Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak

A Chinese threat actor known as APT31 likely acquired and cloned one of the Equation Group’s exploits three years before the targeted vulnerability was publicly exposed as part of Shadow Brokers’ “Lost in Translation” leak, cybersecurity firm Check Point says in a new report.

Tracked as CVE-2017-0005, the vulnerability was addressed by Microsoft in March 2017, after Lockheed Martin’s Computer Incident Response Team observed a possible attack against an American target and reported it to the Redmond-based tech giant.

Attributed to APT31, a Chinese hacking group also tracked as Zirconium, the exploit for this vulnerability is, in fact, the clone of an Equation Group exploit code-named “EpMe,” Check Point says.

Exploitation tools that the Equation Group had been using for years were made public in early 2017 by a mysterious group calling themselves Shadow Brokers. The Equation Group has been linked to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA).

The Shadow Brokers, which some believe was backed by Russia, claimed at the time to have obtained the tools after an intrusion into Equation Group’s systems. They released several series of exploits for free, but also attempted to monetize the data.

In March 2017, Microsoft patched CVE-2017-0005, a Windows local privilege escalation (LPE) vulnerability that had been actively exploited by a Chinese threat actor. Called Jian and attributed to APT31, the exploit for this vulnerability is now believed to be the clone of an Equation Group exploit that targeted the same security hole.

Dated 2013, the original exploit is codenamed EpMe, and is one of the 4 different LPE exploits (ElEi, ErNi, EpMe, and EpMo) in the Equation Group’s DanderSpritz attack framework that was publicly disclosed in April 2017. These exploits, however, did not receive the same coverage as Eternal Blue (ETBL), Eternal Romance (ETRO), and other tools leaked by Shadow Brokers.

A dive into the DanderSpritz attack framework revealed that two of the targeted vulnerabilities are old (ElEi was targeting CVE-2011-3402, while ErNi aimed at CVE-2013-3128), that one of them has no CVE identifier, despite being patched in March 2017 (EpMo), and that the fourth had been cloned by APT31 approximately three years before patching (EpMe targeted CVE-2017-0005).

Check Point’s security researchers discovered that, following the release of a patch for CVE-2017-0005, both the EpMe and the Jian exploits stopped working. While having two adversaries targeting the same security bug could be a coincidence, a comparison between the two exploits revealed code similarities, shared constants, and a completely identical memory layout.

Further analysis has revealed that the exploits contain artefacts specific to the Equation Group tools, suggesting that EpMe was the original exploit for CVE-2017-0005, Check Point says. APT31 was apparently able to capture the exploit and clone it in 2014 (Jian), and started using it roughly the same year, until the 2017 patch was released.

“To our surprise, we found out that this APT31 exploit is in fact a reconstructed version of an Equation Group exploit called ‘EpMe’. This means that an Equation Group exploit was eventually used by a Chinese-affiliated group, probably against American targets,” Check Point notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
