Chinese Hacking Group Used Stolen NSA Hacking Tools Ahead of Shadow Brokers’ Leaks

Security Ledger, May 9, 2019, with comments by Ray DeMeo

NSA Hacking tools Stolen in 2016 Were Leaked into the Wild in 2016 and 2017

In August of 2016, the mysterious group called The Shadow Brokers released its first round of stolen NSA hacking tools into the wild. They reportedly stole these prized hacking tools from the Equation Group, the NSA’s own private hacking group.

Soon after the Shadow Brokers' April 2017 leak, the stolen hacking tools (DoublePulsar, EternalBlue, EternalRomance) were used to carry out two of the world's most destructive cyberattacks to date, WannaCry and NotPetya.

The Shadow Brokers' theft of the Equation Group hacking tools was an extraordinary feat, but even more stunning is that it may not have been the first time these tools were stolen from the NSA.

Chinese state-sponsored group – 'Buckeye' – used hacking tools before Shadow Broker leaks

Researchers have found evidence that a Chinese state-sponsored hacking group, also tracked as APT3 and Gothic Panda, was using stolen NSA hacking tools (DoublePulsar, etc.), as well as variants of these tools, up to a year before the Shadow Brokers leaks.

This raises the question of whether there was another NSA breach before the Shadow Brokers. The NSA has already faced difficult questions over how its security could have been breached so drastically, and possibly twice. The theft of these hacking tools, arguably among its most valuable assets, is possibly one of the most regrettable and damaging events in the agency's history, both for its own reputation and for the security of organizations worldwide.

Research firms agree that this Chinese state-sponsored threat actor is a Chinese Ministry of State Security contractor operating out of Guangzhou. Buckeye is the name Symantec has given the group; it is also known as APT3 (Advanced Persistent Threat 3).

Buckeye carried out its attacks in 2016 with stolen NSA hacking tools and with variants of those tools. The origin of the variants is uncertain. In March 2016, Buckeye appears to have begun using the DoublePulsar backdoor together with a Trojan exploit tool, Bemstour, to target computers in Hong Kong. Bemstour achieves remote kernel code execution by exploiting two Windows vulnerabilities:

1) CVE-2019-0703 – a zero-day vulnerability discovered by Symantec
2) CVE-2017-0143 – the vulnerability also exploited by EternalRomance and EternalSynergy, two exploit tools released by the Shadow Brokers.

Microsoft patched the vulnerability in March 2017 following Symantec's report.

How did the Buckeye Threat Actors get the Equation Group’s hacking tools?

While Buckeye used the hacking tools in 2016, researchers don't believe the group is responsible for stealing them. Instead, researchers believe Buckeye obtained the tools and repurposed them for its own use. Even though the Buckeye threat actors seem to have disappeared in 2017, the variant tools are still being used.

Researchers wrote, “Based on the timing of the attacks and the features of the hacking tools and how they are constructed, one possibility is that Buckeye may have engineered its own version of the hacking tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack.”

Ray DeMeo, Co-founder and COO of Virsec, told Security Ledger:
“The idea of stockpiling cyberweapons is problematic. Unlike conventional weapons, most cyber weapons exploit long-dormant vulnerabilities in widely used applications and platforms like Microsoft Windows. Keeping a widespread vulnerability secret and hoping that no other players discover it is inherently dangerous. Plus, if using a new cyber weapon allows your adversary to grab it, improve upon it, and turn it against you then we should be thinking a lot more about defense, rather than risky offensive moves.

“However these hacking tools got out there, we’ve now entered a new level in the cyber arms race where hacking tools like Double Pulsar and Eternal Synergy exploit a blind spot in cybersecurity, attacking applications during runtime at the memory level. It’s imperative that we deploy new defenses against these fileless attacks that easily bypass conventional security.”

Read the full Security Ledger article: Chinese APT Group Used Stolen NSA Hacking Tools Before Shadow Brokers.


Sources: tools-before-shadow-brokers/