In a shocking revelation, it turns out that a hacking group believed to be sponsored by Chinese intelligence had been using some of the zero-day exploits linked to the NSA’s Equation Group almost a year before the mysterious Shadow Brokers group leaked them.
According to a new report published by cybersecurity firm Symantec, a Chinese-linked group, which it calls Buckeye, was using the NSA-linked hacking tools as far back as March 2016, while the Shadow Brokers dumped some of the tools on the Internet in April 2017.
Active since at least 2009, Buckeye—also known as APT3, Gothic Panda, UPS Team, and TG-0110—is responsible for a large number of espionage attacks, mainly against defence and critical organizations in the United States.
Although Symantec did not explicitly name China in its report, researchers have previously attributed [1,2] the Buckeye hacking group, with a high degree of confidence, to an information security company called Boyusec, which works on behalf of the Chinese Ministry of State Security.
Symantec’s latest discovery provides the first evidence that Chinese state-sponsored hackers managed to acquire some of the hacking tools, including EternalRomance, EternalSynergy, and DoublePulsar, a year before they were dumped by the Shadow Brokers, a mysterious group that is still unidentified.
According to the researchers, the Buckeye group used its custom exploit tool, dubbed Bemstour, to deliver a variant of the DoublePulsar backdoor implant to stealthily collect information and run malicious code on the targeted computers.
The Bemstour tool was designed to exploit two then-zero-day vulnerabilities (CVE-2019-0703 and CVE-2017-0143) in Windows to achieve remote kernel code execution on targeted computers.