Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

How a Chinese Nation-State Group Reverse-Engineered NSA Attack Tools

New Symantec research shows how the Buckeye group captured an exploit and backdoor used by the National Security Agency and deployed them on other victims.

A Chinese hacking group obtained access to an exploit and backdoor used by US intelligence - not by stealing the code, but apparently just by being a vigilant defender when it was attacked by them, new research published today found.

Researchers from security firm Symantec revealed evidence that a state-sponsored group they call Buckeye used an exploit in 2016 for a previously unknown vulnerability that was later leaked in April 2017. The exploit and a backdoor used by Buckeye were both part of the Equation Group toolset leaked by the Shadow Brokers, an unidentified hacking group. 

The report indicates that Chinese operatives reverse-engineered an attack by the Equation Group and began using the tools to attack others. Symantec by policy does not provide attribution for hacking groups, but other industry experts long have said Equation Group is the National Security Agency (NSA).

Buckeye's study and development of the Equation Group tools is not actually surprising, says Eric Chien, technical director at Symantec, because security companies regularly do the same: learning attacker techniques to inform defense.

"The whole security industry publishes information every day on information gathered from attacks," he says. "People should have already realized that … if you are conducting some cyber-offensive operation, those things could come back against you."

The incident illustrates a major issue for military and security professionals considering the lessons of cyber warfare: Attacks essentially teach the victims how to attack. The timeline discovered by Symantec indicates that the Buckeye attack group had access to the exploit and backdoor for at least a year before the tools were leaked by Shadow Brokers.

The ability to reverse-engineer an attack and begin using the code is often just referred to as "reversing" or "re-rolling." 

"If you look at the actual versions, what it looks like is that … the Shadow Brokers likely stole the tools" at some earlier time, and "then, the Equation Group continued to modify them and used them against Buckeye, who takes them and re-rolls the tools themselves," says Chien. 

The tools released by the Shadow Brokers were from some earlier time, he says. "If you look at the version that the Shadow Brokers had, they have less features than ultimately what Buckeye recovered from the Equation Group," Chien says.

Half 'Eternal'

The exploit used in the Buckeye attacks is one half of the EternalRomance and EternalSynergy exploit tools, information on which was leaked by the Shadow Brokers. Both tools consisted of a remote exploit paired with an information disclosure exploit. While the remote exploit was the same, the information disclosure exploit differed, Chien says. 

Symantec discovered a custom tool that used the remote exploit from EternalSynergy and EternalRomance paired with a previous unknown information-disclosure exploit that Symantec reported to Microsoft in September 2018.

"Once we found that in 2018, we looked back to see when it was used and discovered the traceback," Chien says.

In addition, the Buckeye group also began using a variant of the Equation Group's DoublePulsar. 

Buckeye, also known as APT3, is a group linked to Chinese intelligence, three members of which the United States charged with hacking in 2018, while the Equation Group activities are linked to the National Security Agency

The Shadow Brokers started leaking data and hacking tools used by the National Security Agency starting in August 2016

This is not the first time that Symantec has discovered previously undetected links between zero-day exploits and malware. Since 2008, Symantec has analyzed the exploits used in malware and during compromises. In a paper released in 2012, Symantec found that seven of 18 zero-day attacks had gone unnoticed during the previous three years.

Chien confirmed that the descendent of that research system had been used to also detect the latest connection between the Buckeye group's malware and the Equation Group's exploits.

"That's it," he says. "That's exactly it."

Less Likely Scenarios

Other theories could explain the fact that the same tools are being used by two different nation-state groups, but none of them fit the data to the extent of Symantec's preferred scenario. 

For example, if Chinese intelligence also ran the Shadow Brokers, that could explain why both Buckeye and the Shadow Brokers had access to the exploit and the backdoor. However, the theory would not explain why the iterative improvement of the Buckeye group's version of the tools and the mismatch between those tools and what was eventually leaked by the Shadow Brokers.

"The tools that they—the Shadow Brokers—leaked are different versions than what Buckeye recovered," Chien says. "For that to be plausible, what would have happen is that the Shadow Brokers would have to have be holding more tools than they leaked, and we don't have any evidence of that." 

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27652
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27653
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27654
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
CVE-2020-27655
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVE-2020-27656
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.