Symantec: Chinese Hackers May Have Helped Shadow Brokers With Hacking Tools

The exploits that the Shadow Brokers put online in 2016 and 2017, which they claimed came from the NSA, may have been stolen from the NSA by Chinese state hackers. The theft may have taken place during an NSA attack on China.

Symantec states in an investigative report that the tools released by the Shadow Brokers in 2016 and 2017 had already been used at least a year before by the so-called Chinese Buckeye group, also known as APT3 and Gothic Panda, which conduct hacks for the Chinese Ministry of Foreign Affairs. State security. He is said to have obtained it during an attack by the Equation Group, which allegedly has ties to the NSA, on Buckeye. The tools were eventually used to carry out the extensive WannaCry ransomware attacks on, among others, British healthcare institutions. North Korea was probably behind that.

This would mean that the alleged chain runs from the US NSA, to state hackers in China, to the Shadow Brokers, to North Korea, culminating in an attack on the country that originally developed the exploits and its allies.

Buckeye is said to have the tools up and running at least a year before the Shadow Brokers leak. That group would have resigned in the course of 2017 and three alleged members would have been identified by the American judiciary. However, exploit tools belonging to Buckeye: Bemstour and a variant of DoublePulsar were still used throughout 2017 and 2018.

Symantec bases its suspicion that Buckeye provided the tools and exploits to the Shadow Brokers on the fact that Buckeye itself used variants of these in the months leading up to the Shadow Brokers dump. However, the fact that these are variants leaves open the possibility that the Shadow Brokers obtained the tools in a different way.