8 May 2019

Chinese-linked cyberspies used Equation Group tools at least a year before Shadow Brokers leak


Between August 2016 and April 2017, a mysterious group calling itself the Shadow Brokers released several dumps of tools attributed to the NSA-linked Equation Group, which is considered one of the most technically adept espionage groups. The exposed data contained a significant amount of code, including the DoublePulsar backdoor, the FuzzBunch framework, and the EternalSynergy, EternalRomance, and EternalBlue exploit tools. Many threat actors and malware authors were quick to seize the opportunity and add the tools to their arsenals. For instance, the EternalBlue exploit was used in the devastating May 2017 WannaCry ransomware outbreak.

However, Symantec’s research suggests that the Chinese-linked group known as Buckeye, APT3, UPS Team, Gothic Panda, and TG-0110 was using the same NSA-linked tools at least a year before they were publicly leaked. According to the report, in March 2016 the group began using a variant of the DoublePulsar backdoor designed to stealthily collect information and run malicious code on a target’s machine. DoublePulsar was delivered to victims by a custom tool, Trojan.Bemstour, that was specifically designed to install DoublePulsar.

The Bemstour trojan allowed the attackers to achieve remote kernel code execution on targeted computers by exploiting two Windows bugs: CVE-2019-0703 (a zero-day vulnerability at the time) and CVE-2017-0143. The first is an information disclosure vulnerability that could be exploited in conjunction with other bugs to achieve remote code execution; the second is an RCE flaw in the SMBv1 server that allows remote attackers to execute arbitrary code via crafted packets. CVE-2019-0703 was patched in March 2019, and CVE-2017-0143 was addressed in March 2017.

According to Symantec, Buckeye used the tools from March 2016 to mid-2017 in attacks targeting telecommunications companies, scientific research firms and educational institutions. The attacks were aimed at organizations in Belgium, Hong Kong, Luxembourg, the Philippines, and Vietnam.

“How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown”, noted the researchers.

Buckeye had been active since at least 2009, but the group appears to have ceased operations in mid-2017. In late November 2017, the US government formally charged three Chinese nationals over attacks launched by the group against Siemens, Trimble, and Moody’s Analytics. However, although Symantec found no evidence of Buckeye activity after mid-2017, it found that development of Bemstour continued into 2019. The most recent Bemstour sample seen by the researchers appears to have been compiled on March 23, 2019, eleven days after Microsoft patched the zero-day vulnerability. It is unclear who continued to use the tools in 2018 and 2019; the researchers do not exclude the possibility that Buckeye passed some of its tools to an associated group.
