Chinese Hackers Hijacked NSA-Linked Hacking Tool: Report

china hack APT41

APT31, a Chinese-affiliated threat group, copied a Microsoft Windows exploit previously used by the Equation Group, said researchers.

New research has found evidence that a Chinese-affiliated threat group (APT31) has hijacked a hacking tool previously used by the Equation Group (which has been tied to the U.S. National Security Agency, or NSA).

The tool in question, dubbed “Jian,” is used to exploit a local privilege-escalation (LPE) flaw in Windows, known as CVE-2017-0005. The exploit was previously discovered and linked to APT31. However, new research by Check Point Research, released Monday, found that APT31 had actually stolen – and copied – the exploit from the Equation Group.

In another twist, researchers say the exploit was in use by APT31 in 2014, years before the ShadowBrokers leak in 2017, which leaked a cache of exploits that belonged to the Equation Group.

Download the podcast here or listen to the episode below.

“Although we don’t show any conclusive evidence that there is there any connection between China and the ShadowBrokers, we do show conclusive evidence that this Chinese group had in their possession a tool that was made by Equation Group, and not only that they had this tool, but they also repurposed it and used it, probably to attack many targets, including American targets,” Yaniv Balmas, head of cyber research with Check Point Software, said.

Balmas, along with Oded Vanunu, the head of products vulnerability research with Check Point Software, talk on this week’s Threatpost podcast about the new discoveries around the NSA-linked exploit tools, as well as the implications of the SolarWinds supply-chain hack.

Below is a lightly-edited transcript of the podcast.

Lindsey Welch: Welcome to the Threatpost podcast. This is Lindsey Welch with Threatpost. I’m joined today by Yaniv Balmas, the head of cyber research with Check Point Software and Oded Vanunu, the head of products vulnerability research with Check Point Software. Thank you both for joining me today just as Check Point kicks off its CPX 360 Americas conference. Exciting times.

Yaniv Balmas: Nice to be here.

Oded Vanunu: Hey.

LW: Right, well, just to start today Check Point released new research doing a deep dive into how APT31, which is a Chinese-affiliated attack group, cloned and actively used a cyber offensive tool code from the Equation Group. Just to start, can you talk about kind of the biggest takeaways from this research and really give some context into what these big takeaways were.

YB: Right so, I think everyone remembers the case with the ShadowBrokers. And their famous leak that happened around 2017. Leading to WannaCry, and many other attacks that actually we still see today. And that used some of the Equation Group’s famous exploits like EternalBlue. And from many perspectives, even me personally, before we started this research, this was the end of the story. So you know, it was a mysterious group. They wanted to sell some tools online, they didn’t manage to sell them, they leaked them. And what happened is what happened, Microsoft patched everything, case closed, story over. But what we show today shows or maybe sheds a different light on this on this story.

Timeline of the events detailing the story of Jian. Credit: Check Point Research

And although we don’t show any conclusive evidence that you know, there is there any connection between China and the Shadow Brokers, however, we do show conclusive evidence that this Chinese group had in their possession, a tool that was made by Equation Group, and not only that they had this tool, but they also repurposed it and used it, probably to attack many targets, including American targets. Because one of the reported incidents was reported to Microsoft by Lockheed Martin’s Incident Response Team.

So we can’t say for sure if Lockheed Martin themselves were the target or not. But I guess this suggests that this group was targeting some American targets at least, I think it’s a pretty interesting development in this story, and it shows how cyber tools can be – sometimes they can be a good thing, sometimes they can be a double-edged sword – which is basically what [exploit tool] “Jian” is, it is a Chinese double-edged sword.

APT31 Stealing Equation Group Exploit Tools

LW: Yeah, that’s really interesting. And just out of curiosity, how do you hypothesize that these Equation Group exploit samples could have been acquired by APT31? I know you talk a little bit about it in your research.

YB: Yeah, so that’s a point that we don’t have any evidence for. However, there are several assumptions. And some of them we can rule out, based on our research. And some still remain open. So the ones that remain open, and the ones that we think are most probable are: One, it is possible, for example, that the Equation Group attacked some Chinese target. And this Chinese target was controlled by this Chinese group. For example, they had an incident response team, they managed to find the bridge, get ahold of the tools, and they took them and reverse engineered them, and repurposed them. So that’s one scenario.

