Chinese hackers used the hacking tools of the American intelligence agency to attack American targets

Chinese hackers “cloned” and used hacking tools for years, stealing from the US intelligence agency to attack Windows systems until Microsoft released an update for a previously unknown CVE-2017-0005 vulnerability in Windows.

On August 13, 2016, a hacker group calling itself “Shadow Brokers” announced that it had stolen malware and hacker tools used by the Equation group, which is believed to be affiliated with the US National Security Agency’s Tailored Access Operations (TAO) unit. (NSA).

However, researchers from the US-Israeli cyber security firm Check Point found evidence that this was not an isolated incident, and that the same tools were used by someone else before the Shadow Brokers group stole them from the NSA and published them.

It happened more than two years before the episode with Shadow Brokers, it is stated in report Check Point, and American hacker tools fell into the hands of Chinese hackers who then adapted them to attack American targets.

That is the case, for example 0-day exploit CVE-2017-0005, which Microsoft attributed to the Chinese APT31 group, also known as Zirconium, is in fact a replica of the Equation group’s “EpMe” exploit. “APT31 had access to EpMe files, both 32-bit and 64-bit versions, for more than two years before they were released by Shadow Brokers,” the report said.

The Equation group, as researchers from Kaspersky called it in February 2015, has been linked to a series of attacks involving “tens of thousands of victims”. The group has been operating since 2001, and some of the registered servers it used are from 1996. Kaspersky called the group “the crown creator of cyber espionage.”

Exploit CVE-2017-0005 was first noticed in March 2017, and it is an exploit for a vulnerability in the Win32k component of Windows, which allows you to increase privileges on Windows systems from Windows XP to Windows 8.

Check Point named the cloned version of the exploit, which until this discovery was believed to be the work of the Chinese APT31 group, “Jian” after a double-edged flat sword that has been used in China for centuries. Allegedly, Jian is a replica of the 2014 EpMe exploit that has been used for attacks since at least 2015, until Microsoft discovered the 2017 vulnerability.

Both versions, Jian and EpMe, serve the same purpose – attackers use them to gain initial access to the computer. These tools provide them with the highest available privileges on the system where they can then do “whatever they want”.

Researchers are not sure how Chinese hackers got to the EpMe exploit. It is possible that this happened during the Equation Group attack on a Chinese target or while the Equation Group was present in a network monitored by the APT31 group or during the APT31 attack on Equation Group systems.

APT31 is a state-owned hacker group that allegedly carries out “reconnaissance” attacks on the orders of the Chinese government, and specializes in the theft of intellectual property and collecting data to log in to accounts.

The Shadow Brokers group released more hacking tools in April 2017, the most famous being the EternalBlue exploit which was later used for ransomware infections WannaCry and NotPety which caused tens of billions of dollars in damage in 65 countries.

Source: by

*The article has been translated based on the content of by If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!