In a recent media unfolding about an investigation, it was declared that a Chinese hacker group was able to get hold of NSA hacking tools. It has been speculated that the hackers got hold of the tools due to support and sponsorship from Chinese intelligence.

The speculation is based on the past incident wherein the Chinese intelligence was engaged in using some of the zero-day exploits linked to the NSA’s Equation Group which was leaked by the mysterious Shadow Brokers group.

As per an investigative report published by cybersecurity firm Symantec, it is pretty evident that Chinese-linked group known as Buckeye, used the NSA-linked hacking tools in 2016. The activity was caught by Shadow Brokers and was later dumped online in 2017.

Buckeye is assumed to be formed in 2009 and is now known with various names such as APT3, Gothic Panda, UPS Team, and TG-0110. It holds the reputation of making major espionage attacks, mainly against defense and critical organizations in the United States.

Although Symantec refrained from directly naming China in its report for the deed, expert researchers has found that previously attributed [1,2] Buckeye hacking group to an information security company known as Boyusec which has long been working for  Chinese Ministry of State Security.

The latest investigation further provides first evidence proving how Chinese state-sponsored hackers managed to acquire some of the hacking tools, including EternalRomanceEternalSynergy, and DoublePulsar and used them before being exposed by Shadow Brokers whose alignment still remains unidentified.

As per the findings of the researchers the Chinese hackers, Buckeye used its custom exploit tool known as Bemstour to deliver a variant of DoublePulsar backdoor implant for secretly collecting information and run malicious code on the targeted computers.

Findings suggest that Benstour was designed to exploit two then-zero-day vulnerabilities (CVE-2019-0703 and CVE-2017-0143) in Windows to achieve remote kernel code execution on targeted computers. After finding the vulnerability in March 2017, Microsoft addressed the CVE-2017-0143.

Researchers also detected BuckEye’s hackers who were using a combination of the SMB exploit and the DoublePulsar backdoor to target telecommunications companies, scientific research and education institutions in Hong Kong, Luxembourg, Belgium, the Philippines, and Vietnam from March 2016 to August 2017.

Symantec identified that there’s a possibility that Buckeye may have captured the code from an NSA attack on their own computers and then reverse-engineered the malware to develop its own version of the tools.

It says:

ÔÇťOther less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye,” 

After the leaking of tools online, Buckeye apparently has ceased its operations as its three members were indicted in the United States in November 2017. But still there were reports that suggest Bemstour and DoublePulsar tools used by Buckeye continued to be used until late 2018 with various other malware.

The exposed tools were later reported to be used by North Korean hackers and Russian intelligence though connection is reflected with the former Chinese hacking group.