Some of the U.S. government-linked exploit tools that were published online by the Shadow Brokers hacking group in 2016 and 2017 were actually employed by Chinese actors well before that infamous leak occurred, researchers say.

In a blog post yesterday, Symantec reported that its threat research team discovered evidence that cyber espionage actor APT3, aka Gothic Panda or Buckeye, had been using “Equation Group” hacking tools – widely attributed to the National Security Agency – since at least March 2016, several months prior to the Shadow Brokers’ first leak.

One of these tools was a backdoor named DoublePulsar that injects a secondary payload into memory, fully compromising the infected machine. But APT3’s version of DoublePulsar was actually a different variant than the one that was publicly leaked. This suggests that the Buckeye actors “may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack,” the blog post theorizes.

While Symantec didn’t entirely rule out the possibility that APT3 stole the tools from an Equation Group/NSA server or that a rogue NSA employee supplied the tools to the Chinese actors the evidence doesn’t support these theories as strongly.

APT3 delivered DoublePulsar to its victims via a custom exploit tool called Bemstour, which exploited two Windows vulnerabilities together in order to achieve remote code execution. One of these vulnerabilities, CVE-2017-0143, is a message type confusion error that was also abused by two leaked Equation Group exploit tools, EternalRomance and EternalSynergy. Microsoft patched this flaw shortly after the Shadow Brokers incident.

This second flaw, CVE-2019-0703, actually remained an undiscovered zero-day until Symantec uncovered it last year. The Windows SMB server information disclosure vulnerability was reported in September 2018 and subsequently patched by Microsoft in March 2019.

Bemstour itself would typically be delivered one of two Buckeye backdoor’s known as Pipri and Filensfer. Symantec traced Buckeye’s first known use of Bemstour to a March 31, 2016 attack on a target in Hong Kong. A second attack against a Belgian educational institution followed one hour later. Benstour has undergone a series of evolutions since then. The most recent sample viewed by Symantec was apparently compiled on March 23, 2019, 11 days after CVE-2019-0703 was patched by Microsoft.

“The purpose of all the attacks was to acquire a persistent presence on the victim’s network, meaning information theft was the most likely motive behind the activity,” Symantec asserts.

There remains a lingering mystery that Symantec’s research hasn’t yet answered: Buckeye was thought to have dissolved by mid-2017, and yet the Bemstour exploit tool and DoublePulsar variant used by Buckeye continued to be used until at least September 2018. “It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group,” Symantec explains. “However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group.”