History of attacks

The Buckeye attack group had been active since at least 2009, when it began mounting a string of espionage attacks, mainly against organizations based in the U.S.

The group has a record of exploiting zero-day vulnerabilities. These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014. Although other zero-day attacks have been reported, they have not been confirmed by Symantec. All zero-day exploits known, or suspected, to have been used by this group are for vulnerabilities in Internet Explorer and Flash.

Timeline of attacks

Beginning in August 2016, a group calling itself the Shadow Brokers began releasing tools it claimed originated from the Equation Group. It initially released samples of the information it had, offering the full trove to the highest bidder. Over the following months, it progressively released more tools, until April 2017, when it released a final, large cache of tools, including the DoublePulsar backdoor, the FuzzBunch framework, and the EternalBlue, EternalSynergy, and EternalRomance exploit tools.

However, Buckeye had already been using some of these leaked tools at least a year beforehand. The earliest known use of Equation Group tools by Buckeye is March 31, 2016, during an attack on a target in Hong Kong. During this attack, the Bemstour exploit tool was delivered to victims via known Buckeye malware (Backdoor.Pirpi). One hour later, Bemstour was used against an educational institution in Belgium.

Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed. It is worth noting that earlier versions did not include any means of uninstalling the DoublePulsar implant. This functionality was added in later versions.

A significantly improved variant of the Bemstour exploit tool was rolled out in September 2016, when it was used in an attack against an educational institution in Hong Kong. While the original variant was only capable of exploiting 32-bit systems, the new variant could exploit both 32-bit and 64-bit targets, adding support for newer Windows versions. Another new feature of the payload in the second variant allowed the attacker to execute arbitrary shell commands on the infected computer. This custom payload is also designed to copy arbitrary files and execute arbitrary processes on the targeted computer. When used against 32-bit targets, Bemstour still delivered the same DoublePulsar backdoor. However, against 64-bit targets it delivered only the custom payload. The attackers typically used it to execute shell commands that created new user accounts.

Bemstour was used again in June 2017 in an attack against an organization in Luxembourg. Unlike earlier attacks, in which Bemstour was delivered using Buckeye’s Pirpi backdoor, in this attack Bemstour was delivered to the victim by a different backdoor Trojan (Backdoor.Filensfer). Between June and September 2017, Bemstour was also used against targets in the Philippines and Vietnam.

Development of Bemstour has continued into 2019. The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23, 2019, eleven days after the zero-day vulnerability was patched by Microsoft.

The purpose of all the attacks was to acquire a persistent presence on the victim’s network, meaning information theft was the most likely motive of the attacks.