Chinese Hackers Copy NSA Hacking Software, Use It To Attack US Allies

Tuesday, May 7, 2019
By Paul Martin

by Tyler Durden
Tue, 05/07/2019

A Chinese hacking group considered the “most dangerous” by the NSA stole, copied, or reverse engineered the agency’s own hacking software, then used it against American allies and private companies in Europe and Asia in attacks during 2016, according to researchers with Symantec.

The Chinese hacking group that co-opted the N.S.A.’s tools is considered by the agency’s analysts to be among the most dangerous Chinese contractors it tracks, according to a classified agency memo reviewed by The New York Times. The group is responsible for numerous attacks on some of the most sensitive defense targets inside the United States, including space, satellite and nuclear propulsion technology makers. -New York Times

The swiped software (Backdoor.Doublepulsar) and its “custom exploit tool” installation software (Trojan.Bemstour) infect a computer’s memory, and the infection remains even if DoublePulsar itself is removed. According to Symantec, the Chinese hacking group used these tools in 2016, shortly before they were leaked to the public by a group calling itself the Shadow Brokers.

Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers. One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec. The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak.

The zero-day vulnerability allows for the leaking of information and can be exploited in conjunction with other vulnerabilities to attain remote kernel code execution. It was reported by Symantec to Microsoft in September 2018 and was patched on March 12, 2019. -Symantec

Of note – the hackers never used a ‘framework’ tool specifically designed to manage DoublePulsar and other NSA hacking tools, suggesting that the Chinese “only managed to gain access to a limited number of Equation Group tools.”

Symantec identifies the NSA hackers as the “Equation Group,” while the Chinese hackers are known as the “Buckeye group” – identified by the Department of Justice and several cybersecurity firms as a Chinese Ministry of State Security contractor based in Guangzhou. According to Symantec, Buckeye is also known as Advanced Persistent Threat 3 (APT3) and by other names such as Gothic Panda.
