Chinese hackers "cloned" and used for years a zero-day exploit of Windows stolen from the NSA Equation Group, researchers say.
On Monday, Check Point Research (CPR) said the Jian tool was a "clone" of software developed by the US National Security Agency (NSA) Equation Group.
The hacking team Shadow Brokers released tools and files belonging to the Equation Group in 2017, some of which were used to exploit bugs on popular systems, including Microsoft Windows - forcing them suppliers to issue an urgent patch and fixes to make the tools useless.
Initially, it was thought that a tool created for the exploit of CVE-2017-0005 was the work of a Chinese advanced APT team called APT31, also known as Zirconium.
However, Check Point now says that the tool, called Jian, was actually a software clone used by Equation Group and was actively used from 2014 to 2017 - years before the vulnerability was fixed - and was not a custom version by the Chinese threatening agents.
According to researchers, Jian is a clone of "EpMe".
The APT31 team is believed to have gained access to the Equation Group exploit module - 32- and 64-bit versions - with researchers unsure of how access was obtained from the Chinese APT.
The Jian search also revealed a module containing four privilege scaling exploits that was part of the Equation Group DanderSpritz framework.
Two of the exploits in the framework, dating back to 2013, were zero-day defects. One of the exploits was EpMe, while another, called "EpMo", seems to have been fixed since May 2017 by Microsoft.
This is not the only example of a Chinese APT stealing and repositioning Equation Group tools. In another case documented by Symantec in 2019, APT3 "Buckeye" was linked to attacks using Equation Group tools in 2016, before the Shadow Brokers leaked.
While Buckeye appeared to be disbanding in mid-2017, the tools were in use until 2018 - but it is not known if they were transferred to another team.
Source of information: zdnet.com