSA Hacking Operation

A Chinese security firm released a detailed report about what it says is malware created by Equation Group, a hacking group widely believed to be the NSA.
Image: Brooks Kraft LLC/Corbis via Getty Images
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

A Chinese cybersecurity company accused the NSA of being behind a hacking tool used for ten years in a report published on Wednesday

The report from Pangu Lab delves into malware that its researchers first encountered in 2013 during an investigation into a hack against “a key domestic department.” At the time, the researchers couldn’t figure out who was behind the hack, but then, thanks to leaked NSA data about the hacking group Equation Group—widely believed to be the NSA—released by the mysterious group Shadow Brokers and by the German magazine Der Spiegel, they connected the dots and realized it was made by the NSA, according to the report. 


“The Equation Group is the world's leading cyber-attack group and is generally believed to be affiliated with the National Security Agency of the United States. Judging from the attack tools related to the organization, including Bvp47, Equation group is indeed a first-class hacking group,” the report read, referring to the name of the tool the researchers found. “The tool is well-designed, powerful, and widely adapted. Its network attack capability equipped by 0day vulnerabilities was unstoppable, and its data acquisition under covert control was with little effort. The Equation Group is in a dominant position in national-level cyberspace confrontation.” 

Do you have more information about this case? Or similar cases of government hacking? We’d love to hear from you. From a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email

Pangu Lab could not be reached for comment. 

This is not the first time a Chinese cybersecurity company published research on an alleged American intelligence hacking operation. But it’s “pretty rare,” as Adam Segal, an expert in China’s cybersecurity at the Council on Foreign Relations, put it in an email to Motherboard.

“I don't know who Pangu's customers are, but it might also be something their customers want to hear right now, just like lots of Western cybersecurity companies post about Russian malware, because everyone in the West wants to hear about it right now,” Martijn Grooten, a veteran of the cybersecurity industry, told Motherboard in an online chat. “It also sounds like something the NSA would have the capabilities of doing. And something China would love to make public, especially now.”


This report may be a sign that Chinese cybersecurity companies are starting to follow the example of their Western counterparts and do more attribution. It could be “a shifting strategy to become more name and shame as the US government has employed,” Robert Lee, a former NSA analyst and founder of cybersecurity company Dragos, told Motherboard in an online chat. 

 For Richard Bejtlich, another veteran of the cybersecurity industry and author in residence at security firm Corelight, it’s a good thing that Chinese companies, and presumably China’s government, are improving their attribution capabilities, as “it will increase overall geopolitical stability,” as he tweeted.

“It is an inherently unstable situation to have parties lacking visibility into adversary activity. It breeds paranoia and in many cases an incentive to strike first. When you have insights into your adversary you can make more informed decisions,” Bejtlich told Motherboard in an online chat. “ When you lack them you are constantly worrying about being attacked, or already attacked, etc., and you can't be sure who is responsible. It's a classic intelligence situation. That's why spies on both sides are counterintuitively important.”

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.