Chinese Hackers Used NSA Tool a Year Before Shadow Brokers Leak
Over a year before the mysterious hacking group Shadow Brokers leaked DoublePulsar, an NSA-linked hacking tool, Chinese state-backed cyber espionage group Buckeye (aka APT3, UPS Team, Gothic Panda, and TG-0110), was already using the tool in a campaign targeting Hong Kong, new research by Symantec shows.
The Shadow Brokers caused quite a stir in the intelligence community when it announced an auction for what it claimed were ‘cyber weapons’ made by the NSA in August of 2016. The group had obtained the hacking tools by attacking the Equation Group, an NSA-linked hacking group. In the months that followed the Shadow Brokers released a great variety of tools including DoublePulsar, which was leaked in April of 2017. However, Symantec researchers now claim that Buckeye was already using DoublePulsar as early as March of 2016. Furthermore, the Chinese hackers used a newer version of DoublePulsar than the one released by the Shadow Brokers. Buckeye is believed to have seized operations in mid-2017, but some of its trademark tools, including the updated DoublePulsar version, have been used in much more recent attacks.
Symantec researchers suggest that “[b]ased on the timing of the attacks and the features of the tools and how they are constructed, one possibility is that Buckeye may have engineered its own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack. Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye.”