A Symantec blog post this week revealed that China’s “Buckeye” espionage group was using the NSA’s DoublePulsar and EternalBlue tools at least a year before the Shadow Brokers leaked them to the public. Symantec believes Buckeye may have observed and studied the NSA’s tools during an attack the NSA itself launched, and then built its own versions of them.
Buckeye Espionage Operations
According to Symantec, the Buckeye espionage group stole information from telecommunications, R&D and education organizations in Hong Kong, Belgium, Luxembourg and several Asian countries. Buckeye used a variant of DoublePulsar delivered by a custom exploit tool called “Bemstour,” which was built specifically to install DoublePulsar.
Bemstour exploits two Windows vulnerabilities to achieve remote kernel code execution on the victim’s machine. One of them, CVE-2019-0703 (an information disclosure flaw in the Windows SMB server), was a zero-day discovered by Symantec, which reported it to Microsoft in September 2018; Microsoft patched it in March 2019. Eleven days after the patch shipped, Symantec saw yet another Bemstour sample in the wild, so the exploit was still being used against hosts that had not applied the update.
The second vulnerability, CVE-2017-0143, is a Windows SMBv1 flaw that Microsoft patched in March 2017 as part of the MS17-010 update. The Shadow Brokers leak later revealed that two NSA exploit tools, EternalRomance and EternalSynergy, targeted the same vulnerability.
Another security vendor privately told Symantec that Buckeye also used a piece of malware called Filensfer alongside Pirpi, a known backdoor created by the group.
Use Of NSA Tools by Hacking Groups Spreads
According to Symantec, Buckeye’s activity stopped in mid-2017. A few months later, in November 2017, three alleged members of the group were indicted by the U.S. government. Although the group’s own activity ended, the tools it used continued to be deployed by others, in combination with other malware, for at least another year, until September 2018.
The Shadow Brokers leaked the NSA tools in April 2017. Since then, multiple cybercriminal groups have folded them into their toolsets with devastating effect. Symantec believes Buckeye never had access to the full set of NSA exploit tools before the Shadow Brokers made them public.
That another espionage group obtained NSA hacking capabilities simply by watching a live NSA attack is yet another example of why building backdoors for the “good guys” (granting, for the sake of argument, that the NSA represents the good guys here) will never work in practice: sooner or later, attackers of every kind get their hands on the same backdoors and tools.
Thanks to the NSA’s hubris (which Microsoft has also called out), some of the most dangerous cybercriminal groups in the world now have access to top-quality, highly sophisticated hacking tools that could harm millions of people for years to come.