Chinese threat actors “cloned” and used a Windows zero-day exploit stolen from the NSA’s Equation Group for years before the privilege escalation flaw was patched, researchers say.
On Monday, Check Point Research (CPR) said the tool was a “clone” of software developed by the US National Security Agency (NSA)’s Equation Group, identified by Kaspersky in 2015 and described as “one of the most sophisticated cyberattack groups in the world.”
Thought to be active since at least 2001, Equation Group has since been linked to the US intelligence agency’s Tailored Access Operations (TAO) unit.
The Shadow Brokers hacking group released tools and files belonging to Equation Group in 2017, some of which were used to exploit previously-unknown bugs in popular systems including Microsoft Windows — forcing vendors to issue a flurry of emergency patches and fixes to render the exploit tools useless.
In the same year, Microsoft released a patch for CVE-2017-0005, a zero-day vulnerability in Windows XP to Windows 8 operating systems that could be used for privilege escalation and full system compromise.
Originally, it was thought that a tool created to exploit CVE-2017-0005 was the work of a Chinese advanced persistent threat group (APT) dubbed APT31, also known as Zirconium.
However, Check Point now says that the tool, called Jian, was actually a clone of software used by Equation Group and was being actively utilized between 2014 and 2017 — years before the vulnerability was patched — and was not a custom build by the Chinese threat actors.
According to the researchers, Jian is a clone of “EpMe,” which was also included in the 2017 Shadow Brokers “Lost in Translation” leak and was “repurposed” to attack US citizens.
“Both exploit versions for APT31’s “Jian” or Equation Group’s “EpMe” are intended for […] elevating the privileges of the attacker in the local Windows environment,” CPR says. “The tool is used after an attacker gains initial access to a target computer — say, via zero-click vulnerability, phishing email, or any other option — to give the attacker the highest available privileges, so they could “roam free” and do whatever they like on the already infected computer.”
The team notes that Lockheed Martin reported CVE-2017-0005 to Microsoft, which they say is a “rather unusual” footnote in the investigation.
“To our knowledge, this is the only vulnerability they [Lockheed Martin] reported in recent years,” Check Point says. “It is possible that one of their clients, or even Lockheed Martin itself, was targeted by this actor.”
It is believed that APT31 had obtained access to Equation Group’s exploit module — both 32- and 64-bit versions, and while the cybersecurity researchers cannot be sure how the exploit was acquired by the Chinese APT, it may have been captured during an Equation Group attack on a Chinese target. Alternatively, the tool may have been stolen while Equation Group was present on a network also being monitored by APT31 or during a direct attack by APT31 on Equation Group systems.
The investigation into Jian also exposed a module containing four privilege escalation exploits that were part of Equation Group’s DanderSpritz post-exploitation framework.
Two of the exploits in the framework, dating back to 2013, were zero-day flaws. One of the exploits was EpMe, whereas another, dubbed “EpMo,” appears to have been quietly patched in May 2017 by Microsoft as a follow-up fix in response to the Shadow Brokers leak but was not assigned a CVE. The remaining code names are EIEi and ErNi.
This is not the only example of a Chinese APT stealing and repurposing Equation Group tools. In another case documented by Symantec in 2019, APT3 “Buckeye” was linked to attacks using Equation Group tools in 2016, prior to the Shadow Brokers leak.
While Buckeye appeared to dissolve in mid-2017, the tools were used until 2018 — but it is not known whether or not they were passed on, or to whom.
Update 17.55 GMT: A Lockheed Martin spokesperson told ZDNet:
“Our cybersecurity team routinely evaluates third-party software and technologies to identify vulnerabilities and responsibly report them to developers and other interested parties. Leveraging our Intelligence Driven Defense approach, we have responsibly reported more than 100 zero-day vulnerabilities to multiple vendors over the past six years.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0