Application Security , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Report: Chinese Hackers First to Use NSA Cyberattack Tools

Symantec Report Deepens Mystery Around Lost NSA Tools and Exploits
Report: Chinese Hackers First to Use NSA Cyberattack Tools
The Hall of Supreme Harmony within the Forbidden City in Beijing (Photo: Denny Jarvis via Flickr/CC)

A Chinese hacking group was using exploits and attack tools developed by the U.S. National Security Agency a few months before another group released the tools, Symantec says in a new report.

See Also: OnDemand: 2024 Google Cloud Partner of the Year - Application and Infrastructure Security

The surprising report deepens the mystery around an extraordinary situation in which some of the U.S.'s most effective cyber weapons fell into the wrong hands. The repercussions, including the devastating WannaCry ransomware attack in May 2017, continue to play out today.

It also raises questions about the Vulnerabilities Equities Process, a U.S. government program that discloses software vulnerabilities to vendors so they can be patched.

Unpatched vulnerabilities help U.S. cyber spies infiltrate other systems. But failing to notify the vendors of those problems means it's possible other countries or cybercriminals will discover and exploit them.

The situation outlined by Symantec raises questions about software flaws that are tightly held by the U.S. or so-called NOBUS flaws, which stands for "nobody but U.S.", writes Jake Williams, a former operator with the National Security Agency's Tailored Access Operations unit and founder of Rendition Infosec, a security consultancy in Atlanta.

"This completely kills the NOBUS argument and raises some serious questions about the Vulnerability Equities Process (VEP)," Williams writes on Twitter.

Buckeye, aka APT3 and Gothic Panda

Symantec calls the Chinese hacking group Buckeye; it's also known as APT3 and Gothic Panda. Some cybersecurity companies, including Crowdstrike and Recorded Future, believe that APT3 works with China's intelligence agency, known as the Ministry of State Security.

Symantec has been tracking attacks linked to Buckeye in Belgium, Luxembourg, Hong Kong, Vietnam and the Philippines, including against telecommunication companies and science and technology.

As is customary, Symantec doesn't mention China in its report. The leaked exploits and tools came from the Equation Group, Symantec says. The Equation Group, discovered by Kaspersky, is strongly believed to be the NSA's offensive cyber operations unit, which used to be known as Tailored Access Operations.

It is unclear how Buckeye obtained the tools, but Symantec has two theories. Buckeye "may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack," Symantec says.

Another less likely scenario is that Buckeye gained access to a poorly secured server used by the Equation Group, or that someone with the Equation Group leaked the tools.

But Buckeye's use of the tools and exploits predates their release by the Shadow Brokers. In August 2016, the Shadow Brokers released samples of exploits and software implants it claimed came from the Equation Group.

Security experts concluded that the tools were legitimate and likely came from a highly sophisticated group. It was theorized that perhaps a disgruntled NSA employee or contractor was the Shadow Brokers, or maybe the tool dump was a bold, provocative prank by Russia. So far, no one has been charged.

Buckeye began using a variant of the DoublePulsar backdoor in March 2016, Symantec says. The backdoor was delivered to victims using an exploit tool called Bemstour. Bemstour used two zero-day vulnerabilities for Windows, CVE-2019-0703, and CVE-2017-0143.

This chart shows attack tools Buckeye deployed, by region. (Source: Symantec)

Bemstour continues to be developed. In fact, Symantec says it analyzed a sample that was compiled on March 23.

"The purpose of all the attacks was to acquire a persistent presence on the victim's network, meaning information theft was the most likely motive of the attacks," Symantec writes.

Buckeye also used two exploit tools known as EternalRomance and EternalSynergy, both of which were also released by the Shadow Brokers.

Tools Still in Use

Symantec says Buckeye appeared to stop its attacks around mid-2017. A few months later, in November 2017, three Chinese men believed to be part of the group were charged with breaking into U.S. companies, including Siemens, Moody's Analytics and Trimble.

The U.S. has no extradition agreement with China, so the men have not been arrested. The men worked for Bo Yu Information Technology Company Ltd., or Boyusec for short, which was based in Guangzhou. Boyusec was believed to have been connected with APT3 and Gothic Panda (see: Chinese Cybersecurity Workers Hacked Firms, US Charges).

Even though Buckeye's activity ceased, there are still risks. Another group began using the tools through the end of last year, Symantec says.

There's often vigorous debate over when the U.S. should disclose software flaws that give the U.S. an intelligence advantage. A more prompt notification process may have allowed Microsoft to patch the Server Message Block vulnerability (CVE-2017-0144) sooner, which may have given organizations more time to protect themselves from WannaCry. Microsoft patched the SMB vulnerability weeks before WannaCry was unleashed in May 2017.

But there's risk in developing exploits for vulnerabilities in the first place, argues Robert M. Lee, founder and CEO of Dragos, which specializes in securing industrial control systems. If those exploits are deployed, it may be possible for adversaries to reverse engineer or discover them.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.