Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak (Security News, February 2021)
A Chinese threat actor known as APT31 likely acquired and cloned one of the Equation Group's exploits three years before the targeted vulnerability was publicly exposed as part of Shadow Brokers' "Lost in Translation" leak, cybersecurity firm Check Point says in a new report.
Exploitation tools that the Equation Group had been using for years were made public in early 2017 by a mysterious group calling itself Shadow Brokers.
The exploit in question, called Jian and attributed to APT31 (a Chinese hacking group also tracked as Zirconium), targets CVE-2017-0005 and is now believed to be a clone of an Equation Group exploit code-named "EpMe" that targeted the same security hole.
Further analysis revealed that the two exploits share artefacts specific to Equation Group tools, suggesting that EpMe was the original exploit for CVE-2017-0005, Check Point says.
"To our surprise, we found out that this APT31 exploit is in fact a reconstructed version of an Equation Group exploit called 'EpMe'. This means that an Equation Group exploit was eventually used by a Chinese-affiliated group, probably against American targets," Check Point notes.
Related vulnerability

| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2017-03-17 | CVE-2017-0005 | Windows GDI Elevation of Privilege Vulnerability: the Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application. This vulnerability is different from those described in CVE-2017-0001, CVE-2017-0025, and CVE-2017-0047. | 7.8 |