Chinese Spies Stole NSA Cyberweapons Long Before Shadow Brokers Leak

Chinese APT

Forensic analysis shows a Chinese APT using Equation Group hacking tools at least a year before Shadow Brokers dumped its cache in April 2017.

Hacking tools allegedly developed by the National Security Agency (NSA) were being used in the wild by at least one APT long before the Shadow Brokers released the now-infamous trove of U.S. cyberweapons, new analysis suggests.

According to researchers at Symantec, an attack group affiliated with the Chinese government known as Buckeye (a.k.a. APT3 or Gothic Panda) was able to commandeer a Windows zero-day and other tools from the NSA-linked Equation Group, which it used in attacks starting in March 2016. Those attacks continued through to Buckeye’s apparent disappearance in 2017 (three of its members were indicted in the U.S.) and beyond, with evidence of the tools being used well into 2018. Researchers said they weren’t sure if Buckeye passed the tools off to another outfit or if it continued operating longer than they originally thought.

In any event, the findings mean that Buckeye was carrying out espionage activity using allegedly U.S.-developed tools at least a year prior to the April 2017 Shadow Brokers leak.