In 2017, a group of hackers known as the Shadow Brokers leaked a set of some of the most sophisticated hacking tools developed by the U.S. National Security Agency (NSA); cybersecurity specialists point out that these tools were later used in the NotPetya and WannaCry campaigns, two highly aggressive malware variants that crippled operations at hundreds of companies around the world.
Cybersecurity experts have now reported that two of the hacking tools leaked by the Shadow Brokers had already been used in cyberattacks as early as March 2016, more than a year before the Shadow Brokers published them.
According to the reports, Buckeye, a separate hacking group active since at least 2010, obtained a variant of the NSA-developed "DoublePulsar" backdoor, along with an exploit tool that installs the backdoor remotely. As expected, the finding has triggered a new wave of criticism of the NSA.
Cybersecurity specialists argue that incidents like this should force the NSA to rethink how it manages its exploit code, since it is common practice for NSA staff and developers to privately stockpile exploits and other sensitive tools.
How Buckeye obtained the tools is still unknown. One possibility experts consider is that the group captured the tools during an NSA attack against Buckeye's own infrastructure and reverse-engineered them.
Security features in newer versions of Windows force a threat actor to exploit two different vulnerabilities in order to install the DoublePulsar backdoor. Both the NSA's tools and Buckeye's exploit use CVE-2017-0143, an SMB flaw, to corrupt Windows memory, and chain it with a second flaw that discloses the layout of the target's memory; without that leak the memory corruption cannot be turned into reliable code execution on hardened versions of Windows.
According to experts at the International Institute of Cyber Security (IICS), the first Buckeye attack using the NSA tools was recorded on March 31, 2016, against a target in Hong Kong. After installing the backdoor, the attackers used it to load a secondary payload that preserved their access even if the system restarted and DoublePulsar, which lives only in memory, stopped running.
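Because DoublePulsar runs only in kernel memory and answers over the same SMBv1 port it was delivered through, the practical check for an implanted host is the well-known SMB fingerprint: a Trans2 SESSION_SETUP "ping" gets a reply whose Multiplex ID is 0x51 on an implanted host, whereas a clean Windows SMB1 server echoes 0x41. The script below is an added example written for this page, not code from IICS or from any of the groups discussed; it parses SMB1 response headers and classifies them by that fingerprint. The request/response exchange itself is not reproduced; instead the sample responses are constructed inline (the 0xC0000002 status and the TID/PID/UID values are assumptions chosen only to make the samples look like real replies), so the block runs offline.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80
DOUBLEPULSAR_MID = 0x51  # Multiplex ID echoed by an implanted host to a Trans2 SESSION_SETUP ping
NORMAL_MID = 0x41        # Multiplex ID a clean SMB1 server echoes for the same request


def parse_smb1_header(msg: bytes) -> dict:
    """Parse a NetBIOS-framed SMB1 message and return the header fields we need.

    SMB1 header layout (32 bytes, little-endian):
      0-3 protocol  4 command  5-8 status  9 flags  10-11 flags2  12-13 PIDHigh
      14-21 security features  22-23 reserved  24-25 TID  26-27 PID  28-29 UID  30-31 MID
    """
    if len(msg) < 4 + 32:
        raise ValueError("message too short for NetBIOS + SMB1 header")
    nb_len = int.from_bytes(msg[1:4], "big")  # NetBIOS session service length
    smb = msg[4:4 + nb_len]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    command = smb[4]
    status = struct.unpack("<I", smb[5:9])[0]
    flags = smb[9]
    tid, pid, uid, mid = struct.unpack("<HHHH", smb[24:32])
    return {"command": command, "status": status, "flags": flags,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def classify_trans2_response(msg: bytes) -> str:
    """Classify the reply to a Trans2 SESSION_SETUP ping by its Multiplex ID."""
    hdr = parse_smb1_header(msg)
    if not hdr["flags"] & SMB_FLAGS_REPLY:
        return "not-a-response"
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "not-a-trans2-response"
    if hdr["mid"] == DOUBLEPULSAR_MID:
        return "doublepulsar-implant"
    if hdr["mid"] == NORMAL_MID:
        return "clean"
    return "unknown"


def build_trans2_response(mid: int, status: int = 0xC0000002) -> bytes:
    """Construct a minimal SMB1 Trans2 reply (sample data, not a captured packet).

    The status defaults to STATUS_NOT_IMPLEMENTED; TID/PID/UID are arbitrary
    assumed values. Only the command, reply flag and MID matter for detection.
    """
    header = (SMB_MAGIC
              + bytes([SMB_COM_TRANSACTION2])
              + struct.pack("<I", status)
              + bytes([0x98])                 # flags: reply bit set
              + struct.pack("<H", 0xC807)     # flags2 (typical server values)
              + struct.pack("<H", 0)          # PIDHigh
              + b"\x00" * 8                   # security features
              + b"\x00" * 2                   # reserved
              + struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, mid))
    body = b"\x00" + struct.pack("<H", 0)     # WordCount 0, ByteCount 0
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def find_implanted_hosts(responses: dict) -> list:
    """Given {host: raw reply bytes}, return the hosts whose reply carries the implant MID."""
    return sorted(host for host, raw in responses.items()
                  if classify_trans2_response(raw) == "doublepulsar-implant")


if __name__ == "__main__":
    # Constructed sample replies: one implanted host, one clean host.
    samples = {
        "10.0.0.5": build_trans2_response(DOUBLEPULSAR_MID),
        "10.0.0.6": build_trans2_response(NORMAL_MID),
    }
    for host, raw in samples.items():
        print(host, classify_trans2_response(raw))
    print("implanted:", find_implanted_hosts(samples))
```

Against a live host the same classifier is applied to the reply received after a normal SMB1 negotiate, session setup and tree connect followed by the Trans2 SESSION_SETUP request; the MID check is the part that distinguishes the implant from an ordinary "not implemented" error. A positive result is a strong indicator, but since DoublePulsar does not survive a reboot, an absence on a rebooted host says nothing about whether it was implanted earlier.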