Security News > 2021 > February > Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak
A Chinese threat actor known as APT31 likely acquired and cloned one of the Equation Group's exploits three years before the targeted vulnerability was publicly exposed as part of Shadow Brokers' "Lost in Translation" leak, cybersecurity firm Check Point says in a new report.
Attributed to APT31, a Chinese hacking group also tracked as Zirconium, the exploit for this vulnerability is the clone of an Equation Group exploit code-named "EpMe," Check Point says.
Exploitation tools that the Equation Group had been using for years were made public in early 2017 by a mysterious group calling themselves Shadow Brokers.
Called Jian and attributed to APT31, the exploit for this vulnerability is now believed to be the clone of an Equation Group exploit that targeted the same security hole.
Further analysis has revealed that the exploits contain artefacts specific to the Equation Group tools, suggesting that EpMe was the original exploit for CVE-2017-0005, Check Point says.
"To our surprise, we found out that this APT31 exploit is in fact a reconstructed version of an Equation Group exploit called 'EpMe'. This means that an Equation Group exploit was eventually used by a Chinese-affiliated group, probably against American targets," Check Point notes.
News URL
Related news
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign (source)
- Iranian hackers now exploit Windows flaw to elevate privileges (source)
- Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials (source)
- Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain (source)
- Hackers exploit Roundcube webmail flaw to steal email, credentials (source)
- Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland (source)
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day (source)
- US says Chinese hackers breached multiple telecom providers (source)
- Chinese Hackers Use CloudScout Toolset to Steal Session Cookies from Cloud Services (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-03-17 | CVE-2017-0005 | Unspecified vulnerability in Microsoft products The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka "Windows GDI Elevation of Privilege Vulnerability." This vulnerability is different from those described in CVE-2017-0001, CVE-2017-0025, and CVE-2017-0047. | 7.8 |