Earlier this year, cybersecurity firm Symantec published an interesting report detailing the use of Equation group exploitation tools by an alleged Chinese group called Buckeye (a.k.a APT3, or UPS team). The Equation group is suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). The same tools have been leaked online in 2017 by the group named Shadow Brokers, but, according to Symantec, APT3 has been using these tools long before they were posted online. At the time the researchers acknowledged that they can not say for sure how exactly the Chinese hackers have obtained the NSA-linked software, but it seems that cybersecurity outfit Check Point has its own theory.

According to a new report, it appears that the APT3 has acquired the tool by analyzing network traffic on a system that was potentially targeted by the NSA. The experts theorize that APT3 recreated its own version of an Equation group exploit using captured network traffic and incorporated it in its own arsenal.

“If network traffic was indeed used by the group as a reference, the traffic was likely collected from a machine controlled by APT3. This means either a Chinese machine that was targeted by the NSA and monitored by the group, or a machine compromised by the group beforehand on which foreign activity was noticed. We believe the former is more likely, and in that case could be made possible by capturing lateral movement within a victim network targeted by the Equation group,” reads the analysis.

Apparently, the group have taken the tool it found, which appeared to be the NSA-linked tool EternalRomance, an exploit that targets older versions of Windows, and modernized it further to allow it to target more Windows versions “similar to what was done in a parallel Equation group exploit named EternalSynergy. ” Check Point named the bundle of exploits UPSynergy, since it combines two different exploits to expand the support to newer operating systems.

Further analysis revealed the underlying SMB packets used throughout the tool execution were crafted manually by the developers, rather than with the help of third party libraries. As the researchers pointed out, a lot of these packets were assigned with hardcoded and seemingly arbitrary data, as well as the existence of other unique hardcoded SMB artifacts, suggesting that “the developers were trying to recreate the exploit based on previously recorded traffic”.

The UPSynergy tool appears to be aimed at the same vulnerability EternalRomance exploited (CVE-2017-0145). SMB vulnerabilities are part of EternalRomance’s exploit. The Chinese hackers then combined it with an “information leak” (CVE-2019-0703) zero-day exploit to target newer operating systems.

“It’s not always clear how threat actors achieve their exploitation tools, and it’s commonly assumed that actors can conduct their own research and development or get it from a third party. In this case we have evidence to show that a third (but less common) scenario took place – one where attack artifacts of a rival (i.e. Equation group) were used as the basis and inspiration for establishing in-house offensive capabilities by APT3,” concluded the researchers.

A more detailed technical analysis of tools used by the group, as well as Indicators of Compromise (IoCs), is available in Check Point report here.