A Chinese cyber espionage group was using NSA tools more than a year before Shadow Brokers leaked them online, according to a recent report by Symantec.
“The Buckeye attack group, aka APT3, was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak,” Symantec researchers said. “Variants of Equation Group tools used by Buckeye appear to be different from those released by Shadow Brokers, potentially indicating a different origin.
“Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability. This zero day was reported by Symantec to Microsoft in September 2018 and patched in March 2019.
“Beginning in March 2016, Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar), a backdoor that was subsequently released by the Shadow Brokers in 2017. DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar.
“Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers. One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec. The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools – EternalRomance and EternalSynergy – that were also released as part of the Shadow Brokers leak.”
It is unclear how the group got their hands on the tools before the Shadow Brokers leak.