Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

How a Chinese Nation-State Group Reverse-Engineered NSA Attack Tools

New Symantec research shows how the Buckeye group captured an exploit and backdoor used by the National Security Agency and deployed them on other victims.

A Chinese hacking group obtained access to an exploit and backdoor used by US intelligence - not by stealing the code, but apparently just by being a vigilant defender when it was attacked by them, new research published today found.

Researchers from security firm Symantec revealed evidence that a state-sponsored group they call Buckeye used an exploit in 2016 for a previously unknown vulnerability that was later leaked in April 2017. The exploit and a backdoor used by Buckeye were both part of the Equation Group toolset leaked by the Shadow Brokers, an unidentified hacking group. 

The report indicates that Chinese operatives reverse-engineered an attack by the Equation Group and began using the tools to attack others. Symantec by policy does not provide attribution for hacking groups, but other industry experts long have said Equation Group is the National Security Agency (NSA).

Buckeye's study and development of the Equation Group tools is not actually surprising, says Eric Chien, technical director at Symantec, because security companies regularly do the same: learning attacker techniques to inform defense.

"The whole security industry publishes information every day on information gathered from attacks," he says. "People should have already realized that … if you are conducting some cyber-offensive operation, those things could come back against you."

The incident illustrates a major issue for military and security professionals considering the lessons of cyber warfare: Attacks essentially teach the victims how to attack. The timeline discovered by Symantec indicates that the Buckeye attack group had access to the exploit and backdoor for at least a year before the tools were leaked by Shadow Brokers.

The ability to reverse-engineer an attack and begin using the code is often just referred to as "reversing" or "re-rolling." 

"If you look at the actual versions, what it looks like is that … the Shadow Brokers likely stole the tools" at some earlier time, and "then, the Equation Group continued to modify them and used them against Buckeye, who takes them and re-rolls the tools themselves," says Chien. 

The tools released by the Shadow Brokers were from some earlier time, he says. "If you look at the version that the Shadow Brokers had, they have less features than ultimately what Buckeye recovered from the Equation Group," Chien says.

Half 'Eternal'

The exploit used in the Buckeye attacks is one half of the EternalRomance and EternalSynergy exploit tools, information on which was leaked by the Shadow Brokers. Both tools consisted of a remote exploit paired with an information disclosure exploit. While the remote exploit was the same, the information disclosure exploit differed, Chien says. 

Symantec discovered a custom tool that used the remote exploit from EternalSynergy and EternalRomance paired with a previous unknown information-disclosure exploit that Symantec reported to Microsoft in September 2018.

"Once we found that in 2018, we looked back to see when it was used and discovered the traceback," Chien says.

In addition, the Buckeye group also began using a variant of the Equation Group's DoublePulsar. 

Buckeye, also known as APT3, is a group linked to Chinese intelligence, three members of which the United States charged with hacking in 2018, while the Equation Group activities are linked to the National Security Agency

The Shadow Brokers started leaking data and hacking tools used by the National Security Agency starting in August 2016

This is not the first time that Symantec has discovered previously undetected links between zero-day exploits and malware. Since 2008, Symantec has analyzed the exploits used in malware and during compromises. In a paper released in 2012, Symantec found that seven of 18 zero-day attacks had gone unnoticed during the previous three years.

Chien confirmed that the descendent of that research system had been used to also detect the latest connection between the Buckeye group's malware and the Equation Group's exploits.

"That's it," he says. "That's exactly it."

Less Likely Scenarios

Other theories could explain the fact that the same tools are being used by two different nation-state groups, but none of them fit the data to the extent of Symantec's preferred scenario. 

For example, if Chinese intelligence also ran the Shadow Brokers, that could explain why both Buckeye and the Shadow Brokers had access to the exploit and the backdoor. However, the theory would not explain why the iterative improvement of the Buckeye group's version of the tools and the mismatch between those tools and what was eventually leaked by the Shadow Brokers.

"The tools that they—the Shadow Brokers—leaked are different versions than what Buckeye recovered," Chien says. "For that to be plausible, what would have happen is that the Shadow Brokers would have to have be holding more tools than they leaked, and we don't have any evidence of that." 

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...