Chinese hackers “cloned” and used a Windows zero-day exploit which was stolen from the NSA’s Equation Group for years before the privilege escalation flaw was patched.
Check Point Research (CPR) stated that the tool was a “clone” of software developed by the US National Security Agency (NSA)’s Equation Group, identified by FireEye in 2015 and described as “one of the most sophisticated cyberattack groups in the world.”
Equation Group, which has been active since at least 2001, has been linked to the US intelligence agency’s Tailored Access Operations (TAO) unit.
The Shadow Brokers hacking group released tools and files belonging to Equation Group in 2017, some of which were used to exploit previously-unknown bugs in popular systems including Microsoft Windows.
In 2017, Microsoft also released a patch for CVE-2017-0005, a zero-day vulnerability in Windows XP to Windows 8 operating systems that could be used for privilege escalation and full system compromise.
It was previously believed that the tool created to exploit CVE-2017-0005 had been built by a Chinese advanced persistent threat (APT) group dubbed APT3, also known as Zirconium.
Check Point now says that the tool, called Jian, was actually a clone of software used by Equation Group and was being actively utilized between 2014 and 2017 — years before the vulnerability was patched — and was not built by the Chinese threat actors.
Researchers discovered that Jian is a clone of “EpMe,” which was also included in the 2017 Shadow Brokers “Lost in Translation” leak and was “repurposed” to attack US citizens.
CPR stated that both exploit versions, APT31’s “Jian” and Equation Group’s “EpMe”, are intended for elevating the attacker’s privileges in the local Windows environment. The tool is used after an attacker has gained initial access to a target computer, for example through a zero-click vulnerability or a phishing email, to give the attacker the highest available privileges, so they can do whatever they like on the already infected computer.
The team notes that Lockheed Martin reported CVE-2017-0005 to Microsoft, which is considered to be the only vulnerability it has reported in recent years. It is possible that one of Lockheed Martin’s clients, or even Lockheed Martin itself, was targeted by this actor.
It is believed that APT31 had obtained access to Equation Group’s exploit module — both 32- and 64-bit versions, which they might have captured during an Equation Group attack on a Chinese target. Or the tool may have been stolen while Equation Group was present on a network also being monitored by APT31 or during a direct attack by APT31 on Equation Group systems.
The investigation into Jian also exposed a module containing four privilege escalation exploits that were part of Equation Group’s DanderSpritz post-exploitation framework.
Two of the exploits, EpMe and EpMo, which date back to 2013, were zero-day flaws. EpMo was quietly patched by Microsoft in May 2017 as a follow-up fix in response to the Shadow Brokers leak but was not assigned a CVE. The remaining two exploits are code-named EIEi and ErNi.
Image credits: Business Tech