How a Chinese Nation-State Group Reverse-Engineered NSA Attack Tools

New Symantec research shows how the Buckeye group captured an exploit and backdoor used by the National Security Agency and deployed them on other victims.

Dark Reading logo in a gray background | Dark Reading

A Chinese hacking group obtained access to an exploit and backdoor used by US intelligence - not by stealing the code, but apparently just by being a vigilant defender when it was attacked by them, new research published today found.

Researchers from security firm Symantec revealed evidence that a state-sponsored group they call Buckeye used an exploit in 2016 for a previously unknown vulnerability that was later leaked in April 2017. The exploit and a backdoor used by Buckeye were both part of the Equation Group toolset leaked by the Shadow Brokers, an unidentified hacking group. 

The report indicates that Chinese operatives reverse-engineered an attack by the Equation Group and began using the tools to attack others. Symantec by policy does not provide attribution for hacking groups, but other industry experts long have said Equation Group is the National Security Agency (NSA).

Buckeye's study and development of the Equation Group tools is not actually surprising, says Eric Chien, technical director at Symantec, because security companies regularly do the same: learning attacker techniques to inform defense.

"The whole security industry publishes information every day on information gathered from attacks," he says. "People should have already realized that … if you are conducting some cyber-offensive operation, those things could come back against you."

The incident illustrates a major issue for military and security professionals considering the lessons of cyber warfare: Attacks essentially teach the victims how to attack. The timeline discovered by Symantec indicates that the Buckeye attack group had access to the exploit and backdoor for at least a year before the tools were leaked by Shadow Brokers.

The ability to reverse-engineer an attack and begin using the code is often just referred to as "reversing" or "re-rolling." 

"If you look at the actual versions, what it looks like is that … the Shadow Brokers likely stole the tools" at some earlier time, and "then, the Equation Group continued to modify them and used them against Buckeye, who takes them and re-rolls the tools themselves," says Chien. 

The tools released by the Shadow Brokers were from some earlier time, he says. "If you look at the version that the Shadow Brokers had, they have less features than ultimately what Buckeye recovered from the Equation Group," Chien says.

Half 'Eternal'

The exploit used in the Buckeye attacks is one half of the EternalRomance and EternalSynergy exploit tools, information on which was leaked by the Shadow Brokers. Both tools consisted of a remote exploit paired with an information disclosure exploit. While the remote exploit was the same, the information disclosure exploit differed, Chien says. 

Symantec discovered a custom tool that used the remote exploit from EternalSynergy and EternalRomance paired with a previous unknown information-disclosure exploit that Symantec reported to Microsoft in September 2018.

"Once we found that in 2018, we looked back to see when it was used and discovered the traceback," Chien says.

In addition, the Buckeye group also began using a variant of the Equation Group's DoublePulsar. 

Buckeye, also known as APT3, is a group linked to Chinese intelligence, three members of which the United States charged with hacking in 2018, while the Equation Group activities are linked to the National Security Agency

The Shadow Brokers started leaking data and hacking tools used by the National Security Agency starting in August 2016

This is not the first time that Symantec has discovered previously undetected links between zero-day exploits and malware. Since 2008, Symantec has analyzed the exploits used in malware and during compromises. In a paper released in 2012, Symantec found that seven of 18 zero-day attacks had gone unnoticed during the previous three years.

Chien confirmed that the descendent of that research system had been used to also detect the latest connection between the Buckeye group's malware and the Equation Group's exploits.

"That's it," he says. "That's exactly it."

Less Likely Scenarios

Other theories could explain the fact that the same tools are being used by two different nation-state groups, but none of them fit the data to the extent of Symantec's preferred scenario. 

For example, if Chinese intelligence also ran the Shadow Brokers, that could explain why both Buckeye and the Shadow Brokers had access to the exploit and the backdoor. However, the theory would not explain why the iterative improvement of the Buckeye group's version of the tools and the mismatch between those tools and what was eventually leaked by the Shadow Brokers.

"The tools that they—the Shadow Brokers—leaked are different versions than what Buckeye recovered," Chien says. "For that to be plausible, what would have happen is that the Shadow Brokers would have to have be holding more tools than they leaked, and we don't have any evidence of that." 

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights