[BreachExchange] Researchers: Chinese APT group used stolen NSA tools prior to Shadow Brokers leak

Destry Winant destry at riskbasedsecurity.com
Thu May 9 08:31:25 EDT 2019


https://www.scmagazine.com/home/security-news/researchers-chinese-apt-group-used-stolen-nsa-tools-prior-to-shadow-brokers-leak/

Some of the U.S. government-linked exploit tools that were published
online by the Shadow Brokers hacking group in 2016 and 2017 were
actually employed by Chinese actors well before that infamous leak
occurred, researchers say.

In a blog post yesterday, Symantec reported that its threat research
team discovered evidence that cyber espionage actor APT3, aka Gothic
Panda or Buckeye, had been using “Equation Group” hacking tools –
widely attributed to the National Security Agency – since at least
March 2016, several months prior to the Shadow Brokers’ first leak.

One of these tools was a backdoor named DoublePulsar that injects a
secondary payload into memory, fully compromising the infected
machine. But APT3’s version of DoublePulsar was actually a different
variant than the one that was publicly leaked. This suggests that the
Buckeye actors “may have engineered its own version of the tools from
artifacts found in captured network traffic, possibly from observing
an Equation Group attack,” the blog post theorizes.

While Symantec didn’t entirely rule out the possibility that APT3
stole the tools from an Equation Group/NSA server, or that a rogue NSA
employee supplied the tools to the Chinese actors, the evidence doesn’t
support these theories as strongly.

APT3 delivered DoublePulsar to its victims via a custom exploit tool
called Bemstour, which exploited two Windows vulnerabilities together
in order to achieve remote code execution. One of these
vulnerabilities, CVE-2017-0143, is a message type confusion error that
was also abused by two leaked Equation Group exploit tools,
EternalRomance and EternalSynergy. Microsoft patched this flaw shortly
after the Shadow Brokers incident.

The second flaw, CVE-2019-0703, actually remained an undiscovered
zero-day until Symantec uncovered it last year. The Windows SMB server
information disclosure vulnerability was reported in September 2018
and subsequently patched by Microsoft in March 2019.

Bemstour itself would typically be delivered by one of two Buckeye
backdoors known as Pipri and Filensfer. Symantec traced Buckeye’s
first known use of Bemstour to a March 31, 2016 attack on a target in
Hong Kong. A second attack against a Belgian educational institution
followed one hour later. Bemstour has undergone a series of evolutions
since then. The most recent sample viewed by Symantec was apparently
compiled on March 23, 2019, 11 days after CVE-2019-0703 was patched by
Microsoft.

“The purpose of all the attacks was to acquire a persistent presence
on the victim’s network, meaning information theft was the most likely
motive behind the activity,” Symantec asserts.

There remains a lingering mystery that Symantec’s research hasn’t yet
answered: Buckeye was thought to have dissolved by mid-2017, and yet
the Bemstour exploit tool and DoublePulsar variant used by Buckeye
continued to be used until at least September 2018. “It may suggest
that Buckeye retooled following its exposure in 2017, abandoning all
tools publicly associated with the group,” Symantec explains.
“However, aside from the continued use of the tools, Symantec has
found no other evidence suggesting Buckeye has retooled. Another
possibility is that Buckeye passed on some of its tools to an
associated group.”
