A Symantec blog post this week revealed that the Chinese espionage group Buckeye used the NSA's "DoublePulsar" backdoor and exploit code from the same family as "EternalBlue" at least a year before the Shadow Brokers leaked those tools. Symantec believes Buckeye may have captured the NSA's tools by observing an NSA attack in progress, which allowed it to build its own versions of them.
According to Symantec, Buckeye used the tools to steal information from telecommunications, research and development, and educational organizations in Hong Kong, Belgium, Luxembourg and several Asian countries. It delivered a variant of DoublePulsar with a custom exploit tool called "Bemstour", developed specifically to install that backdoor.
Bemstour exploits two Windows vulnerabilities to achieve remote kernel code execution on the victim's machine. One of them, CVE-2019-0703, was a zero-day discovered by Symantec, which reported the vulnerability to Microsoft in September 2018; Microsoft patched it in March 2019. Eleven days after the patch shipped, Symantec found another variant of Bemstour in circulation.
The second vulnerability, CVE-2017-0143, which Microsoft patched in March 2017, was also exploited by two of the NSA tools published in the Shadow Brokers leak, "EternalRomance" and "EternalSynergy". Another security vendor also told Symantec that Buckeye had used a further piece of malware called "Filensfer" alongside "Pirpi", a well-known backdoor written by Buckeye.
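Because the DoublePulsar implant was in circulation before the leak and kept being deployed long after it, the practical question for a defender is whether any host on the network is currently carrying it. The script below is an added example, not code from Symantec or from the article: it implements the publicly documented DoublePulsar "ping" check (the technique used by Countercept's detect_doublepulsar_smb.py and nmap's smb-double-pulsar-backdoor script). The implant hooks the unused SMB1 Trans2 SESSION_SETUP subcommand; a ping sent with Multiplex ID 0x41 comes back with Multiplex ID 0x51 from an infected host, while a clean SMB1 server echoes 0x41. The function names, the null-session handshake field values and the constructed test packets are this example's own choices.

```python
"""Added example (not Symantec's or the article's code): probe a host for the
DoublePulsar SMB implant with the Trans2 SESSION_SETUP "ping" documented by
Countercept's detect_doublepulsar_smb.py and nmap's smb-double-pulsar-backdoor.
Infected hosts answer the ping (Multiplex ID 0x41) with Multiplex ID 0x51;
clean SMB1 servers echo 0x41.  Handshake field values are this example's choices."""
import socket
import struct

SMB_MAGIC = b"\xffSMB"
CMD_NEGOTIATE, CMD_SESSION_SETUP, CMD_TREE_CONNECT, CMD_TRANS2 = 0x72, 0x73, 0x75, 0x32
TRANS2_SESSION_SETUP = 0x000E
PING_MID, IMPLANT_PING_MID = 0x41, 0x51
# Timeout value the implant decodes as its "ping" opcode (0xa6 + 0xd9 + 0xa4 = 0x223 -> 0x23).
PING_TIMEOUT = 0x00A4D9A6


def smb_header(command, tid=0, uid=0, mid=0):
    """32-byte SMB1 header.  Flags2 has no Unicode bit set, so all strings below are ASCII."""
    return (SMB_MAGIC + struct.pack("<BIBHH", command, 0, 0x18, 0x4001, 0)
            + b"\x00" * 8 + struct.pack("<HHHHH", 0, tid, 0xFEFF, uid, mid))


def frame(smb):
    """NetBIOS session service header: message type 0x00 followed by a 3-byte length."""
    return struct.pack(">I", len(smb)) + smb


def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"
    return frame(smb_header(CMD_NEGOTIATE) + struct.pack("<BH", 0, len(dialects)) + dialects)


def session_setup_request():
    """Null (anonymous) session in the pre-extended-security format: a single empty OEM password byte."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFFF, 2, 1, 0, 1, 0, 0, 0xD0)
    data = b"\x00" * 5  # empty password, account name, domain, native OS, native LAN manager
    return frame(smb_header(CMD_SESSION_SETUP) + b"\x0D" + words + struct.pack("<H", len(data)) + data)


def tree_connect_request(uid, host):
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)  # no AndX, flags 0, password length 1
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00" + b"?????\x00"
    return frame(smb_header(CMD_TREE_CONNECT, uid=uid) + b"\x04" + words + struct.pack("<H", len(data)) + data)


def trans2_ping_request(tid, uid):
    """Trans2 request, subcommand SESSION_SETUP, carrying the implant's ping opcode in Timeout."""
    params = b"\x00" * 12
    param_offset = 32 + 1 + 30 + 2 + 1  # header, WordCount, 15 words, ByteCount, one pad byte
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        len(params), 0, 1, 0, 0, 0, 0, PING_TIMEOUT, 0,
                        len(params), param_offset, 0, param_offset + len(params),
                        1, 0, TRANS2_SESSION_SETUP)
    body = b"\x0F" + words + struct.pack("<H", 1 + len(params)) + b"\x00" + params
    return frame(smb_header(CMD_TRANS2, tid=tid, uid=uid, mid=PING_MID) + body)


def parse_smb_header(packet):
    """Fields of a NetBIOS-framed SMB1 header; raises on anything that is not SMB1."""
    if len(packet) < 36 or packet[4:8] != SMB_MAGIC:
        raise ValueError("not an SMB1 packet")
    command, status = struct.unpack_from("<BI", packet, 8)
    tid, _pid, uid, mid = struct.unpack_from("<HHHH", packet, 28)
    return {"command": command, "status": status, "tid": tid, "uid": uid,
            "mid": mid, "signature": packet[18:26]}


def is_implant_response(packet):
    """True when the ping reply carries the implant's Multiplex ID (0x41 + 0x10)."""
    hdr = parse_smb_header(packet)
    return hdr["command"] == CMD_TRANS2 and hdr["mid"] == IMPLANT_PING_MID


def doublepulsar_xor_key(signature):
    """Session XOR key the implant leaks in the signature field (formula from the Countercept script)."""
    s = struct.unpack("<I", signature[:4])[0]
    x = 2 * s ^ (((s & 0xFF00 | (s << 16)) << 8) | (((s >> 16) | s & 0xFF0000) >> 8))
    return x & 0xFFFFFFFF


def probe(host, port=445, timeout=5.0):
    """Live check: negotiate, null session, IPC$ tree connect, ping.  Returns (infected, xor_key)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        def exchange(request):
            sock.sendall(request)
            return sock.recv(4096)
        exchange(negotiate_request())
        uid = parse_smb_header(exchange(session_setup_request()))["uid"]
        tid = parse_smb_header(exchange(tree_connect_request(uid, host)))["tid"]
        reply = exchange(trans2_ping_request(tid, uid))
    infected = is_implant_response(reply)
    return infected, (doublepulsar_xor_key(parse_smb_header(reply)["signature"]) if infected else None)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it as `python3 dp_ping.py 10.0.0.5` against hosts that still expose SMB1 on port 445; a host with SMB1 disabled cannot answer the handshake, and the ping result says nothing about whether MS17-010 or the March 2019 fix for CVE-2019-0703 is installed. Keep in mind that DoublePulsar lives only in kernel memory, so a clean result on a machine that was rebooted after infection does not mean it was never compromised; the reverse is also true, a positive hit means the implant is live now and the host should be isolated before anything else.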
Use of the NSA Tools Spreads Beyond Buckeye
According to Symantec, Buckeye's activity appears to have stopped in mid-2017. A few months later, in November 2017, the US government indicted three suspected members of the group. Although the group itself went quiet, the tools it used kept being deployed by other attackers, in conjunction with other malware, for at least another year, until September 2018. The Shadow Brokers had already made the NSA tools public in April 2017, and since then several cybercriminal groups have integrated them into their toolsets with devastating effect. Symantec believes Buckeye never had access to the full NSA exploit toolkit before the Shadow Brokers released it.
That another espionage group obtained the NSA's hacking tools simply by watching a live NSA attack is one more illustration of why building backdoors for the supposed "good guys" (assuming you are willing to count the NSA among them) will never work in the real world: sooner or later, every category of attacker ends up with the same backdoors.
Thanks to the NSA's hubris, as Microsoft itself has argued, some of the world's most dangerous cybercrime groups now have access to high-quality, sophisticated hacking tools that can cause significant damage to millions of people for years to come. Thanks a lot for that.
Source: Symantec, Tom's Hardware