Chinese state hackers cloned and started using an NSA zero-day exploit almost three years before the Shadow Brokers hacker group publicly leaked it in April 2017.

EpMe is the original exploit created by Equation Group around 2013 for a Windows zero-day bug tracked as CVE-2017-2005. Because it is a local privilege escalation (LPE) bug affecting devices running Windows XP up to Windows 8, the vulnerability was used to escalate Windows user privileges after an attacker had already gained access to a targeted device.

Microsoft patched this security bug in March 2017 and attributed active exploitation to the Chinese-backed APT31 hacking group.

Stolen, cloned, and weaponized

However, APT31 (also tracked as Zirconium) built their exploit, dubbed Jian, by replicating the functionality of the EpMe exploit stolen from the Equation Group (NSA’s Tailored Access Operations (TAO) unit), as Check Point researchers revealed in a report published today.

“To our surprise, we found out that this APT31 exploit is in fact a reconstructed version of an Equation Group exploit called ‘EpMe’,” Check Point said. “This means that an Equation Group exploit was eventually used by a Chinese-affiliated group, probably against American targets.”

This was made possible after the Chinese state hackers captured 32-bit and 64-bit samples of the Equation Group’s EpMe exploit. Once replicated, the zero-day exploit was used by APT31 alongside other hacking tools in their arsenal, including the group’s multi-staged packer.

Microsoft patched the vulnerability Jian was designed to abuse only after Lockheed Martin’s IRT found an exploit sample in the wild and shared it with Microsoft.

