
Researchers: Chinese APT group used stolen NSA tools prior to Shadow Brokers leak


Some of the U.S. government-linked exploit tools that were published online by the Shadow Brokers hacking group in 2016 and 2017 were actually employed by Chinese actors well before that infamous leak occurred, researchers say.

In a blog post yesterday, Symantec reported that its threat research team discovered evidence that cyber espionage actor APT3, aka Gothic Panda or Buckeye, had been using "Equation Group" hacking tools – widely attributed to the National Security Agency – since at least March 2016, several months prior to the Shadow Brokers' first leak.

One of these tools was a backdoor named DoublePulsar that injects a secondary payload into memory, fully compromising the infected machine. But APT3's version of DoublePulsar was actually a different variant than the one that was publicly leaked. This suggests that the Buckeye actors "may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack," the blog post theorizes.

While Symantec didn't entirely rule out the possibility that APT3 stole the tools from an Equation Group/NSA server, or that a rogue NSA employee supplied the tools to the Chinese actors, the evidence doesn't support these theories as strongly.

APT3 delivered DoublePulsar to its victims via a custom exploit tool called Bemstour, which exploited two Windows vulnerabilities together in order to achieve remote code execution. One of these vulnerabilities, CVE-2017-0143, is a message type confusion error that was also abused by two leaked Equation Group exploit tools, EternalRomance and EternalSynergy. Microsoft patched this flaw shortly after the Shadow Brokers incident.

The second flaw, CVE-2019-0703, actually remained an undiscovered zero-day until Symantec uncovered it last year. The Windows SMB server information disclosure vulnerability was reported in September 2018 and subsequently patched by Microsoft in March 2019.

Bemstour itself would typically be delivered by one of two Buckeye backdoors known as Pipri and Filensfer. Symantec traced Buckeye's first known use of Bemstour to a March 31, 2016 attack on a target in Hong Kong. A second attack against a Belgian educational institution followed one hour later. Bemstour has undergone a series of evolutions since then. The most recent sample viewed by Symantec was apparently compiled on March 23, 2019, 11 days after CVE-2019-0703 was patched by Microsoft.

"The purpose of all the attacks was to acquire a persistent presence on the victim's network, meaning information theft was the most likely motive behind the activity," Symantec asserts.

There remains a lingering mystery that Symantec's research hasn't yet answered: Buckeye was thought to have dissolved by mid-2017, and yet the Bemstour exploit tool and DoublePulsar variant used by Buckeye continued to be used until at least September 2018. "It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group," Symantec explains. "However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
