How a Chinese Nation-State Group Reverse-Engineered NSA Attack Tools

New Symantec research shows how the Buckeye group captured an exploit and backdoor used by the National Security Agency and deployed them on other victims.

A Chinese hacking group obtained access to an exploit and backdoor used by US intelligence - not by stealing the code, but apparently just by being a vigilant defender when it was attacked

by them, new research published today found.
Researchers from security firm Symantec revealed evidence that a state-sponsored group they call Buckeye used an exploit in 2016 for a previously unknown vulnerability that was later leaked in April 2017. The exploit and a backdoor used by Buckeye were both part of the Equation Group toolset leaked by the Shadow Brokers, an unidentified hacking group.
The report
indicates that Chinese operatives reverse-engineered an attack by the Equation Group and began using the tools to attack others. Symantec by policy does not provide attribution for hacking groups, but other industry experts long have said Equation Group is the National Security Agency (NSA).
Buckeyes study and development of the Equation Group tools is not actually surprising, says Eric Chien, technical director at Symantec, because security companies regularly do the same: learning attacker techniques to inform defense.
The whole security industry publishes information every day on information gathered from attacks, he says. People should have already realized that … if you are conducting some cyber-offensive operation, those things could come back against you.
The incident illustrates a major issue for military and security professionals considering the lessons of cyber warfare: Attacks essentially teach the victims how to attack. The timeline discovered by Symantec indicates that the Buckeye attack group had access to the exploit and backdoor for at least a year before the tools were leaked by Shadow Brokers.
The ability to reverse-engineer an attack and begin using the code is often just referred to as reversing or re-rolling.
If you look at the actual versions, what it looks like is that … the Shadow Brokers likely stole the tools at some earlier time, and then, the Equation Group continued to modify them and used them against Buckeye, who takes them and re-rolls the tools themselves, says Chien.
The tools released by the Shadow Brokers were from some earlier time, he says. If you look at the version that the Shadow Brokers had, they have less features than ultimately what Buckeye recovered from the Equation Group, Chien says.
Half Eternal
The exploit used in the Buckeye attacks is one half of the EternalRomance and EternalSynergy exploit tools, information on which was leaked by the Shadow Brokers. Both tools consisted of a remote exploit paired with an information disclosure exploit. While the remote exploit was the same, the information disclosure exploit differed, Chien says.
Symantec discovered a custom tool that used the remote exploit from EternalSynergy and EternalRomance paired with a previous unknown information-disclosure exploit that Symantec reported to Microsoft in September 2018.
Once we found that in 2018, we looked back to see when it was used and discovered the traceback, Chien says.
In addition, the Buckeye group also began using a variant of the Equation Groups DoublePulsar.
Buckeye, also known as APT3, is a group
linked to Chinese intelligence
, three members of which the United States charged with hacking in 2018, while
the Equation Group
activities are
linked to the National Security Agency
.
The Shadow Brokers started leaking data and hacking tools used by the National Security Agency
starting in August 2016
.
This is not the first time that Symantec has discovered previously undetected links between zero-day exploits and malware. Since 2008, Symantec has analyzed the exploits used in malware and during compromises. In a paper released in 2012, Symantec found that
seven of 18 zero-day attacks had gone unnoticed
during the previous three years.
Chien confirmed that the descendent of that research system had been used to also detect the latest connection between the Buckeye groups malware and the Equation Groups exploits.
Thats it, he says. Thats exactly it.
Less Likely Scenarios
Other theories could explain the fact that the same tools are being used by two different nation-state groups, but none of them fit the data to the extent of Symantecs preferred scenario.
For example, if Chinese intelligence also ran the Shadow Brokers, that could explain why both Buckeye and the Shadow Brokers had access to the exploit and the backdoor. However, the theory would not explain why the iterative improvement of the Buckeye groups version of the tools and the mismatch between those tools and what was eventually leaked by the Shadow Brokers.
The tools that they—the Shadow Brokers—leaked are different versions than what Buckeye recovered, Chien says. For that to be plausible, what would have happen is that the Shadow Brokers would have to have be holding more tools than they leaked, and we dont have any evidence of that.
Related Content:
Report: ShadowBrokers Obtained Stolen NSA Info Via Rogue Insider
Nation-State Attackers Steal, Copy Each Others Tools
Strong Connection Between Files Leaked By ShadowBrokers & The Equation Group
APT3 Threat Group a Contractor for Chinese Intelligence Agency
Newly Discovered Master Cyber Espionage Group Trumps Stuxnet

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industrys most knowledgeable IT security experts. Check out the
Interop agenda
here.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
How a Chinese Nation-State Group Reverse-Engineered NSA Attack Tools