APT31 - a name given to an attack group that is attributed to China.
Equation Group - a name given to an APT group which is believed to be the Tailored Access Operations (TAO) unit of the NSA. The unit is now named "Computer Network Operations" (CNO).
Jian - the name given to a 0-Day exploit that was attributed to the Chinese-affiliated attack group (APT31).
0-Day - a vulnerability that is unknown to the public or to the relevant vendor (e.g. Microsoft).
0-Day Exploit - an exploit that targets a 0-Day vulnerability.
In this story, we claim that the Chinese APT acquired the Equation Group exploit somewhere around 2014, cloned it into their own version (Jian), and used it until it was finally caught in 2017.
Interestingly, the 0-Day was reported to Microsoft by Lockheed Martin's Incident Response team. This might suggest that the Chinese APT used it to attack American targets.
I tried to summarize the highlights in less technical lingo in a Twitter thread: https://twitter.com/megabeets_/status/1363807746815066113
Together with additional artifacts that match Equation Group artifacts and habits shared across all of their exploits, going as far back as 2008, we can safely conclude the following:
- Equation Group’s EpMe exploit, existing since at least 2013, is the original exploit for the vulnerability later labeled CVE-2017-0005.
- Somewhere around 2014, APT31 managed to capture both the 32-bit and 64-bit samples of the EpMe Equation Group exploit.
- They replicated them to construct “Jian”, and used this new version of the exploit alongside their unique multi-staged packer.
- Jian was caught by Lockheed Martin’s IRT and reported to Microsoft, which patched the vulnerability in March 2017 and labeled it CVE-2017-0005.
Check Point (the firewall company) analysed the #R@$$ out of the exploits used by the NSA (Equation Group) and its Chinese equivalent (APT31) and found that the latter captured and reused the exploit of the former, making the point that "There is a theory which states that if anyone will ever manage to steal and use nation-grade cyber tools, any network would become untrusted, and the world would become a very dangerous place to live in."