Chinese hackers used 'stolen' NSA tools a year before they were leaked by the Shadow Brokers

Evidence shows 'Buckeye' was using Bemstour and DoublePulsar tools as early as March 2016

Fingerprint on a Chinese key on a keyboard to denote cyber crime

Chinese hackers may have captured NSA-linked hacking tools to launch a series of devastating attacks against the US and its allies a year before these were infamously leaked by the Shadow Brokers.

The Buckeye group was previously thought to have launched attacks using a set of hacking tools developed by the NSA-linked Equation Group; stolen and leaked by a third collective known as the Shadow Brokers.

The Equation Group, widely thought to be linked to the NSA and considered among the most technically-sophisticated active groups, sustained an attack in 2016 in which a collection of its cyber weapons were stolen.

Shadow Brokers claimed responsibility for the 2016 hack and began to leak these tools in drips and drabs, before releasing a full and final cache the following year.

But evidence collected by Symantec shows a group known as Buckeye had been using these tools more than a year before the infamous Shadow Brokers leak, suggesting the Chinese group may have captured and repurposed the tools independently.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The first occasion on which these tools were identified came as early as 31 March 2016, according to the cyber security firm, during an attack on a target in Hong Kong.

Based on the code and the timing of the attacks, researchers have theorised that Buckeye hackers may have intercepted an active Equation Group attack and captured the tools, before designing their own versions.

"One possibility is that Buckeye may have engineered its own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack," the researchers said.

"Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye."

The evidence collected centres around two tools used in attacks by Buckeye known as Bemstour and DoublePulsar.

Advertisement - Article continues below

Bemstour exploits two Windows vulnerabilities together to achieve remote kernel code execution on targeted machines. This is used to install DoublePulsar, a backdoor, which subsequently launches a second payload. Notably, Buckeye's version of DoublePulsar was different from that leaked by the Shadow Brokers.

Buckeye disappeared in mid-2017, according to Symantec, and three alleged members were indicted in the US several months later.

But the Bemstour exploit as well as the specific DoublePulsar variant continued to be used until at least September 2018.

"Mystery also surrounds the continued use of the exploit tool and DoublePulsar after Buckeye's apparent disappearance," the researchers continued.

"It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group.

"However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/28170/what-is-cyber-warfare
Security

What is cyber warfare?

20 Sep 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Visit/network-internet/web-browser/354614/microsoft-developer-declares-its-time-to-ditch-ie-for-edge
web browser

Microsoft developer declares it's time to ditch IE for Edge

23 Jan 2020