Posted on February 28, 2021 at 7:03 PM
Chinese hackers have been discovered cloning a Windows zero-day exploit they stole from the NSA’s Equation Group and using it to attack Americans.
Researchers at CheckPoint Research (CPR) revealed that the hijacked tool was a “clone” of software developed by the US National Security Agency (NSA). Kaspersky’s security team discovered the Equation Group back in 2015 and noted that it was one of the most sophisticated cybercriminal groups in the world at the time.
The vulnerability was initially discovered by the incident response team of Lockheed Martin before it was later detailed by Microsoft in 2017, according to Check Point.
The hacking tool was a cloned software from the Equation Group
The Equation Group is believed to have been active since 2001 and has been linked to the Tailored Access Operations (TAO) unit, a US cyber intelligence agency.
The Shadow Brokers hacking syndicate leaked hacking files and tools developed by the Equation Group in 2017. Some of the tools exploited previously unknown vulnerabilities in several systems, such as Microsoft Windows. As a result, the vendors issued emergency updates and patches to render the exploit tools useless.
Later in 2017, Microsoft released a patch for CVE-2017-0005, a zero-day vulnerability affecting Windows XP through Windows 8, which could be used for privilege escalation.
Initially, researchers thought that the exploit was developed by the Chinese APT31 advanced persistent threat group called Zirconium.
But CheckPoint researchers found out that the tool, named Jian, was in fact a cloned software from the Equation Group used from 2014 to 2017.
The tool had been cloned and was in use even before a patch for the vulnerability was released.
Tools used for elevating the attacker’s privileges
Both the Equation Group’s “EpMe” and APT31’s Jian are primarily used for elevating the attacker’s privileges in the local Windows environment. The tool is used after the threat actor has gained a foothold on a target computer, for example through a phishing email or a zero-click vulnerability.
With these privileges, they can “roam free” and carry out any exploitation activity they choose. Lockheed Martin had already reported the CVE-2017-0005 vulnerability to Microsoft, but the tech giant said the vulnerability was an unusual bug within its server.
The company said the vulnerability is the only one to have been reported in recent years. Check Point added that the actors may have targeted Lockheed Martin itself or one of their clients.
However, Check Point now says that the tool, called Jian, was actually a clone of software used by Equation Group and was being actively utilized between 2014 and 2017 — years before the vulnerability was patched — and was not a custom build by the Chinese threat actors.
The Jian hacking tool was a “replica” of EpMe, the Windows hacking tool linked to the Equation Group.
Hackers may have acquired exploit from a Chinese target
The researchers also said APT31 had accessed the exploit module of the Equation Group, including the 64-bit and 32-bit versions.
It is not clear how the Chinese APT gained access to the exploit, but some evidence suggests it may have been acquired during an Equation Group attack on a Chinese target.
Another scenario is the hackers may have stolen the exploit while the Equation Group was active on a network observed by APT31.
The investigation also revealed a module containing four privilege escalation exploits connected to DanderSpritz, the Equation Group’s post-exploitation framework.
The research also showed that two of the four exploits were zero-days. Microsoft patched one of the flaws, named EpMo, the same year while responding to the Shadow Brokers leak. The other zero-day vulnerability was the more critical EpMe vulnerability. The remaining two exploits, ErNi and ElEi, are relatively unknown in the cybersecurity space.
This is not the first time that a Chinese APT group has been linked with the theft and repurposing of Equation Group tools. In 2019, the “Buckeye” group, APT3, was connected to attacks using Equation Group tools before the Shadow Brokers leak.
Although Buckeye disappeared in 2017, its tools were still seen in the wild. It is not clear which hacking group inherited the tools or where they have been applied.