Chinese hackers used 'stolen' NSA tools a year before they were leaked by the Shadow Brokers

Evidence shows 'Buckeye' was using Bemstour and DoublePulsar tools as early as March 2016

Chinese hackers may have captured NSA-linked hacking tools to launch a series of devastating attacks against the US and its allies a year before these were infamously leaked by the Shadow Brokers.

The Buckeye group was previously thought to have launched attacks using a set of hacking tools developed by the NSA-linked Equation Group, which were stolen and leaked by a third collective known as the Shadow Brokers.

The Equation Group, widely thought to be linked to the NSA and considered among the most technically sophisticated active groups, sustained an attack in 2016 in which a collection of its cyber weapons was stolen.

Shadow Brokers claimed responsibility for the 2016 hack and began to leak these tools in dribs and drabs, before releasing a full and final cache the following year.

But evidence collected by Symantec shows a group known as Buckeye had been using these tools more than a year before the infamous Shadow Brokers leak, suggesting the Chinese group may have captured and repurposed the tools independently.

The first occasion on which these tools were identified came as early as 31 March 2016, according to the cyber security firm, during an attack on a target in Hong Kong.

Based on the code and the timing of the attacks, researchers have theorised that Buckeye hackers may have intercepted an active Equation Group attack and captured the tools, before designing their own versions.

"One possibility is that Buckeye may have engineered its own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack," the researchers said.

"Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye."

The evidence collected centres around two tools used in attacks by Buckeye known as Bemstour and DoublePulsar.

Bemstour exploits two Windows vulnerabilities together to achieve remote kernel code execution on targeted machines. This is used to install DoublePulsar, a backdoor, which subsequently launches a second payload. Notably, Buckeye's version of DoublePulsar was different from that leaked by the Shadow Brokers.

Buckeye disappeared in mid-2017, according to Symantec, and three alleged members were indicted in the US several months later.

But the Bemstour exploit as well as the specific DoublePulsar variant continued to be used until at least September 2018.

"Mystery also surrounds the continued use of the exploit tool and DoublePulsar after Buckeye's apparent disappearance," the researchers continued.

"It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group.

"However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group."
