It’s the enemies you don’t see coming who are the most dangerous.
The mysterious Shadow Brokers cyber crime crew, which taunted the National Security Agency (NSA) after stealing and then dumping online some of its most guarded hacking secrets in 2017, isn’t the U.S. spy agency’s worst nemesis, Symantec security researchers said in a new report. That honor actually belongs to the now dormant, state-backed Chinese Ministry of State Security contract hackers, which Symantec refers to as Buckeye (aka APT3, Gothic Panda).
A year before that leak, the Chinese (Buckeye) cyber spies recovered hacking tools the NSA had used in a 2016 attack on their own systems and reverse engineered the code to hit targets in Europe and Asia, Symantec said, including sites in Belgium, Luxembourg, Hong Kong, Vietnam and the Philippines. Favorite industries included telecom, science, IT and education. It was intellectual property they wanted, the report said. Buckeye dates back to 2009, when it began a string of espionage attacks, mainly against organizations based in the U.S. Based on the timing of the attacks and clues in the computer code, Symantec’s researchers concluded that the Chinese hackers didn’t steal the code but instead lifted it from an NSA attack on their own computers.
Symantec Research Findings
Researchers with Symantec’s security investigation team said Buckeye began using a backdoor called DoublePulsar as early as March 2016. It was among a number of exploit tools subsequently released by the Shadow Brokers gang in 2017. Buckeye, however, had been using some of the leaked tools a year earlier. There’s no evidence that the two hacking groups have ever been linked, Symantec said.
There are a number of unanswered questions about how Buckeye obtained NSA hacking tools before the Shadow Brokers leak. One version is that Buckeye “engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an attack,” Symantec suggested. Or perhaps Buckeye obtained the tools by infiltrating a poorly secured Equation Group server.
Either way, according to Symantec some of the tools the Shadow Brokers subsequently leaked publicly belonged to the Equation Group, tied to the Tailored Access Operations unit of the NSA. In other words, Buckeye turned the tables on the NSA. One of the tools, referred to as EternalBlue, launched the destructive WannaCry ransomware attack that disabled organizations worldwide a year ago.
At one point, the Shadow Brokers offered a subscription service to monthly data dumps of the agency’s hacker tools and began selling the code to Russian and North Korean antagonists, who subsequently used the code in the Maersk shipping cyber attack, the Merck infection and an assault against Ukraine’s critical infrastructure. A number of those tools originated with the Buckeye group.
“We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies,” Eric Chien, a Symantec security director, told the New York Times. He suggested the new normal is to assume your code will be reworked and used against you by those you’ve targeted. “The whole security industry publishes information every day on information gathered from attacks,” Chien told Dark Reading. “People should have already realized that … if you are conducting some cyber-offensive operation, those things could come back against you.”
In the wider view, the Buckeye and Shadow Broker leaks raise concerns over whether U.S. intelligence can maintain “some of the world’s most high-tech, stealthy cyberweapons if it is unable to keep them under lock and key,” the New York Times report said.