Symantec, the company behind Norton Anti-Virus, has released new research about a Chinese hacking group that used a unique version of the NSA-developed DoublePulsar backdoor.
The group, which has been tracked by various information security vendors for many years, was made infamous when its members were charged by US federal authorities in 2017. The group has operated under a variety of names, with Buckeye, APT3, Gothic Panda and UPS among its better-known aliases.

US authorities alleged that the three hackers operated an infosec company by the name of Boyusec, and further alleged that the company is a front for the Chinese Ministry of State Security. It is widely believed that this company was responsible for hacking various Western companies, with prominent names such as Moody's Analytics and Siemens among those mentioned.
The trio was known as an APT (advanced persistent threat) and did not rely heavily on the DoublePulsar backdoor, instead focusing on their own custom tools and finding zero-day exploits on their own. However, in a report Symantec released a couple of days ago, there is definitive proof that the trio had used DoublePulsar long before the backdoor became widely available through the Shadow Brokers leak.

Symantec does say that the group has not used any other NSA tools such as the FuzzBunch framework, which is the go-to tool for NSA agents who wish to deploy DoublePulsar on target machines. The group used its own software, going by the name of Bemstour, instead.
Symantec finds the group's use of DoublePulsar ironic, because their version is noticeably different from the base version that was leaked in April 2017. The only way it could differ, says Symantec, is if the Chinese had not obtained it from the source, which would mean that DoublePulsar was found on Chinese systems and reverse engineered from that point on. It contains code for newer versions of Windows and additional layers of obfuscation, which suggests that the Chinese were not satisfied with the original malware and decided to improve upon it.
The malware was used to deliver a payload that gained persistent access to a variety of organizations around the world. The infections happened in the Philippines, Vietnam, Hong Kong, Belgium, and Luxembourg. The main motive behind the attacks was information theft, and as such telecoms companies and universities were targeted. Specific SciTech research labs were also attacked by the Chinese.
The Chinese have played fast and loose with IP law before, and this type of industrial espionage is nothing new. What is new is that they used a tool designed by the NSA, which has severely hurt US relations with the rest of the world.

It was a shock when the US was found to be spying on allies, but it is now an even greater problem since malicious actors have used the exact same malware to hurt those same allies (and the US to boot). This type of irony is not lost on anyone in the information security industry, and many think that this is a wake-up call to the US government and regulators at large. Insisting on putting backdoors into software can have much larger consequences than initially planned. There will always be someone who finds out about it, and those who do will not always do the "right thing", as the Shadow Brokers leak showed.
Transparency is extremely important in software, as is peer review, which is why open-source software is so much safer, though even then some things are missed by the community at large. There are many hackers out there who live by bug bounties, but many in the industry are certain that they represent only a fraction of the actors on the world stage when it comes to penetration testing.
