A Chinese group of hackers managed to get hold of cyber weapons from the U.S. National Security Agency’s arsenal of digital weapons and were using them as far back as 2016.
Researchers at American cybersecurity giant Symantec claimed in a report released Tuesday that a group dubbed Buckeye had used a pair of tools called “Bemstour” and “DoublePulsar,” which exploited weaknesses in Microsoft Windows, back in March 2016. Symantec didn’t name Buckeye as a Chinese espionage unit, but U.S. government and private industry have previously tied the group to China’s intelligence apparatus.
A year later, a group calling itself the Shadow Brokers started releasing versions of tools from a cyber-espionage operator called the Equation Group, which was swiftly revealed to be the NSA. The identity and provenance of the Shadow Brokers remain a mystery.
The researchers were unable to say just how Buckeye stole from the NSA a year before the public Shadow Brokers leak. It could be that the hackers witnessed an NSA attack on a network and put the “artefacts” left on infected computers back together to re-create the American intelligence agency’s tools. “Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye,” Symantec wrote.
The Chinese embassy hadn’t responded to a request for comment at the time of publication.
Orla Cox, Symantec’s director of security response, said the revelations should act as a warning for intelligence agencies that freely using digital tools could backfire. “Anyone—from individuals, organizations, or nation-states—offensively using tools such as backdoors, vulnerabilities or exploits should consider there is no guarantee your tools won’t be leaked and used against you,” she told Forbes.
Where’d Buckeye go?
Buckeye disappeared from view in 2017, and not long after that, the U.S. indicted three members of the group, claiming they’d hacked into three companies—Moody’s Analytics, Trimble and Siemens—to steal troves of sensitive data and trade secrets.
Buckeye’s first known use of its stolen NSA tools occurred on March 31, 2016, when an attack was launched in Hong Kong. Later that day, the group used the same cyber weapon on an educational institution in Belgium. Over the next year, further hacks were launched in Luxembourg, the Philippines and Vietnam.
Though researchers haven’t detected any recent Buckeye activity, the pilfered digital tools were used until at least September 2018, Symantec said, although it’s unclear by whom. And development of Bemstour—the malware that installed the DoublePulsar backdoor on Windows computers—has continued up to March 2019. That could suggest the weapons were passed on to another Chinese unit.
Cox told Forbes there was no obvious collaboration between Buckeye and the Shadow Brokers. Buckeye only had access to a limited number of the Equation Group tools that were later dumped online by the Shadow Brokers. For instance, Buckeye hadn’t used software called FuzzBunch, which was used to manage DoublePulsar and Bemstour. “It seems unlikely that Shadow Brokers would give them DoublePulsar and not give them FuzzBunch,” Cox added.
Buckeye was one of the more prolific Chinese cyber units up until 2017. Cox noted it was active since at least 2009, “when it began mounting a string of espionage attacks, mainly against organizations based in the U.S.”
Another Chinese government-linked unit, APT10, eclipsed Buckeye in recent months after the U.S. alleged in December 2018 that the group had raided at least 45 tech companies and government bodies.
Relations between the Chinese and the Americans remain tense. The war over Huawei rumbles on, with the company facing charges in the U.S. of stealing trade secrets from a rival telecoms company. And this weekend, President Trump threatened China with more tariffs on Chinese goods entering the country.