• Getting down to the details—how it all happened
• Rise of the global cyber-warfare
• Jian and EpMe—similarities and differences
• In a nutshell
• Final words

A Chinese group of hackers, popular as “The Shadow Brokers” first became public back in 2016 when they admitted to having stolen sensitive tools from the National Security Agency or the NSA.

However, as Check Point, an American-Israeli security agency recently revealed, there is evidence that there may have been a lot more to the picture. According to Check Point, there is a high chance that there were other threat actors who had access to some of the tools and exploits before they were officially released.

Sources state that this undocumented incident of cyber-theft took place around 2014—two years before ‘The Shadow Brokers’ came into the limelight. This resulted in powerful American cyber tools landing right into the hands of a Chinese threat actor and getting repurposed to use to take down American targets—a representative from Check Point stated in a comprehensive case report.

According to the report, a Chinese group called APT31 (alternatively known as Judgement Panda and Zirconium) accessed ‘EpMe’, a cyber offensive tool code created by the Equation Group—a group of highly skilled hackers that is a part of the NSA.

Nicknamed ‘Jian’, (a double-edged sword in China) by Check Point, the Chinese version of the tool ‘EpMe’ was used from 2015 through 2017, to exploit a local-privilege escalation (LPE) flaw in Windows, (also known as CVE-2017-0005) until Microsoft found and fixed the vulnerability. The exploit by APT31 consisted of 4 “windows privilege escalation” exploits—which would generally give hackers deeper access to a network they had already infiltrated.

Getting down to the details—how it all happened

The computer incident response team operating under Lockheed Martin first picked up on the exploit. It is because of the fact that most of Martin’s customers are based in the United States that Check Point came to the conclusion that the targets of any criminal activity regarding this incident were most likely to be American.

It is still not clear exactly how access to NSA tools was acquired; however, there are theories that suggest the EpMe malware being used against China on the command of The Equation Group may have presented an opportunity.

An alternative theory by Check Point offers the possibility of it being stolen from a third-party server that was used by The Equation Group to store it.

Finally, there is one more theory that suggests that the code to EpMe was directly taken from the network by APT31.

Even though the theories do make sense, none of them are particularly encouraging as it appears that the tool was either stolen from the American hackers as they attacked China, or Chinese hackers had managed to gain illegal access to an institute renowned for its high-level security.

Rise of the global cyber-warfare

As a state-sponsored hacking collective, APT31 is theorized to carry out probes and investigative operations for the Chinese government. Back in October of 2020, the same group was also linked to a phishing campaign related to the US Presidential elections.

The exploit consisted of the group trying to get campaign staffers to download a new version of anti-virus software, which, once download would infect their devices. Not to forget, there were also cyber attacks on SolarWinds and FireEyes only last year, the setback and losses from which are yet to be fully calculated. However, several experts agree that these attacks may have been from Russia.

Researchers studying the recent APT31 revelation conclude that the EpMe exploit does align fully with the specifics detailed in Microsoft’s blog on CVE-2017-0005. After studying the analysis of both, the Equation Group and the two incidents, experts also agree that the exploit did stop working in 2017 when Microsoft released a new patch addressing the vulnerability.

Jian and EpMe—similarities and differences

As analyzed, both the original tool (EpMe), and the cloned variant ‘Jian’ share the same memory layout and hard coded constants, suggesting that one of the two was either copied off of the other or both tools were inspired by a third-party tool.

An interesting fact is that even though EpMe originally did not support Windows 2000, Jian was found to come backed up with case scenarios that would support the new windows version, pointing to the possibility of the tool having been copied from the Equation Group in 2014 before and an updated clone was created to go after American targets.

To take the case forward, a source well-acquainted with Lockheed Martin’s research and analysis reported that the Windows vulnerability was detected on an unknown third-party’s network, operating as part of a threat-monitoring service.

In a nutshell

To summarize the series of events, here are the major findings:

1. The 0-Day, caught-in-the-wild exploit of the LPE, attributed to the Chinese APT31 (Judgement Panda or Zirconium), was theorized to be a close replica of an Equation Group exploit code: “EpMe.”
2. Analysis reports found that the APT31 had access to both 32-bit and 64-bit versions of EpMe files more than 2 years prior to the Shadow Brokers leak in 2016.
3. The Chinese group replicated EpMe to form “Jian”-along with some updates, which was used until Microsoft released a patch to fix the vulnerability in 2017.
4. Lockheed Martin’s Computer Incident Response Team reported the exploit to Microsoft and hinted that it could have been used to take down American targets.
5. The EpMe framework dates back to 2013 and consists of four LPE exploits—out of which, two were 0-Days when the framework was developed.
6. Out of the two 0-Days in the framework, one, named: EpMo was yet to be released publically and was patched up by Microsoft in 2017. Reports say that this was in response to the leak linked to Shadow Brokers.

Image Source

Final words

Even though the events have been disturbing, this is not the first time that NSA’s security network has been infiltrated by hackers. In 2019, another Chinese hacking group known as APT3 was reported to have repurposed a technical backdoor linked to NSA to gain access to telecom and media sectors.

However, analysts suggest that the threat actors involved in this attack may have engineered their own version of tools from the scraps that were found in the network after observing an attack by the Equation Group.

The fact that Jian, a tool that was previously attributed to the APT13, is one of the tools created by the Equation Group for a similar vulnerability emphasizes the importance of strategic thinking and decision making.

Regardless of the fact that Jian was discovered and analyzed back in 2017 by Microsoft, and the Shadow Brokers leaked the stolen tools more than four years ago, there is a lot that needs to be learned from the two incidents.

Nonetheless, the most important point to note would be the fact that an entire module, containing four exploits was sitting on GitHub for four years before it was noticed—and that it should speak volumes about the graveness of the Equation Group tools leak.