The theory is that the Buckey group managed to seize the exploits while the NSA was trying to hack targets in China.
In research which was published on Tuesday and leaked to The New York Times prior to publication, Symantec said Buckeye, which appeared to be a Chinese-affiliated group, had been using tools from the NSA — which Symantec referred to as the Equation Group, using nomenclature that has been employed by Kaspersky Lab — to gain persistent access to targets at least a year before the Shadow Brokers leaked a trove of exploits on the Web.
Symantec researchers said the variants of the NSA tools used by Buckeye appeared to differ from those released by the Brokers, indicating that they may have originated from a different source.
EternalBlue was used to craft the WannaCry ransomware which wreaked havoc on companies and organisations in May 2017.
Symantec said Buckeye's use of NSA tools also involved the exploit of a previously unknown Windows zero-day vulnerability which it reported to Microsoft in September 2018 and which was patched in March 2019.
"While Buckeye appeared to cease operations in mid-2017, the Equation Group tools it used continued to be used in attacks until late 2018. It is unknown who continued to use the tools. They may have been passed to another group or Buckeye may have continued operating longer than supposed," the Symantec post said.
Buckeye, which Symantec said was also known as APT3 and Gothic Panda, used a variant of DoublePulsar known as Backdoor.Doublepulsar, from March 2016 onwards, Symantec said. This backdoor was released by the Brokers in 2017.
"There are multiple possibilities as to how Buckeye obtained... [NSA] tools before the Shadow Brokers leak," Symantec wrote.
"Based on the timing of the attacks and the features of the tools and how they are constructed, one possibility is that Buckeye may have engineered its own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack.
"Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye.
"Mystery also surrounds the continued use of the exploit tool and DoublePulsar after Buckeye's apparent disappearance. It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group.
"However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group."
Graphic: courtesy Symantec