Chinese APT used US hacking tools a year before Russians leaked them online

News by Rene Millman

NSA tools were in use by the Buckeye group well before Shadow Brokers leaked them, research claims

A Chinese hacking group was using NSA-developed hacking tools more than a year before the Shadow Brokers leak in April 2017, it is claimed.

According to research carried out by Symantec, the Buckeye attack group (also known as APT3 or Gothic Panda) began using Equation Group tools in attacks at least a year prior to the Shadow Brokers leak.

It said that variants of Equation Group tools used by Buckeye appear to be different from those released by Shadow Brokers, potentially indicating that they didn't originate from that leak.

Researchers found that a variant of DoublePulsar used in the first attacks performed by Buckeye was different to that leaked by the Shadow Brokers.

"It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware. It also includes an additional layer of obfuscation," said researchers.

It was noted that the group never used the FuzzBunch framework in its attacks. FuzzBunch is a framework designed to manage DoublePulsar and other Equation Group tools and was leaked by the Shadow Brokers in 2017. "This suggests that Buckeye only managed to gain access to a limited number of Equation Group tools," researchers said.

Researchers said that the Chinese did not steal the tools directly from the NSA. Rather, Buckeye may have engineered its own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack. Another theory is that Buckeye obtained the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation Group member or associate leaked the tools to Buckeye.

They added that mystery also surrounds the continued use of the exploit tool and DoublePulsar after Buckeye's apparent disappearance.

"It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group. However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group," said researchers.

Jake Moore, security specialist at ESET, told SC Media UK that attackers will always learn from security companies publishing findings but it is better to make people aware of current attack vectors and vulnerabilities to help thwart such attacks.

"Cyber-criminals are very good at adapting and being one step ahead of law enforcement and security vendors. However, cyber-warfare is one where we need to tread carefully," he said.

"Unknown unknowns are a huge headache for security professionals but it is made even more frustrating when American intelligence agencies have repeatedly had their hacking tools and highly classified cybersecurity details fall into the wrong hands including criminal groups."
