China-linked group used NSA hacking tools before they leaked – Axios

Background: The Shadow Brokers leaked tools from the NSA's vaunted "Equation Group" starting in the summer of 2016 and continuing through 2017.

• The tools were particularly potent; some of them were used in the devastating global NotPetya and WannaCry cyberattacks, both of which caused billions of dollars in damages.
• But in March 2016, well before the the Shadow Brokers released a tool called "Double Pulsar," a group known alternately as Gothic Panda, APT 3 and Buckeye (the name Symantec uses) had already started using the tool in its own malware.
• Buckeye appeared to go silent in 2017 after the Department of Justice indicted three operatives.

Details: Symantec does not attribute Buckeye to China. However, the U.S. and other private cybersecurity companies do.

• The attacks from Buckeye also incorporated another security flaw exploited by the NSA toolkit without using the specific code, as well as a never before seen security vulnerability in Microsoft Windows, which Microsoft patched last month.
• The attacks targeted telecommunications, education, research and scientific outfits in Belgium, Luxembourg, Hong Kong, Vietnam and the Philippines.
• The Buckeye tools continued to be used into 2018. That means Buckeye either lasted longer than previously thought or handed off its tools to others.

The Shadow Brokers and Buckeye appear to have obtained different versions of DoublePulsar.