Posted on May 8, 2019 at 2:41 PM
New research by Symantec, the company responsible for Norton Anti-Virus, has released information about a Chinese hacking group that used a unique version of the DoublePulsar backdoor that the NSA was responsible for.
The group has been tracked by various information security services vendors for many years was made infamous when they were charged by US Federal authorities in 2017. The names the group operated under have been varied with BuckEye, APT3, Gothic Panda and UPS among the more well known of their aliases.
Boy uses a front for the Chinese
The US authorities alleged that the three hackers operated an infosec company by the name of Boyusec and further allege that the company is a front for the Chinese Ministry of State Security. It is widely believed that this company was responsible for hacking various Western companies with some prominent names mentioned such as Moody’s Analytics and Siemens.
The trio was known as an APT (advanced persistent threat) and did not rely too heavily on the Double Pulsar backdoor, instead of focusing on their own custom-tools and finding zero-day exploits on their own. However, in a report that Symantec released a couple of days ago, there is definitive proof that the trio had used DoublePulsar long before the backdoor became widely available due to the Shadow Brokers leak.
Symantec does say that the group has not used any other NSA tools such as the FuzzBunch framework, which is the go-to tool for NSA agents who wish to deploy DoublePulsaron target machines. The group used its own software, going by the name of Bemstour, instead.
The usage of DoublePulsar is ironic says Symantec due to it being noticeably different from the base version that was leaked in April of 2017. The only way it could be different, says Symantec, is if the Chinese had not gotten it from the source. Which would mean that Double Pulsar was found on Chinese systems and then reverse engineered from that point on. It contains code for newer versions of Windows and additional layers of obfuscation which means that the Chinese were not happy with the original malware and instead decided to improve upon it.
NSA malware helped with Chinese information theft
The malware was used to deliver a payload to gain persistent access to a variety of organizations around the world. The infections happened in the Philippines, Vietnam, Hong-Kong, Belgium, and Luxembourg. The main motive behind the attacks was information theft and as such telecoms companies and universities were targetted. Specific SciTech research labs were also under attack from the Chinese.
The Chinese have played fast and loose with IP law before, and this type of industrial espionage is nothing new. What is new is that they used a tool that was designed by the NSA, which has severely hurt US relations with the rest of the world.
It was a shock when the US was found to be spying on allies, but it is now an even greater problem since malicious actors have used the exactly same malware to hurt those same allies (and the US to boot). This type of irony is not lost on anyone in the information security industry and many think that this is a wake-up call to the US government and regulators at large. Insisting on putting backdoors into the software can have much larger consequences than initially planned. There will always be someone who finds out about it and those who do will not always do the “right thing” like the Shadow Brokers leak.
Transparency is extremely important in software, as is peer review, which is why open-source software is so much safer, though even then some things are missed by the community at large. There are so many hackers out there who live by bug bounties, but many in the industry are positive that they only represent a fraction of the actors on the world stage when it comes to penetration testing.