Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak – Ars Technica

Already criticized for not protecting its exploit arsenal, the NSA has a new lapse.

The National Security Agency headquarters in Fort Meade, Maryland.

One of the most significant events in computer security came in April 2017, when a still-unidentified group calling itself the Shadow Brokers published a trove of the National Security Agency’s most coveted hacking tools. The leak and the subsequent repurposing of the exploits in the WannaCry and NotPetya worms that shut down computers worldwide made the theft arguably one of the NSA’s biggest operational mistakes ever.

On Monday, security firm Symantec reported that two of those advanced hacking tools were used against a host of targets starting in March 2016, fourteen months prior to the Shadow Brokers leak. An advanced persistent threat hacking group that Symantec has been tracking since 2010 somehow got access to a variant of the NSA-developed DoublePulsar backdoor and one of the Windows exploits the NSA used to remotely install it on targeted computers.

Killing NOBUS

The revelation that the powerful NSA tools were being repurposed much earlier than previously thought is sure to touch off a new round of criticism about the agency’s inability to secure its arsenal.

“This definitely should bring additional criticism of the ability to protect their tools,” Jake Williams, a former NSA hacker who is now a cofounder of Rendition Infosec, told Ars. “If they didn’t lose the tools from a direct compromise, then the exploits were intercepted in transit or they were independently discovered. All of this completely kills the NOBUS argument.”

“NOBUS” is shorthand for nobody but us, a mantra NSA officials use to justify their practice of privately stockpiling certain exploits, rather than reporting the underlying vulnerabilities so they can be fixed.

Symantec researchers said they didn’t know how the hacking group—known alternately as Buckeye, APT3, Gothic Panda, UPS Team, and TG-0110—obtained the tools. The researchers said the limited number of tools used suggested the hackers’ access wasn’t as broad as the access enjoyed by the Shadow Brokers. The researchers speculated that the hackers may have reverse engineered technical “artefacts” they captured from attacks the NSA carried out on its own targets. Other less likely possibilities, Symantec said, were Buckeye stealing the tools from an unsecured or poorly secured NSA server, or a rogue NSA group member or associate leaking the tools to Buckeye.

The attack used to install Buckeye’s DoublePulsar variant exploited a Windows vulnerability indexed as CVE-2017-0143. It was one of several Windows flaws exploited in Shadow Broker-leaked NSA tools with names that included Eternal Romance and Eternal Synergy. Microsoft patched the vulnerability in March 2017 after being tipped off by NSA officials that the exploits were likely to be published soon.

Symantec’s report means that by the time the NSA reported the vulnerabilities to Microsoft, they had already been exploited in the wild for months.

“The fact that another group (besides NSA) were able to successfully exploit the Eternal series of vulnerabilities successfully is very impressive,” Williams said. “It speaks to their technical abilities and resourcing. Even if they stole the vulnerabilities while they were being used on the network, that’s not enough to recreate reliable exploitation without tons of extra research.”

Tale of two exploits

Security protections built into modern versions of Windows required that two separate vulnerabilities be exploited to successfully install DoublePulsar. Both the NSA and Buckeye exploited CVE-2017-0143 to corrupt Windows memory. From there, attackers needed to exploit a separate vulnerability that would divulge the memory layout of the targeted computer. Buckeye relied on a different information-disclosure vulnerability than the NSA’s Eternal attacks used. The vulnerability used by Buckeye, CVE-2019-0703, received a patch in March, six months after Symantec privately reported it to Microsoft.

Symantec said the earliest known instance of Buckeye using the NSA variants came on March 31, 2016 in an attack on a target in Hong Kong. It came in a custom-designed trojan dubbed Bemstour that installed DoublePulsar, which runs only in memory. From there, DoublePulsar installed a secondary payload that gave the attackers persistent access to the computer, even if it was rebooted and DoublePulsar was no longer running. An hour after the Hong Kong attack, Buckeye used Bemstour against an educational institution in Belgium.

Six months later—sometime in September 2016—Buckeye unleashed a significantly improved variant of Bemstour on an educational institution in Hong Kong. One improvement: unlike the original Bemstour, which ran only on 32-bit hardware, the updated version ran on 64-bit systems as well. Another advance in the updated Bemstour was its ability to execute arbitrary shell commands on the infected computer. This allowed the malware to deliver custom payloads on 64-bit infected computers. The attackers typically used the capability to create new user accounts.

Bemstour was used again in June 2017 against a target in Luxembourg. From June to September of that year Bemstour infected targets in the Philippines and Vietnam. Development of the trojan continued into this year, with the most recent sample having a compilation date of March 23, 11 days after Microsoft patched the CVE-2019-0703 zeroday.

Symantec researchers were surprised to see Bemstour being actively used for so long. Previously, the researchers believed that APT3 had disbanded following the November 2017 indictment of three Chinese nationals on hacking charges. While the indictment didn’t identify the group the defendants allegedly worked for, some of the tools prosecutors identified implicated APT3.

Monday’s report said Bemstour’s use following the apparent disappearance of Buckeye remained a mystery.

“It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group,” company researchers wrote. “However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group.”

