China-linked APT3 was able to modify stolen NSA cyberweapons

Pierluigi Paganini September 09, 2019

China-linked APT3 obtained NSA cyberweapons from captured network traffic and reverse engineered them to build its own arsenal.

In 2010, security firm FireEye identified the Pirpi Remote Access Trojan (RAT), which exploited a then-zero-day vulnerability in Internet Explorer 6, 7 and 8. FireEye named the threat group APT3; it has also been tracked as TG-0100, Buckeye, Gothic Panda and UPS, and was described at the time as "one of the most sophisticated threat groups" under observation.

Since then, APT3 has been actively penetrating corporations and governments in the US, the UK and, most recently, Hong Kong, and everyone has been trying to work out who they are. APT3 operates very differently from 3PLA (the Third Department of the PLA General Staff, the former Chinese military hacking organization), which led to the assumption that APT3 is not part of the military complex. At least not officially.

In May 2017, researchers at the threat intelligence firm Recorded Future documented a clear link between the APT3 threat group and China's Ministry of State Security.

APT3 has developed a collection of exploits and tools that Check Point dubbed "UPSynergy," much of which appears to be based on malicious code belonging to the NSA-linked Equation Group.

In May 2019, Symantec published a report revealing that APT3 (which Symantec tracks as Buckeye) had been using a tool attributed to the Equation Group more than a year before the Shadow Brokers leak.

According to Symantec, APT3 had acquired a variant of the NSA-developed EternalRomance exploit before the Shadow Brokers published the NSA exploits in 2017.

How did APT3 obtain these tools and exploits?

Researchers from Check Point, aiming to extend Symantec's work, conducted a deep analysis of Bemstour, the exploitation tool used by APT3 (Buckeye). They concluded that APT3 built its own version of an Equation Group exploit by studying captured network traffic rather than the original tool.

“The threat group known as APT3 recreated its own version of an Equation group exploit using captured network traffic,” reads the analysis, published by Check Point. “We believe that this artifact was collected during an attack conducted by the Equation Group against a network monitored by APT3, allowing it to enhance its exploit arsenal with a fraction of the resources required to build the original tool…One possible modus operandi – the Chinese collect attack tools used against them, reverse-engineer and reconstruct them to create equally strong digital weapons.”

The experts found that APT3's developers reverse engineered the exploit and then improved it by adding an additional zero-day exploit of their own.

The original EternalRomance primarily targeted Windows 7 systems; a change introduced in Windows 8 made exploitation of later Windows versions difficult.

The Equation Group solved this problem by chaining EternalRomance with another exploit, EternalChampion, to obtain the kernel information it needed. That exploit chain shipped as the EternalSynergy exploit code.

APT3 solved the same problem by integrating a new zero-day information-leak exploit into its EternalRomance variant.

The zero-day APT3 used is tracked as CVE-2019-0703, an information disclosure vulnerability in the way the Windows SMB Server handles certain requests.

“The group attempted to develop the exploit in a way that allowed it to target more Windows versions, similar to what was done in a parallel Equation group exploit named EternalSynergy. This required looking for an additional 0-day that provided them with a kernel information leak. All of this activity suggests that the group was not exposed to an actual NSA exploitation tool, as they would then not need to create another 0-day exploit.” continues the analysis. “We decided to name APT3’s bundle of exploits UPSynergy, since, much like in the case of Equation group, it combines 2 different exploits to expand the support to newer operating systems.”

Both the NSA and APT3 used the EternalRomance exploit to deploy the DoublePulsar backdoor.

Check Point researchers noted, however, that the two groups packaged DoublePulsar in different ways.
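The DoublePulsar detail above is the one point in the story where a defender has something concrete to look for on the wire. As an added example (this is not Check Point's or Symantec's code, and the SMB frames it consumes are constructed inline rather than captured from a real host), the Python below decodes SMBv1 Trans2 traffic and flags the publicly documented DoublePulsar "ping" signal: an SMB_COM_TRANSACTION2 request whose Setup subcommand is 0x000E (SESSION_SETUP, which legitimate clients do not send) is answered by the implant with the Multiplex ID raised by 0x10 (0x41 becomes 0x51), whereas an uninfected server echoes the MID unchanged:

```python
"""Offline detector for the DoublePulsar SMBv1 "ping" fingerprint.

Added example, not code from Check Point, Symantec or the article. It decodes
SMBv1 messages carried in NetBIOS session frames and flags the publicly
documented implant signal: a Trans2 request with Setup subcommand 0x000E
answered with the Multiplex ID raised by 0x10 (0x41 -> 0x51). A clean server
echoes the MID unchanged. All frames are constructed in build_trans2_frame().
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E   # Trans2 subcommand used only by the implant's ping
SMB_FLAGS_REPLY = 0x80          # bit 7 of the Flags byte marks a server reply
DOUBLEPULSAR_MID_DELTA = 0x10   # implant answers request MID 0x41 with 0x51


@dataclass(frozen=True)
class SmbHeader:
    command: int
    flags: int
    tid: int
    pid: int
    uid: int
    mid: int

    @property
    def is_reply(self) -> bool:
        return bool(self.flags & SMB_FLAGS_REPLY)

    @property
    def session_key(self) -> Tuple[int, int, int]:
        # A reply carries the same TID/PID/UID as the request it answers.
        return (self.tid, self.pid, self.uid)


def strip_netbios(frame: bytes) -> bytes:
    """Drop the 4-byte NetBIOS session service header (type 0x00 + 24-bit length)."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(frame[1:4], "big")
    smb = frame[4:4 + length]
    if len(smb) != length:
        raise ValueError("truncated SMB message")
    return smb


def parse_smb_header(smb: bytes) -> SmbHeader:
    """Decode the fixed 32-byte SMBv1 header; multi-byte fields are little-endian."""
    if len(smb) < 32 or smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMBv1 message")
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    return SmbHeader(command=smb[4], flags=smb[9], tid=tid, pid=pid, uid=uid, mid=mid)


def trans2_request_setup(smb: bytes) -> List[int]:
    """Return the Setup[] words of a Trans2 request (14 fixed parameter words, then Setup)."""
    word_count = smb[32]
    params = smb[33:33 + 2 * word_count]
    if len(params) < 28:
        return []
    setup_count = params[26]
    setup = params[28:28 + 2 * setup_count]
    if len(setup) != 2 * setup_count:
        return []
    return list(struct.unpack("<%dH" % setup_count, setup))


def detect_doublepulsar(frames: Iterable[bytes]) -> List[str]:
    """Walk an ordered capture (both directions) and report implant-style replies."""
    findings: List[str] = []
    pending: Dict[Tuple[int, int, int], int] = {}   # session -> MID of outstanding ping
    for frame in frames:
        try:
            smb = strip_netbios(frame)
            hdr = parse_smb_header(smb)
        except ValueError:
            continue            # non-SMBv1 noise in the capture is skipped, not fatal
        if hdr.command != SMB_COM_TRANSACTION2:
            continue
        if not hdr.is_reply:
            if TRANS2_SESSION_SETUP in trans2_request_setup(smb):
                pending[hdr.session_key] = hdr.mid
            continue
        req_mid = pending.pop(hdr.session_key, None)
        if req_mid is not None and hdr.mid == (req_mid + DOUBLEPULSAR_MID_DELTA) & 0xFFFF:
            findings.append("DoublePulsar present: SESSION_SETUP ping MID 0x%02x answered with MID 0x%02x"
                            % (req_mid, hdr.mid))
    return findings


def build_trans2_frame(mid: int, setup: int = 0, reply: bool = False,
                       tid: int = 0x0800, pid: int = 0xfeff, uid: int = 0x0800) -> bytes:
    """Constructed test data: a minimal Trans2 request or reply inside a NetBIOS frame."""
    flags = SMB_FLAGS_REPLY if reply else 0x18
    header = (SMB_MAGIC + bytes([SMB_COM_TRANSACTION2]) + b"\x00" * 4 + bytes([flags])
              + b"\x07\xc0" + b"\x00" * 12 + struct.pack("<HHHH", tid, pid, uid, mid))
    if reply:   # 10 parameter words, SetupCount 0: what a normal server sends back
        params = struct.pack("<HHHHHHHHHBB", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    else:       # 14 fixed words + one Setup word carrying the subcommand
        params = struct.pack("<HHHHBBHIHHHHHBBH", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, setup)
    body = bytes([len(params) // 2]) + params + struct.pack("<H", 0)   # WordCount, words, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def sample_captures() -> Dict[str, List[bytes]]:
    """Constructed exchanges: a clean host and a host carrying the implant."""
    ping = build_trans2_frame(0x41, setup=TRANS2_SESSION_SETUP)
    return {
        "clean": [ping, build_trans2_frame(0x41, reply=True)],
        "infected": [b"not smb at all", ping, build_trans2_frame(0x51, reply=True)],
    }


if __name__ == "__main__":
    for name, frames in sample_captures().items():
        print(name, detect_doublepulsar(frames) or ["no implant signal"])
```

Feed it frames in capture order. The same request is what the common MS17-010 scanners send actively, so in a real capture a pending SESSION_SETUP ping may come from a scanner rather than an attacker; the finding is only raised when the answering host replies with the bumped MID, which is the implant's behaviour and not the scanner's.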

“If network traffic was indeed used by the group as a reference, the traffic was likely collected from a machine controlled by APT3,” state Check Point researchers. “This means either a Chinese machine that was targeted by the NSA and monitored by the group, or a machine compromised by the group beforehand on which foreign activity was noticed. We believe the former is more likely, and in that case could be made possible by capturing lateral movement within a victim network targeted by the Equation Group.”

Experts pointed out that the U.S. and China appear to be engaged in a cyber-arms race to develop a new generation of cyber weapons.

The evidence collected by Check Point implies that both states have comparable expertise.

“It’s not always clear how threat actors achieve their exploitation tools, and it’s commonly assumed that actors can conduct their own research and development or get it from a third party,” Check Point concludes. “In this case we have evidence to show that a third (but less common) scenario took place – one where attack artifacts of a rival (i.e. Equation Group) were used as the basis and inspiration for establishing in-house offensive capabilities by APT3.”

Further technical details, including IoCs, are reported in the analysis published by Check Point.

Pierluigi Paganini

(SecurityAffairs – APT3, hacking)