Chinese hackers used 'stolen' NSA tools a year before they were leaked by the Shadow Brokers

Evidence shows 'Buckeye' was using Bemstour and DoublePulsar tools as early as March 2016

Chinese hackers may have captured NSA-linked hacking tools to launch a series of devastating attacks against the US and its allies a year before these were infamously leaked by the Shadow Brokers.

The Buckeye group was previously thought to have launched attacks using a set of hacking tools developed by the NSA-linked Equation Group, tools that were stolen and leaked by a third collective known as the Shadow Brokers.

The Equation Group, widely thought to be linked to the NSA and considered among the most technically-sophisticated active groups, sustained an attack in 2016 in which a collection of its cyber weapons were stolen.

Shadow Brokers claimed responsibility for the 2016 hack and began to leak these tools in drips and drabs, before releasing a full and final cache the following year.

But evidence collected by Symantec shows a group known as Buckeye had been using these tools more than a year before the infamous Shadow Brokers leak, suggesting the Chinese group may have captured and repurposed the tools independently.

The first occasion on which these tools were identified came as early as 31 March 2016, according to the cyber security firm, during an attack on a target in Hong Kong.

Based on the code and the timing of the attacks, researchers have theorised that Buckeye hackers may have intercepted an active Equation Group attack and captured the tools, before designing their own versions.

"One possibility is that Buckeye may have engineered its own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack," the researchers said.

"Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye."

The evidence collected centres around two tools used in attacks by Buckeye known as Bemstour and DoublePulsar.

Bemstour exploits two Windows vulnerabilities together to achieve remote kernel code execution on targeted machines. This is used to install DoublePulsar, a backdoor, which subsequently launches a second payload. Notably, Buckeye's version of DoublePulsar was different from that leaked by the Shadow Brokers.

Buckeye disappeared in mid-2017, according to Symantec, and three alleged members were indicted in the US several months later.

But the Bemstour exploit as well as the specific DoublePulsar variant continued to be used until at least September 2018.

"Mystery also surrounds the continued use of the exploit tool and DoublePulsar after Buckeye's apparent disappearance," the researchers continued.

"It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group.

"However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group."