Another possible scenario is that this Chinese group hacked into the Equation Group –  I think it’s less probable, but still, it is a possibility. Another scenario might be that Equation Group used distant servers, so third-party servers, in order to conduct their attacks and maybe those servers were controlled by the Chinese as well.

Also, the last scenario that I can say – this is something that history shows us that actually happens – is that this scenario can happen when both of these groups attack the same target. So they both attack the same target, they are both present on the same target. And once the Equation Group tries to use something on this target, the Chinese group immediately sees that, captures the tools, and you know the story from there.

CVE-2017-0005: Local Privilege Escalation Windows Flaw

LW: Right, right. And just for context, can you tell us a little bit about the tool itself, as being an exploit for the Windows LPE flaw, CVE-2017-0005? Can you talk a little bit just about how that exploit was being deployed? And are these two clone samples the exact same? Do they work or operate differently or were they being deployed differently at all?

YB: Right, so yeah, as you mentioned, that exploit itself is exploiting LPE, which means local privilege escalation. This kind of exploit or vulnerability is usually used as a second stage in an attack. So the common scenario is that you attack some targets, and you get a foothold in it. However, you still don’t have enough permissions, you can’t really do whatever you want on this target. And in order to do that, you need a second exploit. And this is an LPE exploit that you need. So they are very commonly used within offensive operations. So that’s a bit about the nature of the vulnerability itself. Regarding the exploitation and the tools that we see, they are actually pretty interesting, because the Equation Group tool that – by the way, it was leaked as part of the official ShadowBroker leak, so we can see it – it’s actually part of a bigger infrastructure that was made by the Equation Group. This infrastructure is referred to as DanderSpritz. That’s the name, they gave it. By the way, one of the things that we found interesting is that this specific vulnerability wasn’t actually talked about a lot in the research community. It seems like it was forgotten probably because it was so big, that probably some pieces of it still remain, you know, unanalyzed. So that was interesting to see. By the way, it shows that it’s always good to revisit all the leaks and all the vulnerabilities. And as I mentioned, the exploit was part of this module. So it actually contains parts that are not directly related to the vulnerability itself, they’re kind of part of this big framework.

And that’s interesting, because the Chinese tool that we got is using; first of all, it’s exploiting exactly the same vulnerability. And what we see is that the Chinese exploit is different. It’s kind of a Chinese copy of this exploit. Why do I say that? Because it contains a lot of things that were part of this framework, of the DanderSpritz framework. The Chinese group used it as a standalone tool. So it’s actually very conclusive evidence that this tool was actually copied from this American tool. So it’s pretty interesting to see that.

I think the American tool seems to be much more mature, much more elegant in the way it’s written. And the Chinese tool is really more of a copy of that. When you look at it, it seems like, they didn’t know exactly what they were doing. And they were afraid to change some things. And we didn’t know if they are related or not related. So it’s much more fragile. It looks much less elegant. But I think the bottom line is the most important thing is that it works. And it works really well.

Solar Winds Supply-Chain Attack: How it Will Change the Cybersecurity Landscape

LW: Right, right. Well, that’s this is really interesting research and I know too also during CPX, that you will be discussing Sunburst, which is, you know, the malware installed on SolarWinds’ Orion product line and the SolarWinds supply chain attack, and really how that is influencing supply-chain attacks in the future and kind of what’s to come there. So can you either of you talk a little bit more about Sunburst and SolarWinds and really what you’ve seen there from your perspective?

OV: Yes, of course. So as I started to discuss it, me and Yaniv had a lot of discussion about Sunburst – and we both define it as one of the biggest events in the cybersecurity industry ever, and I think that this is just the tip of the iceberg. With this attack, the entire industry learned a lot and I think that a lot of things will be changed in the way of how we protect things, and how we trust third parties. This is something that will change a lot of the concept.

Microsoft SolarWinds cyberattack victim breakdown. Credit: Microsoft

So, basically, a supply-chain attack is an attack that you choose a target and this target, you find it as secure and hard to attack. And then when you have this kind of condition, you are looking for what we call a supply-chain attack, and you find someone that provides services – in our case, it can be a software services – and this target is less secure and an easier way to access your target.

