Go to listing page

Chinese Group APT31 Used NSA Exploit Three Years Before Shadow Brokers Leak

Chinese Group APT31 Used NSA Exploit Three Years Before Shadow Brokers Leak
APT31, the China-based threat group, has been leveraging NSA’s secret tools before Shadow Brokers leaked them in April 2017. According to a recent report from Check Point, APT31 has been using a zero-day exploit for several years, which is developed by leveraging the functionality of the Equation Group’s EpMe exploit.

What has been discovered?

The EpMe exploit was originally created by Equation Group (NSA's Tailored Access Operations unit) in 2013. APT31 (aka Zirconium) built its own exploit dubbed Jian, by replicating the functionality of the EpMe exploit.
  • APT31 hackers apparently captured 32-bit and 64-bit samples of the Equation Group's EpMe exploit in 2014 to create the Jian exploit.
  • This exploit, alongside other hacking tools, takes advantage of the Windows zero-day bug tracked as CVE-2017-2005
  • The abuse of this vulnerability by Jian was first discovered by Lockheed Martin’s IRT when an exploit sample was spotted running in the wild. Later, it was shared with Microsoft.

A brief about the exploit

  • EpMe is based on the bug CVE-2017-2005, a local privilege escalation bug that affects devices running Windows XP up to Windows 8.
  • This vulnerability allows user privileges escalation after gaining access to targeted devices. 
  • Microsoft patched this security bug in March 2017.

How did APT31 get access to the EpMe exploit?

According to Check Point, the attackers could have obtained access to the exploit sample in one of the following ways:
  • They could have captured it when Equation Group ran a network operation on a Chinese target. 
  • It could happen when Equation Group was working on an operation on a third-party network that was already being monitored by the Chinese APT. 
  • They could have launched an attack on Equation Group infrastructure and then captured the samples.


APT31 is already known for targeting several high-profile victims, however, attack leveraging highly confidential tools for espionage activities suggests the shrewd nature of this APT group. Therefore, It is important for security agencies to keep a strict eye on every movement made by this group to avoid any unpleasant surprises.

Cyware Publisher