Chinese Group Began Using NSA Tools a Year before They Were Leaked

A Chinese cyber espionage group was using NSA tools more than a year before the Shadow Brokers leaked them online in April 2017, according to a recent report by Symantec.

“The Buckeye attack group, aka APT3, was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak,” Symantec researchers said. “Variants of Equation Group tools used by Buckeye appear to be different from those released by Shadow Brokers, potentially indicating a different origin.

“Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability. This zero day was reported by Symantec to Microsoft in September 2018 and patched in March 2019.

“Beginning in March 2016, Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar), a backdoor that was subsequently released by the Shadow Brokers in 2017. DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar.

“Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers. One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec. The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools – EternalRomance and EternalSynergy – that were also released as part of the Shadow Brokers leak.”

It is unclear how the group got its hands on the tools before the Shadow Brokers leak.
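The quoted passage says Bemstour's job is to install DoublePulsar over SMB. Defenders cannot see Bemstour itself on the wire after the fact, but the DoublePulsar implant it drops is detectable: the public detection scripts (Countercept's detector and nmap's smb-double-pulsar-backdoor script) send an SMB1 Trans2 SESSION_SETUP request with MultiplexID 0x41, and an infected host echoes it back with the MID incremented by 0x10 (0x51), while a clean host answers with the original MID. The following is an added example, not code from Symantec or from the report; it builds that probe and parses replies, but sends nothing. The TID/UID values, the sample replies and the status value in them are constructed placeholders (a real scan obtains TID/UID from a prior negotiate, session setup and tree connect to IPC$); the only field the check relies on is the MID.

```python
import struct

# Constants from the SMB1 (CIFS) protocol and from the public DoublePulsar
# detection scripts (Countercept's detector, nmap's smb-double-pulsar-backdoor).
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E      # Trans2 subcommand the implant hooks
STATUS_NOT_IMPLEMENTED = 0xC0000002
PROBE_MID = 0x41                   # MultiplexID the detection scripts send
IMPLANT_MID_DELTA = 0x10           # the implant answers with MID + 0x10 (0x51)
SMB_FLAGS_REPLY = 0x80

SMB1_HEADER = "<BIBHH8sHHHHH"      # header fields after the 0xFF 'SMB' magic


def _wrap_netbios(smb):
    """Prepend the 4-byte NetBIOS session header (type 0, 3-byte big-endian length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def _smb1_header(command, status, flags, tid, uid, mid):
    # Flags2 0xC007 and PIDLow 0xFEFF mirror what common SMB1 clients send.
    return b"\xffSMB" + struct.pack(SMB1_HEADER, command, status, flags,
                                    0xC007, 0, b"\x00" * 8, 0,
                                    tid, 0xFEFF, uid, mid)


def build_trans2_session_setup_probe(tid, uid, mid=PROBE_MID):
    """Build the Trans2 SESSION_SETUP request used to ping DoublePulsar.

    tid and uid must come from an earlier negotiate / session setup / tree
    connect to IPC$; this example performs none of that and sends nothing.
    """
    params = b"\x00" * 12
    pad = b"\x00"
    # Offsets are measured from the start of the SMB header (after NetBIOS).
    param_offset = 32 + 1 + 30 + 2 + len(pad)
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        len(params), 0,        # TotalParameterCount, TotalDataCount
                        0, 0,                  # MaxParameterCount, MaxDataCount
                        0, 0,                  # MaxSetupCount, Reserved1
                        0,                     # Flags
                        0,                     # Timeout (0 for the ping)
                        0,                     # Reserved2
                        len(params), param_offset,
                        0, 0,                  # DataCount, DataOffset
                        1, 0,                  # SetupCount, Reserved3
                        TRANS2_SESSION_SETUP)  # Setup[0]
    body = bytes([15]) + words                 # WordCount = 15 (14 + SetupCount)
    body += struct.pack("<H", len(pad) + len(params)) + pad + params
    return _wrap_netbios(_smb1_header(SMB_COM_TRANSACTION2, 0, 0x18, tid, uid, mid) + body)


def parse_smb1(packet):
    """Parse the NetBIOS + SMB1 header of a packet; return a dict, or None if not SMB1."""
    if len(packet) < 36 or packet[0] != 0 or packet[4:8] != b"\xffSMB":
        return None
    if int.from_bytes(packet[1:4], "big") != len(packet) - 4:
        return None
    (command, status, flags, _flags2, _pid_hi, _sig, _rsv,
     tid, _pid_lo, uid, mid) = struct.unpack(SMB1_HEADER, packet[8:36])
    return {"command": command, "status": status, "tid": tid, "uid": uid,
            "mid": mid, "is_response": bool(flags & SMB_FLAGS_REPLY)}


def is_doublepulsar_reply(packet, probe_mid=PROBE_MID):
    """True if packet is a Trans2 response carrying the implant's MID echo (probe MID + 0x10)."""
    hdr = parse_smb1(packet)
    if hdr is None or not hdr["is_response"] or hdr["command"] != SMB_COM_TRANSACTION2:
        return False
    return hdr["mid"] == probe_mid + IMPLANT_MID_DELTA


def build_trans2_reply(mid, tid=0x0800, uid=0x0800):
    """Constructed sample reply (not captured traffic): an empty Trans2 response.
    The status value is a placeholder; the detection relies only on the MID."""
    body = b"\x00" + b"\x00\x00"   # WordCount 0, ByteCount 0
    return _wrap_netbios(_smb1_header(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED,
                                      0x18 | SMB_FLAGS_REPLY, tid, uid, mid) + body)


# Constructed samples: a clean host echoes the probe MID, the implant adds 0x10.
CLEAN_REPLY = build_trans2_reply(PROBE_MID)
INFECTED_REPLY = build_trans2_reply(PROBE_MID + IMPLANT_MID_DELTA)

if __name__ == "__main__":
    probe = build_trans2_session_setup_probe(tid=0x0800, uid=0x0800)
    print("probe bytes:", probe.hex())
    for name, pkt in (("clean", CLEAN_REPLY), ("infected", INFECTED_REPLY)):
        verdict = "DoublePulsar present" if is_doublepulsar_reply(pkt) else "no implant signature"
        print(name, "->", verdict)
```

The parser is the part worth reusing: pointed at SMB1 responses from a packet capture, `is_doublepulsar_reply` flags the MID-echo pattern without any active probing. Note that SMB1 has to be enabled on the target for the probe to get an answer at all, and the same is true of the EternalRomance/EternalSynergy path (CVE-2017-0143) the article quotes, so disabling SMB1 both closes that delivery route and makes this ping moot.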
