Chinese threat actors “cloned” and used a Windows zero-day exploit stolen from the NSA’s Equation Group for years before the privilege escalation flaw was patched, researchers say.
On August 13, 2016, a hacking unit calling itself “The Shadow Brokers” announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated with the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA).
The Jian tool was used to exploit a Windows zero-day vulnerability years before a patch was issued.
On Monday, Check Point Research (CPR) said the tool was a “clone” of software developed by the US National Security Agency (NSA)’s Equation Group, identified by FireEye in 2015 and described as “one of the most sophisticated cyber-attack groups in the world.”
The previously undocumented theft took place more than two years before the Shadow Brokers episode, the American-Israeli cybersecurity company said in an exhaustive report published today. As a result, U.S.-developed cyber tools reached the hands of a Chinese advanced persistent threat, which then repurposed them to attack U.S. targets.
Thought to be active since at least 2001, Equation Group has since been linked to the US intelligence agency’s Tailored Access Operations (TAO) unit.
The Shadow Brokers hacking group released Equation Group tools and files in 2017, some of which were used to exploit previously unknown bugs in popular software, including Microsoft Windows, forcing vendors to issue patches and hotfixes that rendered the exploits useless.
In the same year, Microsoft patched CVE-2017-0005, a zero-day vulnerability affecting Windows XP through Windows 8 that could be used for privilege escalation and full system compromise.
Initially, the tool designed to exploit CVE-2017-0005 was thought to be the work of a Chinese advanced persistent threat (APT) group called APT31, also known as Zirconium.
However, Check Point now claims that the tool, dubbed Jian, was actually a clone of software used by Equation Group, was actively used between 2014 and 2017, years before the vulnerability was patched, and was repurposed by Chinese threat actors.
According to the researchers, Jian is a clone of “EpMe,” an exploit that was exposed in the 2017 Shadow Brokers “Lost in Translation” leak, and was repurposed and “re-released” to attack US citizens.
“Both APT31’s ‘Jian’ and Equation Group’s ‘EpMe’ exploits are designed to elevate the attacker’s privileges in the local Windows environment,” said CPR.
The tool is used after the attacker has already gained initial access to the targeted computer, whether by a malicious link click, a phishing email, or some other means, in order to grant the attacker the highest privileges available, so they can “roam free” and do whatever they want on an already compromised machine.
The team notes that Lockheed Martin reported CVE-2017-0005 to Microsoft, which they describe as an “unusual” footnote to the investigation.
“As far as we know, this is the only vulnerability they [Lockheed Martin] have reported in recent years,” Check Point said. “It is possible that one of their clients, or Lockheed Martin itself, has been targeted by this actor.”
APT31 is believed to have had access to the Equation Group exploitation module in both its 32-bit and 64-bit versions. While the researchers are not sure how the Chinese APT obtained the exploit, it may have been captured during an Equation Group attack on a Chinese target.
Alternatively, the tool may have been stolen while Equation Group was operating on a network that APT31 was also monitoring, or during a direct attack by APT31 on Equation Group infrastructure.
The investigation into Jian also revealed a module containing four privilege escalation exploits that was part of the Equation Group’s DanderSpritz post-exploitation framework.
Two of the exploits, dating back to 2013, were zero-days at the time. One of these is EpMe; the other, dubbed “EpMo,” appears to have been silently patched by Microsoft in May 2017 as a follow-up to the Shadow Brokers leak, with no CVE assigned. The remaining two are code-named ElEi and ErNi.
This is not the only example of a Chinese APT stealing and repurposing Equation Group tools. In a report published by Symantec in 2019, APT3 “Buckeye” was linked to an attack that used Equation Group tools in 2016, before the Shadow Brokers leak.
While Buckeye appears to have gone dark in mid-2017, the tools remained in use until 2018, but it is unknown whether they were passed on to another party.