Large portions of APT3’s remote code-execution package were likely reverse-engineered from prior attack artifacts.

The advanced persistent threat (APT) group known as APT3, which researchers across the board link to the Chinese government, has built a full in-house battery of exploits and cybertools collectively dubbed “UPSynergy.” An analysis of the toolkit has uncovered a geopolitical cat-and-mouse spy game: It turns out that many parts of the package are likely gleaned from watching attacks by the National Security Agency’s Equation Group APT on target networks where APT3 also has a presence.

Prior research from Symantec shows that APT3 was able to acquire a variant of the NSA-developed cyberweapon known as EternalRomance – prior to the Shadow Brokers leak of the spy agency’s arsenal in 2017. It has been a bit of a mystery as to how APT3 accomplished that – but research from Check Point offers a hypothesis.