On February 22, Check Point Research, an American-Israeli cybersecurity company, published an exhaustive report discussing certain cyber tools. The report stated that cyber tools that the Equation Group, a group believed to be affiliated to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA), had fallen into the hands of a Chinese hacker group, which then repurposed them in order to attack U.S. targets.
In 2014, the Chinese group APT31 (APT is abbreviation of Advanced Persistent Threat), also known as Zirconium or Judgment Panda, made a replica of an exploit originally attributed to the Equation Group, known as EpMe. An exploit is a hack that leverages a security hole or flaw, as opposed to a hack that requires installing malware. The Chinese hackers then used that tool, which Check Point has named “Jian” or “double-edged sword,” from 2015 until March 2017, when Microsoft patched the vulnerability it attacked.
Check Point pointed out, “Both exploit versions for APT31’s “Jian” or Equation Group’s “EpMe” are intended for … elevating the privileges of the attacker in the local Windows environment.” “The tool is used after an attacker gains initial access to a target computer — say, via zero-click vulnerability, a phishing email, or any other option — to give the attacker the highest available privileges, so they could “roam free” and do whatever they chose on the already infected computer.”
Check Point believed that the Equation Group exploit samples could have been acquired by the Chinese APT in one of these ways:
Captured during an Equation Group network operation on a Chinese target.
Captured during an Equation Group operation on a 3rd-party network which was also monitored by the Chinese APT.
Captured by the Chinese APT during an attack on the Equation Group infrastructure.
The research report also mentioned that APT31 used “Jian” to conduct network attacks from 2015 to March 2017 until Microsoft patched the vulnerabilities.
APT31, a state-sponsored hacking collective, is alleged to conduct reconnaissance operations at the behest of the Chinese Government, specializing in intellectual property theft and credential harvesting, with recent campaigns targeting U.S. election staff with spear-phishing emails containing links that would download a Python-based implant hosted on GitHub, allowing an attacker to upload and download files as well as execute arbitrary commands.
Sources: Check Point Research, February 22, 2021
WIRED, February 22, 2021