Chinese Hackers Had Access to a U.S. Hacking Tool Years Before It Was Leaked Online (Security News, February 2021)
On August 13, 2016, a hacking unit calling itself "The Shadow Brokers" announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated with the Tailored Access Operations unit of the U.S. National Security Agency.
"The caught-in-the-wild exploit of CVE-2017-0005, a zero-day attributed by Microsoft to the Chinese APT31, is in fact a replica of an Equation Group exploit codenamed 'EpMe,'" Check Point researchers Eyal Itkin and Itay Cohen said.
DanderSpritz was among the several exploit tools leaked by the Shadow Brokers on April 14, 2017, under a dispatch titled "Lost in Translation." The leak is best known for publishing the EternalBlue exploit that would later power the WannaCry and NotPetya ransomware infections that caused tens of billions of dollars' worth of damage in over 65 countries.
Check Point's findings are not the first time Chinese hackers have purportedly hijacked NSA's arsenal of exploits.
In May 2019, Broadcom's Symantec reported that a Chinese hacking group called APT3 also had repurposed an NSA-linked backdoor to infiltrate telecom, media, and manufacturing sectors.
"The mere fact that an entire exploitation module, containing four different exploits, was just lying around unnoticed for four years on GitHub, teaches us about the enormity of the leak around Equation Group tools."
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/cBTKbRgGhns/chinese-hackers-had-access-to-us.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-03-17 | CVE-2017-0005 | Windows GDI Elevation of Privilege Vulnerability: The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application. This vulnerability is different from those described in CVE-2017-0001, CVE-2017-0025, and CVE-2017-0047. | 7.8 |