Jian – How the Chinese APT31 stole and used an unknown Equation Group 0-Day (checkpoint.com)
32 points by Megabeets 12 days ago | 6 comments

Can someone who understands this summarise it for those less in-the-know?


APT31 - a name given to an attack group that is attributed to China.

Equation Group - a name given to an APT group which is believed to be the Tailored Access Operations (TAO) unit of the NSA. The unit is now named "Computer Network Operations" (CNO).

Jian - a name that was given to a 0-Day exploit that was attributed to the Chinese-affiliated attack group.

0-Day - a vulnerability that is unknown to the public or to the relevant vendor (e.g. Microsoft).

0-Day Exploit - an exploit that is directed at a zero-day.


In this story, we claim that the Chinese APT acquired the Equation Group exploit somewhere around 2014, cloned it into their own version (Jian), and used it until it was finally caught in 2017.

Interestingly, the 0-Day was reported to Microsoft by Lockheed Martin's Incident Response team. This might suggest that the Chinese APT might have used it to attack American targets.

I tried to summarize the highlights in a less technical lingo in a Twitter thread: https://twitter.com/megabeets_/status/1363807746815066113

In short: Chinese hacker (APT31) stole NSA hack tool (EpMe), repurposed it (Jian) to target US company (Microsoft).

Was it Microsoft, though?

It was not Microsoft. The exploit was reported to Microsoft by Lockheed Martin's Incident Response team.

I found this to match your request:

Together with additional artifacts that match Equation Group artifacts and habits shared between all exploits even as far back as 2008, we can safely conclude the following:

- Equation Group’s EpMe exploit, existing since at least 2013, is the original exploit for the vulnerability later labeled CVE-2017-0005.

- Somewhere around 2014, APT31 managed to capture both the 32-bit and 64-bit samples of the EpMe Equation Group exploit.

- They replicated them to construct “Jian”, and used this new version of the exploit alongside their unique multi-staged packer.

- Jian was caught by Lockheed Martin’s IRT and reported to Microsoft, which patched the vulnerability in March 2017 and labeled it CVE-2017-0005.


CheckPoint (the firewall company) analysed the #R@$$ out of exploits used by the NSA (Equation Group) and the Chinese equivalent (APT31) and found that the latter captured & reused the exploit of the first, making a point that "There is a theory which states that if anyone will ever manage to steal and use nation-grade cyber tools, any network would become untrusted, and the world would become a very dangerous place to live in."
