Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak

A Chinese threat actor known as APT31 likely acquired and cloned one of the Equation Group’s exploits three years before the targeted vulnerability was publicly exposed as part of Shadow Brokers’ “Lost in Translation” leak, cybersecurity firm Check Point says in a new report.

Tracked as CVE-2017-0005, the vulnerability was addressed by Microsoft in March 2017, after Lockheed Martin’s Computer Incident Response Team observed a possible attack against an American target and reported it to the Redmond-based tech giant.

Attributed to APT31, a Chinese hacking group also tracked as Zirconium, the exploit for this vulnerability is, in fact, the clone of an Equation Group exploit code-named “EpMe,” Check Point says.

Exploitation tools that the Equation Group had been using for years were made public in early 2017 by a mysterious group calling themselves Shadow Brokers. The Equation Group has been linked to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA).

The Shadow Brokers, which some believe was backed by Russia, claimed at the time to have obtained the tools after an intrusion into Equation Group’s systems. They released several series of exploits for free, but also attempted to monetize the data.

In March 2017, Microsoft patched CVE-2017-0005, a Windows local privilege escalation (LPE) vulnerability that had been actively exploited by a Chinese threat actor. Called Jian and attributed to APT31, the exploit for this vulnerability is now believed to be the clone of an Equation Group exploit that targeted the same security hole.

Dated 2013, the original exploit is codenamed EpMe, and is one of the 4 different LPE exploits (ElEi, ErNi, EpMe, and EpMo) in the Equation Group’s DanderSpritz attack framework that was publicly disclosed in April 2017. These exploits, however, did not receive the same coverage as Eternal Blue (ETBL), Eternal Romance (ETRO), and other tools leaked by Shadow Brokers.

A dive into the DanderSpritz attack framework revealed that two of the targeted vulnerabilities are old (ElEi was targeting CVE-2011-3402, while ErNi aimed at CVE-2013-3128), that one of them has no CVE identifier, despite being patched in March 2017 (EpMo), and that the fourth had been cloned by APT31 approximately three years before patching (EpMe targeted CVE-2017-0005).

Check Point’s security researchers discovered that, following the release of a patch for CVE-2017-0005, both the EpMe and the Jian exploits stopped working. While having two adversaries targeting the same security bug could be a coincidence, a comparison between the two exploits revealed code similarities, shared constants, and a completely identical memory layout.

Further analysis has revealed that the exploits contain artefacts specific to the Equation Group tools, suggesting that EpMe was the original exploit for CVE-2017-0005, Check Point says. APT31 was apparently able to capture the exploit and clone it in 2014 (Jian), and started using it roughly the same year, until the 2017 patch was released.

“To our surprise, we found out that this APT31 exploit is in fact a reconstructed version of an Equation Group exploit called ‘EpMe’. This means that an Equation Group exploit was eventually used by a Chinese-affiliated group, probably against American targets,” Check Point notes.

Related: Firewall Vendors Analyze Exploits Leaked by “Shadow Brokers”

Related: Chinese Hackers Used NSA Tool a Year Before Shadow Brokers Leak