Chinese cybercriminals clone hacking tools created by the NSA

A hacking group sponsored by the Chinese government reportedly managed to copy and use a zero-day exploit for Windows systems originally developed by Equation Group, a specialized hacking team within the National Security Agency (NSA). Cybersecurity specialists describe Equation Group as one of the most sophisticated hacking operations in the world.

Equation Group has been active since the early 21st century and has been linked to many of the most significant government-sponsored hacking incidents. In 2017, the Shadow Brokers hacking group leaked some of the most advanced tools used by Equation Group, many of which had been used to exploit dangerous flaws in Windows and other operating systems, forcing developers to release emergency updates.

An example of this is the release of a patch for CVE-2017-0005, a zero-day flaw in Windows XP exploited with a tool called Jian, which put the entire system at risk. Although it was initially believed that this exploit had been developed by the hacking group known as Zirconium, experts demonstrated that it was a clone of an Equation Group tool that the NSA had used multiple times.

The tool copied by the malicious hackers is EpMe, created by Equation Group to perform privilege escalation attacks on Windows systems: “After a first stage of attack, hackers use Jian or EpMe to obtain administrator privileges on vulnerable devices, completely controlling the victim’s devices,” the experts mention.

While there is no single theory to explain how Chinese hacking groups obtained the tools developed by Equation Group, many experts agree that this could have happened during an NSA campaign against adversary organizations in Asia, or through advanced monitoring campaigns.

Experts added that one of Jian’s modules contains four privilege escalation exploits apparently copied from the DanderSpritz post-exploitation framework, also developed by Equation Group.

This is not the first time a Chinese hacking group has been discovered using tools stolen from Equation Group. In 2019 it was reported that the hacker group known as Buckeye had run advanced malicious campaigns using exploits developed by the NSA, carrying out its attacks from 2016 to 2018 and demonstrating that even U.S. government intelligence agencies can become targets of the world’s most dangerous cybercriminals. To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.