Chinese hackers were using NSA malware a year before Shadow Brokers leak

Hacker group used a unique version of the DoublePulsar backdoor, not the one released by the Shadow Brokers.
Written by Catalin Cimpanu, Contributor

A Chinese cyber-espionage group had used NSA malware more than a year before the Shadow Brokers leaked the same exploits online, exposing them to the whole world, according to US cyber-security firm Symantec.

The group (tracked by cyber-security vendors under names such as Buckeye, APT3, Gothic Panda, TG-011, and UPS) became notorious after US authorities charged three of its alleged members in late 2017.

The US alleged that the three men worked for a cyber-security company named Boyusec that acted as a front for the Chinese Ministry of State Security, and that they had hacked western companies such as Moody's Analytics, Siemens, and Trimble.

The group was considered advanced among China-based, government-backed APTs (advanced persistent threats), having access to its own custom tools and zero-days.

Buckeye group used DoublePulsar backdoor since 2016

However, in a report released yesterday, Symantec said it had found evidence that the same group also used NSA-developed malware long before that malware became available to anyone.

Per a graphic released by Symantec, the Buckeye group had used a version of the DoublePulsar backdoor since March 2016, more than 13 months before a mysterious group of hackers known as the Shadow Brokers leaked it online in April 2017, as part of a larger cache of NSA hacking tools.

Timeline of Buckeye using DoublePulsar
Image: Symantec

The US security vendor said it did not see the group use other NSA-linked tooling, such as the FuzzBunch framework, which NSA operators normally used to deploy the DoublePulsar backdoor on compromised hosts.

Instead, the Chinese group delivered DoublePulsar with its own exploit tool, which Symantec calls Bemstour.

There is also a twist. Symantec researchers said that the DoublePulsar variant used by Buckeye differed from the one leaked by the Shadow Brokers, suggesting the two copies came from different sources.

"It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware," Symantec said. "It also includes an additional layer of obfuscation."

Group had actively used the NSA malware in attacks

As for how the Chinese hackers used this version of DoublePulsar, it appears they never took advantage of the malware's full capabilities.

Symantec said the Buckeye group "typically used [DoublePulsar] to execute shell commands that created new user accounts." That is a noisy use of a kernel-level implant whose stealth features would have let the attackers run far more operations on a host while leaving fewer traces on disk and in the logs.
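Because the observed use of the implant was to spawn shell commands that add local accounts, that behaviour is also the easiest thing for a defender to catch. The following is an added detection example, not Symantec's or the group's code: it scans constructed Sysmon Event ID 1 style process-creation lines (written for this example, not real telemetry from these intrusions) for `net user ... /add` and `net localgroup ... /add` command lines, and raises the severity when the parent process is `lsass.exe` or `spoolsv.exe`, an assumption about likely injection targets that you should replace with your own environment's baseline.

```python
"""Flag process-creation events whose command line creates a local account
or adds an account to a local group.

Added example: SAMPLE_EVENTS are constructed, Sysmon Event ID 1 style lines
flattened to key=value pairs. They are not telemetry from the Buckeye attacks.
"""
import re
from typing import Dict, List

# Constructed sample telemetry for this example only.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\lsass.exe CommandLine=cmd.exe /c net user svc_backup P@ssw0rd! /add",
    r"Image=C:\Windows\System32\net.exe ParentImage=C:\Windows\System32\lsass.exe CommandLine=net localgroup administrators svc_backup /add",
    r"Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\explorer.exe CommandLine=cmd.exe /c net user",
    r"Image=C:\Windows\System32\net1.exe ParentImage=C:\Windows\System32\services.exe CommandLine=net1 user tmpadm /add",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell.exe -c Get-Process",
]

# Assumption for this example: a shell spawned directly from these system
# processes is far more suspicious than one spawned from an interactive session.
SUSPICIOUS_PARENTS = {"lsass.exe", "spoolsv.exe"}

# key=value pairs; a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# "net user <name> [<password>] /add" via net.exe or net1.exe (case-insensitive).
USER_ADD_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+(?P<name>\S+)(?:\s+\S+)?\s+/add\b", re.I)
# "net localgroup <group> <name> /add". Quoted group names containing spaces
# (e.g. "Remote Desktop Users") are not handled by this simple pattern.
GROUP_ADD_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+localgroup\s+(?P<group>\S+)\s+(?P<name>\S+)\s+/add\b", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value event line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_account_creation(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event whose command line adds a local user or
    group member. Severity is 'high' when the parent is in SUSPICIOUS_PARENTS."""
    findings = []
    for line in events:
        event = parse_event(line)
        cmdline = event.get("CommandLine", "")
        parent = basename(event.get("ParentImage", ""))
        severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"

        user_match = USER_ADD_RE.search(cmdline)
        if user_match:
            findings.append({"kind": "user_add", "target": user_match.group("name"),
                             "group": "", "parent": parent, "severity": severity})
            continue

        group_match = GROUP_ADD_RE.search(cmdline)
        if group_match:
            findings.append({"kind": "localgroup_add", "target": group_match.group("name"),
                             "group": group_match.group("group"), "parent": parent,
                             "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_account_creation(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input this yields three findings: the `svc_backup` creation and its addition to `administrators` (both high, parent `lsass.exe`) and the `tmpadm` creation (medium, parent `services.exe`); the bare `net user` listing and the PowerShell line are ignored. In production you would feed it real Sysmon or 4688 events and tune the parent list against your own baseline.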

The group used DoublePulsar in only a handful of attacks, suggesting it trusted the backdoor less than its own tools. Symantec reported seeing this version of DoublePulsar in attacks against organizations in Belgium, Luxembourg, Vietnam, Hong Kong, and the Philippines, usually for information theft.

Buckeye attacks (timeline graphic; column alignment partly lost in extraction)
Dates: March 2016, September 2016, April 2017 (Shadow Brokers leak), June 2017, June 2017, August 2017
Targets: Hong Kong, Belgium, Luxembourg, Philippines, Vietnam
Backdoors: Backdoor.Pirpi, Backdoor.Filensfer, Unknown
Exploit tool: Bemstour Exploit Tool (V1), Bemstour Exploit Tool (V2), then after the leak V1, V1 & V2, and V2
Payload: DoublePulsar, or DoublePulsar (32-bit) / custom payload only (64-bit)
Image: Symantec

The Buckeye group stopped using its version of the DoublePulsar backdoor in mid-2017, after other leaked NSA tools (such as the EternalBlue exploit) had gained international notoriety through some of the world's biggest cyber-incidents, the WannaCry and NotPetya outbreaks.

This was likely because, by that point, most cyber-security vendors could detect DoublePulsar infections, and the group's version of the backdoor had become ineffective.

How did the Chinese get access to NSA malware?

The biggest mystery remains how a Chinese hacker group got its hands on the DoublePulsar backdoor.

The theory that both Symantec and most of the infosec community favor is that the Buckeye group found the backdoor deployed by the NSA on Chinese systems and simply repurposed it for its own attacks.

This would explain why the DoublePulsar version used by the Chinese hackers differed from the one the Shadow Brokers leaked a year later, which most likely came from a different source.
