This article is more than 1 year old

Remember those stolen 'NSA exploits' leaked online by the Shadow Brokers? The Chinese had them a year before

Or so claims Symantec

Months before top-tier hacking tools, likely built by the NSA, were leaked to the public by a group calling itself the Shadow Brokers, the exploit code was apparently being used by Chinese state hackers to infiltrate systems.

This is according to Symantec, whose researchers this week said that an operation known as Buckeye was spotted in 2016 using tools from Equation Group, the probably-NSA hacking team that had its code swiped and dumped online a year later in a series of high-profile disclosures.

That China was able to get its hands on the code a year before the public release would suggest that the Equation Group tools were known about and stolen significantly earlier than first thought.

Specifically, the Beijing-backed Buckeye crew was using an exploit tool called Bemstour to infect targets with a backdoor called Double Pulsar. The kit targeted then-unknown vulnerabilities in Windows to open the backdoor and allow hackers to access and monitor their targets.

The malware was used by the hackers to get and maintain access to targets in Hong Kong and Belgium. The package was later modified and used in separate attacks on machines in Vietnam and the Philippines.

"How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown," Symantec says in its write-up.

"Buckeye disappeared in mid-2017 and three alleged members of the group were indicted in the U.S. in November 2017. However, while activity involving known Buckeye tools ceased in mid-2017, the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018 in conjunction with different malware."

While Symantec could not say exactly how China had been able to get its hands on the US government's attack tools, one possible explanation is that they spotted the code being used to attack their systems and simply tweaked the malware payload to their own ends.


Here are another 45,000 reasons to patch Windows systems against old NSA exploits


"Based on the timing of the attacks and the features of the tools and how they are constructed, one possibility is that Buckeye may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack," Symantec explained.

Such a scenario was outlined last year at the RSA conference in San Francisco, when researchers Kenneth Geer and Kārlis Podiņš showed how a government could reverse engineer and weaponize attack tools used against them with relative ease simply by swapping out key components (such as the targeted files or malware payload) with their own tools.

The key takeaway from that talk was "You don't launch a cyber weapon, you share it," a statement that may perfectly sum up this week's findings from Symantec. ®

More about


Send us news

Other stories you might like