Between August 2016 and April 2017, a mysterious group calling itself the Shadow Brokers released several dumps of tools attributed to the NSA-linked Equation Group, which is considered to be one of the most technically adept espionage groups. The exposed data contained a significant amount of code, including the DoublePulsar backdoor, the FuzzBunch framework, and the EternalSynergy, EternalRomance, and EternalBlue exploit tools. Many threat actors and malware authors were quick to grab the opportunity and add the tools to their arsenals. For instance, the EternalBlue exploit was used in the devastating May 2017 WannaCry ransomware outbreak.
However, Symantec’s research suggests that the Chinese-linked group known as Buckeye, APT3, UPS Team, Gothic Panda, and TG-0110 was using the same NSA-linked tools at least a year before they were publicly leaked. According to the report, in March 2016 the group began using a variant of the DoublePulsar backdoor designed to stealthily collect information and run malicious code on a target’s machine. DoublePulsar was delivered to victims with the help of a custom tool, Trojan.Bemstour, that was specifically designed to install DoublePulsar.
The Bemstour trojan allowed the attackers to achieve remote kernel code execution on targeted computers by using two Windows bugs: CVE-2019-0703 (a zero-day vulnerability at the time) and CVE-2017-0143. The first is an information leak vulnerability that could be exploited in conjunction with other bugs to achieve remote code execution; the second is an RCE flaw in the SMBv1 server that allows remote attackers to execute arbitrary code via crafted packets. CVE-2019-0703 was patched in March 2019, and CVE-2017-0143 was addressed in March 2017.
Buckeye used the tools in attacks that targeted telecommunications companies, firms dedicated to scientific research, and education institutions from March 2016 to the middle of 2017, according to Symantec. The attacks targeted organizations in Belgium, Hong Kong, Luxembourg, the Philippines, and Vietnam.
“How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown”, noted the researchers.
Buckeye had been active since at least 2009, but it appears that the group ceased its operations in mid-2017. In late November 2017, the US government formally accused three Chinese nationals of attacks launched by the hacker group against Siemens, Trimble, and Moody’s Analytics. However, despite finding no evidence of further activity by the group, Symantec found that development of Bemstour continued into 2019. The most recent sample of Bemstour seen by the researchers appears to have been compiled on March 23, 2019, eleven days after the zero-day vulnerability was patched by Microsoft. It is unclear who continued to use the tools in 2018 and 2019. The researchers do not exclude the possibility that Buckeye passed on some of its tools to an associated group.