A Chinese threat group was using hacking tools developed by the NSA more than a year before Shadow Brokers leaked them in April 2017, tools that were later used in highly destructive attacks such as the WannaCry ransomware campaign from May 2017.
The Buckeye threat group (also known to researchers as Gothic Panda, TG-0110, UPS, and APT3) has been active since at least 2010. Experts credit it with running Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap [1, 2, 3], and with mainly attacking U.S. entities before a sudden switch to Hong Kong targets in 2015.
The indictment of three APT3 members by the U.S. government in November 2017 is what really brought the group into the spotlight, with the three Chinese hackers being accused of infiltrating the computing systems of Moody’s Analytics, Siemens, and Trimble between 2011 and May 2017.
As unearthed by Symantec, the Chinese-backed Buckeye was using NSA hacking tools 13 months before they were leaked by Shadow Brokers—the hacking group who stole them—in April 2017, together with a “previously unknown Windows zero-day vulnerability that Symantec discovered (which has since been patched by Microsoft).”
Starting in March 2016, the NSA DoublePulsar backdoor was detected as part of Buckeye campaigns, dropped with the help of the Bemstour Trojan, a malware dropper specifically created by the group to deliver the NSA malware payload.
Symantec discovered that the variant used by Buckeye during their attacks was newer than the one leaked by Shadow Brokers, with an extra layer of obfuscation which might indicate that the Chinese hackers customized it before deployment on their victims’ systems.
It wouldn’t be the first time DoublePulsar was tweaked for other purposes given that it got modified in June 2018 to target machines running the Windows IoT operating system (formerly known as Windows Embedded).
DoublePulsar proved to be a highly effective tool: one week after it was leaked, security researchers found more than 36,000 infected computers around the world by examining how hosts responded to SMB connection probes.
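The SMB-response method mentioned above is worth seeing concretely from the defender's side. The following is an added example, not code from the article or from Symantec: it parses the fixed 32-byte SMB1 header out of a captured response and flags the known DoublePulsar signature, in which the implant answers a Trans2 SESSION_SETUP probe with MultiplexID 0x51 while a clean Windows SMB stack echoes back the 0x41 it was sent. The two sample responses are constructed inline (the TID/PID/UID values and the NT status are placeholders chosen for illustration), and the function names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32

# Signature used by the public DoublePulsar detection checks: a Trans2
# SESSION_SETUP probe sent with MID 0x41 is answered with MID 0x51 by the
# implant's hooked SMB handler, while an uninfected host echoes 0x41.
PROBE_MID = 0x41
DOUBLEPULSAR_MID = 0x51


@dataclass
class Smb1Header:
    command: int
    status: int
    flags2: int
    tid: int
    pid: int
    uid: int
    mid: int


def parse_smb1_header(data: bytes) -> Smb1Header:
    """Parse the 32-byte SMB1 header, skipping a NetBIOS session header if present."""
    # NetBIOS session message: 1 type byte (0x00) + 3-byte big-endian length
    if len(data) >= 8 and data[0] == 0x00 and data[4:8] == SMB1_MAGIC:
        data = data[4:]
    if len(data) < 32 or data[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    # offsets 4..13: command, NT status, flags, flags2, PID high
    command, status, _flags, flags2, pid_high = struct.unpack_from("<BIBHH", data, 4)
    # offsets 14..23 (security signature + reserved) are skipped
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", data, 24)
    return Smb1Header(command, status, flags2, tid, (pid_high << 16) | pid_low, uid, mid)


def is_doublepulsar_response(data: bytes) -> bool:
    """True if a Trans2 response carries the implant's MultiplexID."""
    try:
        hdr = parse_smb1_header(data)
    except ValueError:
        return False
    return hdr.command == SMB_COM_TRANSACTION2 and hdr.mid == DOUBLEPULSAR_MID


def infected_hosts(responses: Dict[str, bytes]) -> List[str]:
    """Given captured {host: raw SMB response} pairs, return hosts showing the signature."""
    return sorted(host for host, raw in responses.items() if is_doublepulsar_response(raw))


def build_trans2_response(mid: int) -> bytes:
    """Construct a minimal Trans2 error response (sample data, not a real capture)."""
    status_not_implemented = 0xC0000002  # constructed: what the probe normally elicits
    header = (
        SMB1_MAGIC
        + bytes([SMB_COM_TRANSACTION2])
        + struct.pack("<I", status_not_implemented)
        + bytes([0x98])               # flags: reply, case-insensitive, canonical paths
        + struct.pack("<H", 0xC007)   # flags2: unicode, NT status, long names
        + struct.pack("<H", 0)        # PID high
        + b"\x00" * 8                 # security signature (unsigned)
        + b"\x00" * 2                 # reserved
        + struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0008, mid)  # TID, PID low, UID, MID
    )
    body = b"\x00\x00\x00"  # WordCount 0, ByteCount 0
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed samples: one clean host, one showing the implant signature.
CLEAN_RESPONSE = build_trans2_response(PROBE_MID)
INFECTED_RESPONSE = build_trans2_response(DOUBLEPULSAR_MID)

if __name__ == "__main__":
    sample = {"10.0.0.5": CLEAN_RESPONSE, "10.0.0.9": INFECTED_RESPONSE}
    print("hosts with DoublePulsar signature:", infected_hosts(sample))
```

The check is intentionally narrow: it reads only the header fields, so it can be run over packet captures or logged responses without any further interaction with the hosts, and it returns false for anything that is not a well-formed SMB1 Trans2 reply rather than guessing.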
Also, the fact that the threat group never employed the FuzzBunch framework designed to offer an easy management platform for all the NSA hacking tools hints at the Chinese hackers not gaining access to the entire malicious cache leaked by the Shadow Brokers.
| | March 2016 | September 2016 | April 2017 | June 2017 | June 2017 | August 2017 |
|---|---|---|---|---|---|---|
| Target locations | Hong Kong, Belgium | Hong Kong | | Luxembourg | Philippines | Vietnam |
| Exploit tool | Bemstour Exploit Tool (V1) | Bemstour Exploit Tool (V2) | Shadow Brokers Leak | Bemstour Exploit Tool (V1) | Bemstour Exploit Tool (V1 & V2) | Bemstour Exploit Tool (V2) |
| Payload | DoublePulsar | DoublePulsar (32-bit) or custom payload only (64-bit) | | DoublePulsar | DoublePulsar (32-bit) or custom payload only (64-bit) | DoublePulsar (32-bit) or custom payload only (64-bit) |
Many questions remain after Symantec’s findings, from the method through which Buckeye got their hands on the NSA toolset to the reason behind the continued use of the DoublePulsar backdoor even after the group apparently ceased operations sometime during mid-2017.
Symantec theorizes based on collected evidence and educated guesses (as it almost always happens when it comes to analyzing state-backed threat groups) that the Chinese hackers could have created their “own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack.”
Other less-probable theories postulate that the hacking group obtained “the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye.”