This week started with appalling news when the security firm Check Point on Monday confirmed that they’ve found evidence to prove that the hacking tool uncovered in the 2017 Shadow Brokers’ leak had already been exploited by Chinese hackers for years before the leak. The report says that the Chinese hackers’ group APT31 or Zirconium cloned the EpMe code to create their own version of the tool called Jian.
EpMe was created in 2013 by the Equation Group associated with NSA as a Windows zero-day bug, tracked as CVE-2017-1005 to escalate privilege on affected devices. Due to the Local Privilege Escalation (LPE) bug, one could escalate Windows user privilege after gaining access to the affected devices. EpMe software from NSA’s Equation Group was first identified by the security firm Kaspersky in the year 2015 who called it ‘one of the most sophisticated cyber-attack groups in the world’
Jian, the dual-edged sword of Chinese hackers
The Chinese Hackers built their own tool using the EpMe code which was exploited from 2014 to March 2017, when the vulnerability was finally patched by Microsoft. Check Point has named the tool built by Chinese Hackers as ‘Jian’, from the traditional Chinese double-edged sword. The tool finally came to light when the Shadow Brokers group leaked it publicly on the Internet in April of 2017.
In the past, it has been claimed that the tool used in the Shadow Brokers’ leak primarily targeted US-citizens. This means that the Chinese Hackers used an exploit from the US to target US citizens, much like a dual-edged sword.
The researchers at Check Point have pointed out that ‘the case of Jian clearly showed that it used both 32-bits and 64-bits versions of the Equation Group exploit. This would mean that the Chinese APT acquired the binary exploit samples in all their supported versions.’ Just like EpMe, Jian too was intended at escalating the attacker’s privileges to the highest possible on the affected device, once the attacker gains access via either a zero-click vulnerability, a phishing email or any other method.
The researchers at Check Point say that the APT31 hackers might have gotten their hands on the Equation Group exploit in one of the following ways –
- They captured it while the Equation Group network was operating on a Chinese target.
- They captured it when the Equation Group was operating on a third-party network that was also being monitored by the Chinese APT.
- The Chinese APT captured it amidst an attack on the Equation Group Infrastructure.
The report uncovered more exploits
While investigating Jian, the Check Point researchers uncovered a module that contained four escalation privilege exploits. These exploits were a part of the DanderSpritz post-exploitation framework by the Equation Group.
Among these 4 exploits, they detected 2 zero-day flaws that dated back to the year 2013. One of these two was EpMe while the other one was dubbed as EpMo. EpMo was presumably patched up by Microsoft quietly during May 2017 as a follow-up fix while responding to the Shadow Brokers leak, though it wasn’t assigned a specific CVE.
This wasn’t the first instance!
Though shocking, this wasn’t the first time that Chinese hackers had cloned an American hacking tool. The first known incidence of this was when the Equation Group’s EternalRomance exploit was acquired by APT3 and used to create UPSynergy or EternalSynergy. But in this scenario, the researchers agree that the hackers reconstructed the exploit from captured network traffic.
Another documented instance was that by Symantec in 2019 when APT3 or ‘Buckeye’ was linked to attacks using Equation Group’s tools in the year 2017, prior to the Shadow Brokers leak. Though it was presumed that Buckeye was dissolved by mid-2017, the tools were still in use till 2018, though it is still unknown if they were passed or not or by whom.
The Jian tool discovery has raised questions about how intelligence agencies are handling their zero-day hacking tools. The current report from Check Point also proved to be a reminder of how one APT can use the tools of another APT to help their own motives. It has also revealed the true complexity of such attacks which makes it highly arduous for security professionals to perform the accurate attributions of these attacks.