NSA hacking tools were leaked by Chinese hackers since 2016

In 2017, a group of hackers identified as Shadow Brokers leaked a set of the most sophisticated hacking tools developed by the U.S. National Security Agency (NSA); cybersecurity specialists point out that these tools were later used in NotPetya and WannaCry attack campaigns, which are two variants of highly aggressive malware that crippled operations in hundreds of companies around the world.

Recently, cybersecurity experts reported that two of the hacking tools leaked by Shadow Brokers had already been used in cyberattacks that occurred in March 2016, a year before Shadow Brokers leaked them.

According to the reports, Buckeye, another group of hackers active at least since 2010, managed to obtain a variant of the “DoublePulsar” backdoor developed by the NSA; the group also obtained an exploit to install the backdoor remotely. As expected, this incident has spawned a new wave of criticism against the NSA.

Cybersecurity specialists consider that this kind of incident should force the NSA to rethink its software management policy, as it is common practice among NSA officials and developers to privately store multiple exploits and other confidential tools.

It is still unknown how this group of hackers got access to these tools, although experts believe it is possible that Buckeye reverse-engineered them from one of the attacks the NSA carried out on its own infrastructure.

Security features in newer versions of Windows force threat actors to exploit two different vulnerabilities in order to install the DoublePulsar backdoor. With the NSA tools, both the agency and the hackers first exploited the vulnerability CVE-2017-0143 to corrupt Windows memory and then exploited a second flaw to disclose the memory layout of the attacked system.

According to experts from the International Institute of Cyber Security (IICS), Buckeye’s first attack using the NSA tools was recorded on March 31, 2016 against a target in Hong Kong. After installing the backdoor, a secondary payload was installed to ensure persistence on the system even if a restart occurred and DoublePulsar stopped running.
