China-linked APT3 group developed NSA-style hacking tools by observing their network traffic

Chinese state-linked hacking group APT3 acquired access to US National Security Agency (NSA) malware after observing the exploit being used in the wild. And this occurred well before the ‘Shadow Brokers' leaks of NSA malware in 2016 and 2017.

According to a new analysis by security specialists at Check Point Software, which claims that APT3 "recreated its own version of an Equation group exploit using captured network traffic", but which was instead equipped with a zero-day security flaw targeting the Windows operating system.

Check Point's research follows on from an investigation conducted by rival Symantec earlier this year, which indicated how APT3 had been observed apparently using one of the NSA tools leaked by Shadow Brokers before the leaks actually occurred.

Western security groups, including Check Point, Symantec, Intrusion Truth and Recorded Future all concur that APT3 is a front behind which sits the Chinese Ministry of State Security. However, it hasn't been clear whether the group developed its exploits in-house or acquired them elsewhere.

The exploit tool observed in-use by Symantec was given the name Bemstour. It makes use of a variant of one Equation Group (associated with the NSA) exploit, related to Equation Group's EternalRomance exploit, leaked by Shadow Brokers.

"The group attempted to develop the exploit in a way that allowed it to target more Windows versions, similar to what was done in a parallel Equation group exploit named EternalSynergy. This required looking for an additional 0-day that provided them with a kernel information leak," Check Point explains.

The implication, it adds, is that APT3 wasn't directly exposed to any NSA exploit tool, since it deployed its own zero-day in order to infiltrate systems.

It continues: "The underlying SMB [data] packets used throughout the tool execution were crafted manually by the developers, rather than generated using a third-party library.

"As a lot of these packets were assigned with hard-coded and seemingly arbitrary data, as well as the existence of other unique hard-coded SMB artefacts, we can assume that the developers were trying to recreate the exploit based on previously recorded traffic."

This network traffic would have been collected from a machine controlled by APT3. "This means either a Chinese machine that was targeted by the NSA and monitored by the group, or a machine compromised by the group beforehand, on which foreign activity was noticed.

"We believe the former is more likely, and in that case could be made possible by capturing lateral movement within a victim network targeted by the Equation group."

Both the NSA and China-linked hackers, of course, were engaged in an arms race to identify and develop exploits based on security flaws in the SMB network protocol integrated with Windows.

However, while providing a detailed technical rundown of its working out, Check Point also admits that it cannot prove that APT3 got hold of NSA hacking tools in this way "beyond any doubt".

Following the release of the various Shadow Brokers/NSA hacking tools, Microsoft rushed to patch the security flaws in its implementation of the SMB protocol.

Comments are closed.