According to reports by security firm Symantec, the US National Security Agency (NSA) had already lost hacking tools to a state-sponsored hacker group in 2016. The software comes from the arsenal of the NSA hacking unit Equation Group. It is said to have been used since 2016 by the Advanced Persistent Threat (APT) Buckeye, which is attributed to the Chinese Ministry of State Security, against targets in Europe and Asia. In 2017 similar tools were released by the hacker group The Shadow Brokers.
Buckeye is said to have used the NSA backdoor Doublepulsar against targets in Hong Kong, Belgium, Luxembourg, Vietnam and the Philippines. According to the report, there is no evidence that the US itself was attacked with its own intelligence tools. Symantec suspects that the attackers believed the US had either developed protective measures against its in-house tools or simply did not want to be discovered.
The Doublepulsar version used by Buckeye differed from the version published in April by The Shadow Brokers: it supported newer versions of Windows and had additional obfuscation features, Symantec writes in its report. According to Symantec, the changes could well have come from the malware’s NSA authors.
China and the NSA tools
How Buckeye, which is also known as Gothic Panda, Threat Group-0110 or simply APT3, obtained the NSA tools before the leak by The Shadow Brokers is unknown. Symantec speculates that Buckeye may have rebuilt the software from traces left behind by an NSA attack. But the tools could also simply have come from a poorly secured Equation Group server or have been lost during an attack.
Attributing hacker attacks, especially to APTs, is a complex undertaking. Symantec assumes that it is the Chinese APT because of the combination of the NSA backdoor Doublepulsar with Buckeye’s typical malware such as Pirpi. Since Buckeye was exposed by the US in 2017, Symantec has observed no further activity from the hacker group, but the NSA malware has continued to be used. Symantec speculates that Buckeye has passed the tools on to another group in China or may be continuing to operate with new tools.
However, the case can also be seen as further evidence of how complex attributing attacks is: if attackers use tools stolen from other APTs, or spy on other hackers and adopt their programs and attack techniques, attribution becomes more difficult. It is usually based on clues such as the tools used, the timestamps in the software, the attackers’ actions or the agenda of the respective country.