
China-linked APT3 was able to modify stolen NSA cyberweapons

China-linked APT3 stole cyberweapons from the NSA and reverse engineered them to create its arsenal.

In 2010, security firm FireEye identified the Pirpi Remote Access Trojan (RAT), which exploited a then zero-day vulnerability in Internet Explorer versions 6, 7 and 8. FireEye named the threat group APT3, which has also been tracked as TG-0100, Buckeye, Gothic Panda and UPS, and described it as “one of the most sophisticated threat groups” being tracked at the time.

Since then, APT3 has been actively penetrating corporations and governments in the US, UK and, most recently, Hong Kong, and everyone has been trying to figure out who they are. APT3 operates very differently from 3PLA, the former Chinese military hacking organization, leading to the assumption that APT3 is not part of the military complex. At least not officially.

In May 2017, researchers at threat intelligence firm Recorded Future discovered a clear link between the APT3 cyber threat group and China’s Ministry of State Security.

APT3 has developed a collection of exploits and tools dubbed ‘UPSynergy,’ many of which appear to be based on malicious code belonging to the NSA’s Equation Group APT.

In May, experts from Symantec published a report revealing that APT3 was using a tool attributed to the NSA-linked Equation Group more than one year prior to the Shadow Brokers leak.

According to the experts, APT3 was able to acquire a variant of the NSA-developed EternalRomance prior to the Shadow Brokers leak of the NSA exploits in 2017.

How did APT3 obtain these tools and exploits?

Researchers from Check Point, with the intent of expanding on Symantec’s research, conducted a deep analysis of the Bemstour exploitation tool used by the Equation Group APT. The researchers believe that APT3 developed its own version of an Equation Group exploit by using captured network traffic.

“The threat group known as APT3 recreated its own version of an Equation group exploit using captured network traffic,” reads the analysis published by Check Point. “We believe that this artifact was collected during an attack conducted by the Equation Group against a network monitored by APT3, allowing it to enhance its exploit arsenal with a fraction of the resources required to build the original tool. One possible modus operandi – the Chinese collect attack tools used against them, reverse-engineer and reconstruct them to create equally strong digital weapons.”

The experts discovered that APT3 developers were able to reverse engineer the tool and improve it by adding a further zero-day exploit.

The original version of EternalRomance targeted mostly Windows 7 systems, but a patch introduced in Windows 8 made exploitation of later Windows versions difficult.

The Equation Group solved this problem by chaining the EternalRomance exploit with another exploit dubbed EternalChampion. The exploit chain was included in the EternalSynergy exploit code.

APT3 solved the same problem by using a new zero-day information leak exploit that it integrated into EternalRomance.

APT3 leveraged the zero-day flaw tracked as CVE-2019-0703, an information disclosure vulnerability that exists in the way the Windows SMB Server handles certain requests.

“The group attempted to develop the exploit in a way that allowed it to target more Windows versions, similar to what was done in a parallel Equation group exploit named EternalSynergy. This required looking for an additional 0-day that provided them with a kernel information leak. All of this activity suggests that the group was not exposed to an actual NSA exploitation tool, as they would then not need to create another 0-day exploit.” continues the analysis. “We decided to name APT3’s bundle of exploits UPSynergy, since, much like in the case of Equation group, it combines 2 different exploits to expand the support to newer operating systems.”

The EternalRomance exploit was used by both the NSA and the APT3 group to deploy the DoublePulsar tool.
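Neither this article nor the Check Point analysis it summarises includes code; the following is an added defender-side example and is not from either. Every exploit named above (EternalRomance, EternalChampion, EternalSynergy and APT3's UPSynergy bundle) drives the SMBv1 transaction-family requests, so an analyst reviewing the kind of captured lateral-movement traffic the researchers describe can start by surfacing exactly those requests. The header layout and command codes follow the MS-CIFS specification; the frames, IP addresses and helper names are constructed for the example.

```python
import struct
from collections import Counter
from typing import Optional

SMB1_MAGIC = b"\xffSMB"   # SMB2/3 frames start with b"\xfeSMB" and are skipped
SMB_FLAGS_REPLY = 0x80    # Flags bit set on server responses

# SMB1 transaction-family command codes (MS-CIFS). These are the request types
# the SMBv1 exploit chains discussed in the article send; on a network where
# SMBv1 should be disabled, any client request in this family is worth a look.
TRANSACTION_COMMANDS = {
    0x25: "SMB_COM_TRANSACTION",
    0x32: "SMB_COM_TRANSACTION2",
    0xA0: "SMB_COM_NT_TRANSACT",
}


def parse_smb1_header(payload: bytes) -> Optional[dict]:
    """Parse the 32-byte SMB1 header that follows the 4-byte NetBIOS session
    header. Returns None for anything that is not SMB1."""
    if len(payload) < 36 or payload[4:8] != SMB1_MAGIC:
        return None
    hdr = payload[4:36]
    command = hdr[4]
    status, flags, flags2 = struct.unpack_from("<IBH", hdr, 5)   # Status, Flags, Flags2
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", hdr, 24)  # TID, PIDLow, UID, MID
    return {
        "command": command,
        "command_name": TRANSACTION_COMMANDS.get(command, f"0x{command:02x}"),
        "status": status,
        "is_reply": bool(flags & SMB_FLAGS_REPLY),
        "flags2": flags2,
        "tid": tid, "pid": pid_low, "uid": uid, "mid": mid,
    }


def flag_smb1_transactions(packets):
    """packets: iterable of (src_ip, dst_ip, payload). Returns the list of
    client-to-server SMB1 transaction-family requests and a per-source count,
    which is what makes one host spraying many peers stand out."""
    alerts = []
    for src, dst, payload in packets:
        hdr = parse_smb1_header(payload)
        if hdr is None or hdr["is_reply"]:
            continue
        if hdr["command"] in TRANSACTION_COMMANDS:
            alerts.append((src, dst, hdr["command_name"], hdr["mid"]))
    return alerts, Counter(src for src, _, _, _ in alerts)


def build_smb1(command: int, mid: int, reply: bool = False) -> bytes:
    """Constructed test frame: NetBIOS session header plus a minimal SMB1
    header with no body (hypothetical helper, not part of any real capture)."""
    flags = SMB_FLAGS_REPLY if reply else 0
    hdr = SMB1_MAGIC + struct.pack("<BIBHH", command, 0, flags, 0xC807, 0)
    hdr += b"\x00" * 8 + b"\x00\x00"                     # SecurityFeatures + Reserved
    hdr += struct.pack("<HHHH", 0, 0xFEFF, 0, mid)       # TID, PIDLow, UID, MID
    return struct.pack(">I", len(hdr)) + hdr             # NetBIOS: type 0, 3-byte length


# Constructed sample traffic: one client touching two servers with SMB1
# transaction requests, one server reply, one negotiate, one SMB2 frame.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", build_smb1(0x72, 0x0000)),               # SMB_COM_NEGOTIATE
    ("10.0.0.5", "10.0.0.20", build_smb1(0x32, 0x0041)),               # Trans2 request
    ("10.0.0.20", "10.0.0.5", build_smb1(0x32, 0x0041, reply=True)),   # server reply, ignored
    ("10.0.0.5", "10.0.0.21", build_smb1(0xA0, 0x0001)),               # NT Trans request
    ("10.0.0.9", "10.0.0.20", b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x00" * 60),  # SMB2
]

if __name__ == "__main__":
    found, per_source = flag_smb1_transactions(SAMPLE_PACKETS)
    for src, dst, name, mid in found:
        print(f"{src} -> {dst}: {name} (MID 0x{mid:04x})")
    print("requests per source:", dict(per_source))
```

Real captures would feed the parser from a pcap reader rather than constructed frames; the point of keeping the parser separate from the per-source counter is that the same header fields (command, MID, reply flag) can be joined with authentication and file-share logs to distinguish a legacy client from a host that has started driving SMBv1 transactions at many peers.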

Check Point researchers noted that DoublePulsar was wrapped by both groups in different ways.

“If network traffic was indeed used by the group as a reference, the traffic was likely collected from a machine controlled by APT3,” state Check Point researchers. “This means either a Chinese machine that was targeted by the NSA and monitored by the group, or a machine compromised by the group beforehand on which foreign activity was noticed. We believe the former is more likely, and in that case could be made possible by capturing lateral movement within a victim network targeted by the Equation Group.”

Experts pointed out that the U.S. and China are apparently involved in a cyber-arms race to develop a new generation of cyber weapons.

Evidence collected by Check Point implies that both states have similar expertise.

“It’s not always clear how threat actors achieve their exploitation tools, and it’s commonly assumed that actors can conduct their own research and development or get it from a third party,” Check Point concludes. “In this case we have evidence to show that a third (but less common) scenario took place – one where attack artifacts of a rival (i.e. Equation Group) were used as the basis and inspiration for establishing in-house offensive capabilities by APT3.”

Further technical details, including IoCs, are reported in the analysis published by Check Point.


Pierluigi Paganini

(SecurityAffairs – APT3, hacking)
