One of the hacking tools published by Shadow Brokers had previously been copied by Chinese hackers years ago.
In 2017, the mysterious group Shadow Brokers released part of the cyber arsenal of the NSA, aka Equation Group. The leak ridiculed the US agency and laid the foundation for a global cyberattack that would do hundreds of millions of dollars in damage: WannaCry.
Now it turns out that a tool from this arsenal had already leaked several years earlier and been recovered by the Chinese hackers of the APT31 group. This is what security researchers at Check Point have just revealed. In March 2017, Microsoft released a fix for an elevation of privilege vulnerability (CVE-2017-0005) that was exploited by malware called "Jian" found in Lockheed Martin networks. This malware has been attributed by Microsoft to the Chinese group APT31, alias Zirconium.
By comparing this malware with EpMe, which was part of the stolen NSA arsenal, Check Point researchers found many similarities. Not only do the two malicious codes exploit the same flaw, they also share certain characteristic elements: they define the same constants and manipulate the memory buffer in the same way. The researchers conclude that one must be a copy of the other. Due to several inconsistencies in the Chinese malware code, Check Point researchers believe the US code to be the original. “Somewhere in 2014, APT31 successfully captured the 32-bit and 64-bit samples of the EpMe Equation Group exploit. They replicated them to build Jian (…)”, they conclude.
How were the Chinese able to get EpMe? Two scenarios are possible: either they recovered a copy during an attack on a Chinese target or on a target controlled by Chinese hackers, or they managed to hack an NSA server. Either way, it's not very glorious for the American agency.
Source: Check Point