In a shocking revelation, it turns out that a hacking group believed to be sponsored by Chinese intelligence had been using some of the zero-day exploits linked to the NSA’s Equation Group almost a year before the mysterious Shadow Brokers group leaked them.
According to a new report published by cybersecurity firm Symantec, a Chinese-linked group, which it calls Buckeye, was using the NSA-linked hacking tools as far back as March 2016, while the Shadow Brokers dumped some of the tools on the Internet in April 2017.
Active since at least 2009, Buckeye—also known as APT3, Gothic Panda, UPS Team, and TG-0110—is responsible for a large number of espionage attacks, mainly against defence and critical organizations in the United States.
Although Symantec did not explicitly name China in its report, researchers with a high degree of confidence have previously attributed [1,2] Buckeye hacking group to an information security company, called Boyusec, who is working on behalf of the Chinese Ministry of State Security.
Symantec’s latest discovery provides the first evidence that Chinese state-sponsored hackers managed to acquire some of the hacking tools, including EternalRomance, EternalSynergy, and DoublePulsar, a year before being dumped by the Shadow Brokers, a mysterious group that’s still unidentified.
According to the researchers, the Buckeye group used its custom exploit tool, dubbed Bemstour, to deliver a variant of DoublePulsar backdoor implant to stealthily collect information and run malicious code on the targeted computers.
Benstour tool was designed to exploit two then-zero-day vulnerabilities (CVE-2019-0703 and CVE-2017-0143) in Windows to achieve remote kernel code execution on targeted computers.
Microsoft addressed the CVE-2017-0143 vulnerability in March 2017 after it was found to have been used by two NSA exploits (EternalRomance and EternalSynergy) that were leaked by the Shadow Brokers group.
The previously unknown Windows SMB Server flaw (CVE-2019-0703) was discovered and reported by Symantec to Microsoft in September 2018 and patched by the tech giant just last month.
Researchers detected BuckEye’s hackers using the combination of the SMB exploit and the DoublePulsar backdoor to target telecommunications companies, as well as scientific research and education institutions in Hong Kong, Luxembourg, Belgium, the Philippines, and Vietnam from March 2016 to August 2017.
How Chinese Hackers Grabbed NSA Hacking Tools?
While Symantec doesn’t know how the Chinese hackers got the Equation Group tools before the Shadow Brokers leak, the security firm does state there’s a possibility that Buckeye may have captured the code from an NSA attack on their own computers and then reverse-engineered the malware to develop its own version of the tools.
“Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye,” Symantec says.
Buckeye appeared to cease its operations in mid-2017, and three alleged members of the group were indicted in the United States in November 2017. However, even after that, Bemstour and DoublePulsar tools used by Buckeye continued to be used until late 2018 in conjunction with different malware.
Although it is unknown who continued to use the tools, the researchers believe that the Buckeye group may have passed some of its tools to another group or “continued operating longer than supposed.”
After the Shadow Brokers leak, the NSA-linked exploit tools were then used by North Korean hackers and Russian intelligence, although the Symantec report suggests no apparent connection between the Buckeye acquisition of tools and the Shadow Brokers leak.