Chinese Shadow Brokers Hacking Group Copied Windows Zero-Day Exploit Belonging to NSA’s Equation Group

Chinese Shadow Brokers Hacking Group Copied Windows Zero-Day Exploit Belonging to NSA’s Equation Group

Chinese threat actors "cloned" and used a Windows zero-day exploit stolen from the NSA's Equation Group for years before the privilege escalation flaw was patched, researchers say. 

On Monday, Check Point Research (CPR) said the tool was a "clone" of software developed by the US National Security Agency (NSA)'s Equation Group, identified by FireEye in 2015 and described as "one of the most sophisticated cyberattack groups in the world."


Thought to be active since at least 2001, Equation Group has since been linked to the US intelligence agency's Tailored Access Operations (TAO) unit. 


The Shadow Brokers hacking group released tools and files belonging to Equation Group in 2017, some of which were used to exploit previously-unknown bugs in popular systems including Microsoft Windows -- forcing vendors to issue a flurry of emergency patches and fixes to render the exploit tools useless. 


In the same year, Microsoft released a patch for CVE-2017-0005, a zero-day vulnerability in Windows XP to Windows 8 operating systems that could be used for privilege escalation and full system compromise.


Originally, it was thought that a tool created to exploit CVE-2017-0005 was the work of a Chinese advanced persistent threat group (APT) dubbed APT31, also known as Zirconium.


However, Check Point now says that the tool, called Jian, was actually a clone of software used by Equation Group and was being actively utilized between 2014 and 2017 -- years before the ..