And supply-chain attacks are not something new, we saw that on Target and NotPetya that were active in the last few years. And but in the case of SolarWinds, it seems that the attack or the initiation of the attack was to achieve what we call high-volume vendors. And we know that SolarWinds customers or most of their customers are Fortune 500 companies and just to think that FireEye was the one that identify the SolarWinds attack after like, almost nine months, after there was like a some kind of code change in SolarWind’s code repository. It just gives us the sense of the size of this attack, and how much we don’t know about this attack.

LW:Yeah, definitely. It is such a massive hack. I mean, I’m curious, either Oded or Yuniv what your thoughts are, on what implications this has, either for companies, Oded you mentioned Fortune 500 companies being affected by this. Obviously government agencies in the U.S., security vendors — How do you see the implications of this running as we kind of look to the future?

The Future of Supply-Chain Attacks

YB: You know, first of all, as Oded said before, I think this is one of the most dramatic and biggest advance that I think both of us ever saw, and we’ve been in this field for the past, I don’t know, 20 years, something like that.

So it’s really something very dramatic. And in the amount of targets that they were able to get into is simply astonishing. And I think we still don’t know the full path and what it means. And I think we’ll slowly find it out during the next few months or a few years.

For me, personally, what I find most disturbing is that, you know, this thing was kind of caught by mistake, I think you can you can you can clearly say that. I mean, it could have easily gone under the radar if FireEye wouldn’t have caught it on their networks, if they wouldn’t have done so, we wouldn’t be having this talk and, you know, think about it, all of this would have happened without anyone knowing about it. And I think for me, that’s the most scary thing about this thing, how many of these attacks go on unnoticed.

OV: Just to emphasize, Yaniv, what you said, which is like, so dramatic; in this case FireEye, the trigger for their investigation was that they saw a second phone number registered for one of their employees. That was like the trigger, that was the abnormality that was like breaking and from this point, that was the beginning of investigating Sunburst, just because they saw that there is another phone number registered for their employees, because this is a violation, a policy violation that other employees have only one phone connected for their second factor authentication. And it’s, the scale and the sophistication, it’s dramatic on all levels.

SolarWinds: How to Mitigate Against Future Attacks

LW: Right. And with such small clues like that, and such this high level of sophistication, what can companies do in the future to try to prevent something like this from happening again, or amping up their detection methods? Or, you know, what really can we do to prevent another SolarWinds from happening?

YB: It’s a really hard question, to answer. And I think it’s something that most organizations around the world are still debating and thinking about, and trying to understand. If you have SolarWinds installed, if you don’t have SolarWinds installed, I think everyone should consider himself as being the target of this and look under every rock in your network. In fact, think about, what will they do next time? How would I be able to detect it? How would I be able to prevent it? There are so many ways and so many possibilities. I don’t think it’s fair to ask anyone, to give any conclusive solution for this, in such a short time, I think we need more time to understand I think we need to be more aware of this, I think we need to strengthen our defenses. I think we need to prepare the right procedures for this. And I see it in Check Point, I see it in other places as well, I think we’re going this way. And I think at the end of the day… the security community, and the world will get out of it stronger and better and more secure.

OV: And in my perspective, to continue what Yaniv said. So in general, organizations when they define security of their assets, they’re usually defined what is like critical business and what is less critical business. And the subjects of supply chain was something that was raised in the last few years. But the specific subject of software update supply chain was something that was like, in the side, it was still a trusted domain, it was still a place. That organizations didn’t do dramatic security change in terms of like they were more trusting their software vendors with their updates. I think that starting from Sunburst scares, this agenda, this lookout is going to change. It means that you will not trust software updates anymore, and there should be more security consideration on these phases in my opinion.

LW: Right, well, I will be very curious to see how things change in the future. And those are those are really good points. So Yuniv, Oded, thank you so much for joining me today on the Threatpost podcast to discuss Check Point’s new research, as well as your perspectives on the SolarWinds supply-chain attack.

OV, YB: Thank you very much.

LW: To all of our listeners. Thank you for tuning in to the Threatpost podcast this week.

Want more in-depth security interviews and infosec insights? Check out our podcast microsite, where we go beyond the headlines on the latest news.

Suggested articles