Chinese hackers using NSA exploits a year prior to leak

A Chinese hacking group was using elements from the leaked trove of NSA cyber-attack tools at least a year before the tools were leaked by the Shadow Brokers in April, Symantec has discovered.

The group, which is variously known as Buckeye, APT3 and Gothic Panda, was using a variant of the DoublePulsar backdoor — which was released by the Shadow Brokers in 2017 — at least as early as March 2016.

The vulnerability, and the associated Bemstour exploit tool and two zero day Windows vulnerabilities, were exploited to carry out attacks on Belgium, Hong Kong, Luxembourg, Hong Kong, the Philippines and Vietnam, Symantec said.

The attacks targeted victims in the telecommunications, science and technology, and education sectors, and appear to have the motive of information theft.

While the Shadow Brokers started releasing the tools it claimed to have originated from sophisticated hacking group Equation Group in August 2016, the DoublePulsar backdoor was not released until the final large cache of tools was leaked in April 2017.

But the variant that had been put to use by Buckeye is different to the version leaked by the Shadow Brokers — it appears to be a newer version as it has been updated to support later versions of Windows.

The Buckeye attacks also never used the FuzzBunch framework, which was designed to manage DoublePulsar and other tools from the leaked trove.

It is therefore unclear how Buckeye managed to gain access to the tools early, and it is possible that the group was only able to gain access to a limited portion of the arsenal.

According to Symantec, one possibility is that Buckeye reverse engineered the tools based on observing an Equation Group attack. Other less likely scenarios include Buckeye gaining access to a poorly secured Equation Group survey or a leak of the tools by a rogue member of the group.

While Buckeye disappeared in mid-2017 and three alleged members of the group were indicted in the US late that year, activity involving the DoublePulsar variant used by Buckeye continued until at least September 2018.

Symantec said this indicates that either Buckeye went underground by abandoning all tools publicly associated with the group or that it passed on some of its tools to another group.

Image credit: ©stock.adobe.com/au/monsitj

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.