On Monday, the security firm Check Point reported that APT31, a Chinese state-sponsored group also known as Zirconium or Judgement Panda, obtained and repurposed EpMe, a Windows exploit built by the Equation Group, the elite hacking unit widely believed to be part of the NSA.
EpMe dates to 2013. By 2014 the Chinese group had built its own exploit from the EpMe code; Check Point named that clone "Jian", Chinese for "double-edged sword". APT31 kept using Jian until Microsoft patched the vulnerability it attacked in 2017.
Taken together, this means APT31 held a working copy of an Equation Group privilege-escalation exploit, the kind of tool that lets an attacker who already has a foothold on a victim machine climb to higher privileges and dig deeper into the network, years before the Shadow Brokers leaks of 2016 and 2017 put Equation Group tooling in the open.
Check Point also suggests the Chinese copy may have been turned against American targets: the vulnerability it exploits was reported to Microsoft in 2017 by Lockheed Martin's incident response team, which had found the technique in use.
This is not the first documented case of Chinese hackers repurposing NSA tooling. In 2019 Symantec reported that another Chinese group had used exploits tied to the Equation Group's EternalBlue and EternalRomance Windows attacks before the Shadow Brokers leak. In that case the group appears to have observed the agency's exploit in network traffic and reverse-engineered the technique to build its own tool.
“The Chinese exploit copied some part of the code, and in some cases they seem like they didn’t really understand what they copied and what it does,” says Check Point researcher Itay Cohen.
Jake Williams, founder of Rendition Infosec and a former NSA hacker, cautions that Check Point reconstructed the code's history partly from compile timestamps, which can be faked. He also notes that the researchers may simply lack a sample that would settle where the tool originated, one that could show it was instead taken by the NSA, or by some other third group. "I think they have a field-of-view bias by saying this was definitely stolen from NSA," Williams says. "But for whatever it's worth, if you forced me to put money on who had it first, I'd say NSA."
Check Point speculates that the Chinese group captured the EpMe malware in one of three ways: from a Chinese network the Equation Group was attacking, from a third-party server the Equation Group used to stage attacks without revealing their origin, or from the Equation Group's own network, that is, from inside the NSA.
When Check Point traced the origin of one of the exploit fingerprints it had built, the result surprised the researchers. "When we got the results, we were in shock," says Cohen. "We saw that this was not only the same exploit (Shadow Brokers Leak), but when we analyzed the binary we found that the Chinese version is a replica of the Equation Group exploit from 2013."