On August 13, 2016, a hacking unit calling itself "The Shadow Brokers" announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA).

Although the group has since signed off following the unprecedented disclosures, new "conclusive" evidence unearthed by Check Point Research shows that this was not an isolated incident.

The previously undocumented cyber-theft took place more than two years before the Shadow Brokers episode, the American-Israeli cybersecurity company said in an exhaustive report published today, resulting in U.S.-developed cyber tools reaching the hands of a Chinese advanced persistent threat which then repurposed them in order to attack U.S. targets.

"The caught-in-the-wild exploit of CVE-2017-0005, a zero-day attributed by Microsoft to the Chinese APT31 (aka Zirconium), is in fact a replica of an Equation Group exploit codenamed 'EpMe,'" Check Point researchers Eyal Itkin and Itay Cohen said. "APT31 had access to EpMe's files, both their 32-bits and 64-bits versions, more than two years before the Shadow Brokers leak."

The Equation Group, so-called by researchers from cybersecurity firm Kaspersky in February 2015, has been linked to a string of attacks affecting "tens of thousands of victims" as early as 2001, with some of the registered command-and-control servers dating back to 1996. Kaspersky called the group the "crown creator of cyberespionage."

An Unknown Privilege Escalation Exploit

First revealed in March 2017, CVE-2017-0005 is a security vulnerability in the Windows Win32k component that could potentially allow elevation of privileges (EoP) in systems running Windows XP and up to Windows 8. The flaw was reported to Microsoft by Lockheed Martin's Computer Incident Response Team.

Check Point has named the cloned variant "Jian" after a double-edged straight sword used in China during the last 2,500 years, referencing its origins as an attack tool developed by the Equation Group that was then weaponized to serve as a "double-edged sword" to attack U.S. entities.

Timeline of the events detailing the story of EpMe / Jian / CVE-2017-0005

Jian is said to have been replicated in 2014 and put in operation since at least 2015 until the underlying flaw was patched by Microsoft in 2017.

APT31, a state-sponsored hacking collective, is alleged to conduct reconnaissance operations at the behest of the Chinese Government, specializing in intellectual property theft and credential harvesting, with recent campaigns targeting U.S. election staff with spear-phishing emails containing links that would download a Python-based implant hosted on GitHub, allowing an attacker to upload and download files as well as execute arbitrary commands.

Stating that the DanderSpritz post-exploitation framework contained four different Windows EoP modules, two of which were zero-days at the time of its development in 2013, Check Point said one of the zero-days — dubbed "EpMo" — was silently patched by Microsoft "with no apparent CVE-ID" in May 2017 in response to the Shadow Brokers leak. EpMe was the other zero-day.

DanderSpritz was among the several exploit tools leaked by the Shadow Breakers on April 14, 2017, under a dispatch titled "Lost in Translation." The leak is best known for publishing the EternalBlue exploit that would later power the WannaCry and NotPetya ransomware infections that caused tens of billions of dollars' worth of damage in over 65 countries.

This is the first time a new Equation Group exploit has come to light despite EpMo's source code being publicly accessible on GitHub since the leak almost four years ago.

For its part, EpMo was deployed in machines running Windows 2000 to Windows Server 2008 R2 by exploiting a NULL-Deref vulnerability in Graphics Device Interface's (GDI) User Mode Print Driver (UMPD) component.

Jian and EpMe Overlap

"On top of our analysis of both the Equation Group and APT31 exploits, the EpMe exploit aligns perfectly with the details reported in Microsoft's blog on CVE-2017-0005," the researchers noted. "And if that wasn't enough, the exploit indeed stopped working after Microsoft's March 2017 patch, the patch that addressed the said vulnerability."

Apart from this overlap, both EpMe and Jian have been found to share an identical memory layout and the same hard-coded constants, lending credence to the fact that one of the exploits was most probably copied from the other, or that both parties were inspired by an unknown third-party.

But so far, there are no clues alluding to the latter, the researchers said.

Interestingly, while EpMe didn't support Windows 2000, Check Point's analysis uncovered Jian to have "special cases" for the platform, raising the possibility that APT31 copied the exploit from the Equation Group at some point in 2014, before tweaking it to suit their needs and ultimately deploying the new version against targets, including Lockheed Martin.

That Jian, a zero-day exploit previously attributed to APT31, is actually a cyber offensive tool created by the Equation Group for the same vulnerability signifies the importance of attribution for both strategic and tactical decision making.

"Even though 'Jian' was caught and analyzed by Microsoft at the beginning of 2017, and even though the Shadow Brokers leak exposed Equation Group's tools almost four years ago, there is still a lot one can learn from analyzing these past events," Cohen said.

"The mere fact that an entire exploitation module, containing four different exploits, was just lying around unnoticed for four years on GitHub, teaches us about the enormity of the leak around Equation Group tools."