Chinese hackers used 'stolen' NSA tools a year before they were leaked by the Shadow Brokers

Evidence shows 'Buckeye' was using Bemstour and DoublePulsar tools as early as March 2016


Chinese hackers may have captured NSA-linked hacking tools to launch a series of devastating attacks against the US and its allies a year before these were infamously leaked by the Shadow Brokers.

The Buckeye group was previously thought to have launched attacks using a set of hacking tools developed by the NSA-linked Equation Group, which were stolen and leaked by a third collective known as the Shadow Brokers.

The Equation Group, widely thought to be linked to the NSA and considered among the most technically sophisticated active groups, sustained an attack in 2016 in which a collection of its cyber weapons was stolen.

Shadow Brokers claimed responsibility for the 2016 hack and began to leak these tools in dribs and drabs, before releasing a full and final cache the following year.

But evidence collected by Symantec shows a group known as Buckeye had been using these tools more than a year before the infamous Shadow Brokers leak, suggesting the Chinese group may have captured and repurposed the tools independently.

The first occasion on which these tools were identified came as early as 31 March 2016, according to the cyber security firm, during an attack on a target in Hong Kong.

Based on the code and the timing of the attacks, researchers have theorised that Buckeye hackers may have intercepted an active Equation Group attack and captured the tools, before designing their own versions.

"One possibility is that Buckeye may have engineered its own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack," the researchers said.

"Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation Group member or associate leaked the tools to Buckeye."

The evidence collected centres around two tools used in attacks by Buckeye known as Bemstour and DoublePulsar.

Bemstour exploits two Windows vulnerabilities together to achieve remote kernel code execution on targeted machines. This is used to install DoublePulsar, a backdoor, which subsequently launches a second payload. Notably, Buckeye's version of DoublePulsar was different from that leaked by the Shadow Brokers.

Buckeye disappeared in mid-2017, according to Symantec, and three alleged members were indicted in the US several months later.

But the Bemstour exploit as well as the specific DoublePulsar variant continued to be used until at least September 2018.

"Mystery also surrounds the continued use of the exploit tool and DoublePulsar after Buckeye's apparent disappearance," the researchers continued.

"It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group.

"However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group."
