
Buckeye group used Equation Group tools pre-Shadow Brokers

Published: Tue 7 May 2019 01:39 PM
Symantec Threat Intelligence: Buckeye attack group used Equation Group tools pre-Shadow Brokers leak
Today, Symantec released new research revealing the Buckeye (aka APT3 and Gothic Panda) attack group was using Equation Group tools to gain persistent access to target organisations at least a year prior to the Shadow Brokers leak. The variants of the Equation Group tools used by Buckeye appear to be newer and modified compared to those released by Shadow Brokers.
This marks the first time Symantec has seen a case—long referenced in theory—of an attack group recovering otherwise unknown exploits and tools used against them to subsequently attack others.
Of note, Buckeye’s use of Equation Group tools also involved the exploitation of a previously unknown Windows zero-day vulnerability that Symantec discovered (which has since been patched by Microsoft).
While Buckeye appeared to cease operations in mid-2017 and three alleged members of the group were indicted by the U.S. Department of Justice in November 2017, the Equation Group tools associated with Buckeye specifically continued to be used in attacks until late 2018.
Symantec’s full research can be found here.
