According to a recent blog post by Symantec, a Chinese cyber espionage group was using NSA hacking tools before the Shadow Brokers released them. The tools themselves were developed by the NSA (the actor Symantec tracks as the Equation Group), not by the Chinese group.
Symantec found evidence that the Buckeye cyber espionage group (aka APT3, Gothic Panda) began using Equation Group tools in hacking attacks at least a year prior to the Shadow Brokers leak.
Beginning in March 2016, Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar), a backdoor that was subsequently released by the Shadow Brokers in 2017. DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar.
Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers. One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec. The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak.
The zero-day (CVE-2019-0703) is an information disclosure vulnerability: on its own it only leaks information, but chained with other vulnerabilities it can be used to attain remote kernel code execution. Symantec reported it to Microsoft in September 2018, and it was patched on March 12, 2019.
How Buckeye obtained Equation Group tools at least a year before the Shadow Brokers leak remains unknown. The tools were developed by the NSA, and the vulnerabilities they exploit were not publicly disclosed until after the leak, so Buckeye's copies did not come from any public source.
Buckeye disappeared in mid-2017, and three alleged members of the group were indicted in the U.S. in November 2017. However, while activity involving known Buckeye tools ceased in mid-2017, the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018, in conjunction with different malware.