At least one APT was using hacking tools purportedly developed by the National Security Agency (NSA) long before the Shadow Brokers released the notorious trove of U.S. cyberweapons, according to new analysis.
Active since 2010, the Buckeye threat group is credited by experts with running Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap, and with largely attacking U.S. entities before an abrupt shift to Hong Kong targets in 2015.
The charges brought by the U.S. government against three APT3 members in November 2017 are what really brought the group into the limelight, with the three Chinese hackers accused of infiltrating the computer systems of Moody’s Analytics, Siemens, and Trimble between 2011 and May 2017.
As revealed by Symantec, the Chinese-backed Buckeye was using NSA hacking tools 13 months before they were leaked in April 2017 by the Shadow Brokers, the hacking group that stole them.
Starting in March 2016, the NSA DoublePulsar backdoor was spotted as part of Buckeye operations, delivered with the help of the Bemstour Trojan, a malware dropper built specifically by the group to carry the NSA malware payload.
Symantec found that the variant used by Buckeye in its attacks was newer than the one leaked by the Shadow Brokers, with an extra layer of complexity that might indicate the Chinese hackers modified it before deploying it on their victims’ systems.
It wouldn’t be the first time DoublePulsar was tweaked for other purposes: in June 2018 it was adapted to target machines running the Windows IoT operating system (formerly known as Windows Embedded).
In addition, the fact that the threat group never used the FuzzBunch framework, which is intended to offer an easy management platform for all the NSA hacking tools, indicates that the Chinese hackers did not gain access to the whole malicious cache leaked by the Shadow Brokers.
Several questions also remain after Symantec’s conclusions, from how Buckeye got its hands on the NSA toolset to the reason behind the continued use of the DoublePulsar backdoor even after the group stopped operations sometime in mid-2017.
Based on collected evidence and educated guesses (as is almost always the case when assessing state-backed threat groups), Symantec hypothesizes that the Chinese hackers could have built their “own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack.”
Other, less probable theories suggest that the hacking group obtained “the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye.”