Security Market Segment LS
Tuesday, 07 May 2019 11:43

Symantec claims group was using NSA exploits before Brokers' leak

Symantec claims group was using NSA exploits before Brokers' leak Pixabay

A group, which has been given the name Buckeye, was in possession of, and utilising, NSA exploits well before they were leaked on the Web by the Shadow Brokers, the American security firm Symantec claims.

The theory is that the Buckey group managed to seize the exploits while the NSA was trying to hack targets in China

In research which was published on Tuesday and leaked to The New York Times prior to publication, Symantec said Buckeye, which appeared to be a Chinese-affiliated group, had been using tools from the NSA — which Symantec referred to as the Equation Group using nomenclature that has been employed by Kaspersky Lab — to gain persistent access to targets at least a year before the Shadow Brokers leaked a trove of exploits on the Web.

Symantec researchers said the variants of the NSA tools used by Buckeye appeared to differ from those released by the Brokers, indicating that they may have originated from a different source.

To date, there has been no indication as to the identity of the Brokers who first offered exploits for sale in 2016, and later, finding no takers, dumped said exploits which included DoublePulsar, EternalBlue, EternalRomance and EternalSynergy.

EternalBlue was used to craft the WannaCry ransomware which wreaked havoc on companies and organisations in May 2017.

Symantec said Buckeye's use of NSA tools also involved the exploit of a previously unknown Windows zero-day vulnerability which it reported to Microsoft in September 2018 and which was patched in March 2019.

Buckeye Timeline 970x1164

"While Buckeye appeared to cease operations in mid-2017, the Equation Group tools it used continued to be used in attacks until late 2018. It is unknown who continued to use the tools. They may have been passed to another group or Buckeye may have continued operating longer than supposed," the Symantec post said.

Buckeye, which Symantec said was also known as APT3 and Gothic Panda, used a variant of DoublePulsar known as Backdoor.Doublepulsar, from March 2016 onwards, Symantec said. This backdoor was released by the Brokers in 2017.

"There are multiple possibilities as to how Buckeye obtained... [NSA] tools before the Shadow Brokers leak," Symantec wrote.

"Based on the timing of the attacks and the features of the tools and how they are constructed, one possibility is that Buckeye may have engineered its own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack.

"Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye.

"Mystery also surrounds the continued use of the exploit tool and DoublePulsar after Buckeye's apparent disappearance. It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group.

"However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group."

Graphic: courtesy Symantec


You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer


QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments