Feb 22 2021

NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Category: APT,Cyber Espionage,Cybercrime,HackingDISC @ 10:51 am

The Chinese APT group had access to an NSA Equation Group, NSA hacking tool and used it years before it was leaked online by Shadow Brokers group.

Check Point Research teamĀ discovered that China-linkedĀ APT31Ā group (akaĀ Zirconium.) used a tool dubbed Jian, which is a clone ofĀ NSA Equation GroupĀ ā€˜s ā€œEpMeā€ hacking tool years before it was leaked online by Shadow Brokers hackers.

In 2015, Kaspersky first spotted the NSA Equation Group, it revealed it was operating since at least 2001 and targeted almost any industry with  sophisticated zero-day malware.

The arsenal of the hacking crew included sophisticated tools that requested a significant effort in terms of development, Kaspersky speculated the Equation Group has also interacted with operators behind Stuxnet and Flame malware. 

Based on the evidence collected on the various cyber espionage campaigns over the years, Kaspersky experts hypothesize that the National Security Agency (NSA) is linked to the Equation Group.

Jian used the same Windows zero-day exploit that was stolen from the NSA Equation Group ā€˜s arsenal for years before it was addressed by the IT giant. 

In 2017, the Shadow Brokers hacking group released a collection of hacking tools allegedly stolen from the US NSA, most of them exploited zero-day flaws in popular software.

One of these zero-day flaws, tracked asĀ CVE-2017-0005, was a privileged escalation issue that affected Windows XP to Windows 8 operating systems,

ā€œIn this blog we show that CVE-2017-0005, a Windows Local-Privilege-Escalation (LPE) vulnerability that was attributed to aĀ Chinese APT, was replicated based on anĀ Equation GroupĀ exploit for the same vulnerability that the APT was able to access.ā€ reads theĀ analysisĀ published by CheckPoint. ā€œā€œEpMeā€, the Equation Group exploit for CVE-2017-0005, is one of 4 different LPE exploits included in the DanderSpritz attack framework. EpMe dates back to at least 2013 ā€“ four years before APT31 was caught exploiting this vulnerability in the wild.ā€

Source: NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Tags: Chinese hackers, NSA Equation Group tool, Spy war, Tiger trap