Chinese hackers using NSA exploits a year prior to leak


By Dylan Bushell-Embling
Thursday, 09 May, 2019

A Chinese hacking group was using elements from the leaked trove of NSA cyber-attack tools at least a year before the tools were leaked by the Shadow Brokers in April 2017, Symantec has discovered.

The group, which is variously known as Buckeye, APT3 and Gothic Panda, was using a variant of the DoublePulsar backdoor — which was released by the Shadow Brokers in 2017 — at least as early as March 2016.

The backdoor, along with the associated Bemstour exploit tool and two zero-day Windows vulnerabilities, was used to carry out attacks on Belgium, Hong Kong, Luxembourg, the Philippines and Vietnam, Symantec said.

The attacks targeted victims in the telecommunications, science and technology, and education sectors, and appear to have the motive of information theft.

While the Shadow Brokers started releasing the tools, which it claimed originated from the sophisticated hacking group Equation Group, in August 2016, the DoublePulsar backdoor was not released until the final large cache of tools was leaked in April 2017.

But the variant that had been put to use by Buckeye is different from the version leaked by the Shadow Brokers — it appears to be a newer version, as it has been updated to support later versions of Windows.

The Buckeye attacks also never used the FuzzBunch framework, which was designed to manage DoublePulsar and other tools from the leaked trove.

It is therefore unclear how Buckeye managed to gain access to the tools early, and it is possible that the group was only able to gain access to a limited portion of the arsenal.

According to Symantec, one possibility is that Buckeye reverse engineered the tools after observing an Equation Group attack. Other, less likely scenarios include Buckeye gaining access to a poorly secured Equation Group server, or a leak of the tools by a rogue member of the group.

While Buckeye disappeared in mid-2017 and three alleged members of the group were indicted in the US late that year, activity involving the DoublePulsar variant used by Buckeye continued until at least September 2018.

Symantec said this indicates that either Buckeye went underground by abandoning all tools publicly associated with the group or that it passed on some of its tools to another group.
