Chinese hackers used 'stolen' NSA tools a year before they were leaked by the Shadow Brokers

Evidence shows 'Buckeye' was using Bemstour and DoublePulsar tools as early as March 2016

Fingerprint on a Chinese key on a keyboard to denote cyber crime

Chinese hackers may have captured NSA-linked hacking tools to launch a series of devastating attacks against the US and its allies a year before these were infamously leaked by the Shadow Brokers.

The Buckeye group was previously thought to have launched attacks using a set of hacking tools developed by the NSA-linked Equation Group; stolen and leaked by a third collective known as the Shadow Brokers.

The Equation Group, widely thought to be linked to the NSA and considered among the most technically-sophisticated active groups, sustained an attack in 2016 in which a collection of its cyber weapons were stolen.

Shadow Brokers claimed responsibility for the 2016 hack and began to leak these tools in drips and drabs, before releasing a full and final cache the following year.

But evidence collected by Symantec shows a group known as Buckeye had been using these tools more than a year before the infamous Shadow Brokers leak, suggesting the Chinese group may have captured and repurposed the tools independently.

The first occasion on which these tools were identified came as early as 31 March 2016, according to the cyber security firm, during an attack on a target in Hong Kong.

Based on the code and the timing of the attacks, researchers have theorised that Buckeye hackers may have intercepted an active Equation Group attack and captured the tools, before designing their own versions.

"One possibility is that Buckeye may have engineered its own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack," the researchers said.

"Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye."

The evidence collected centres around two tools used in attacks by Buckeye known as Bemstour and DoublePulsar.

Bemstour exploits two Windows vulnerabilities together to achieve remote kernel code execution on targeted machines. This is used to install DoublePulsar, a backdoor, which subsequently launches a second payload. Notably, Buckeye's version of DoublePulsar was different from that leaked by the Shadow Brokers.

Buckeye disappeared in mid-2017, according to Symantec, and three alleged members were indicted in the US several months later.

But the Bemstour exploit as well as the specific DoublePulsar variant continued to be used until at least September 2018.

"Mystery also surrounds the continued use of the exploit tool and DoublePulsar after Buckeye's apparent disappearance," the researchers continued.

"It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group.

"However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group."

Featured Resources

Five lessons learned from the pivot to a distributed workforce

Delivering continuity and scale with a remote work strategy

Download now

Connected experiences in a digital transformation

Enable businesses to meet the demands of the future

Download now

Simplify to secure

Reduce complexity by integrating your security ecosystem

Download now

Enhance the safety and security of your people, assets and operations

Enable a true vision of security with an engineered solution based on hyperconverged and storage platforms

Download now

Recommended

What is cyber warfare?
Security

What is cyber warfare?

14 Sep 2020
'Largest ever' Magecart hack compromises 2,000 online stores
hacking

'Largest ever' Magecart hack compromises 2,000 online stores

15 Sep 2020
Infocyte integrates with Palo Alto Networks Cortex XSOAR
cyber security

Infocyte integrates with Palo Alto Networks Cortex XSOAR

19 Aug 2020
The Ritz suffers data breach after hackers pose as staff
data breaches

The Ritz suffers data breach after hackers pose as staff

17 Aug 2020

Most Popular

Accenture ploughs $3 billion into cloud migration support group
digital transformation

Accenture ploughs $3 billion into cloud migration support group

17 Sep 2020
Google Pixel 4a review: A picture-perfect package
Google Android

Google Pixel 4a review: A picture-perfect package

18 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020