In mid-2016, a hacker group called The Shadow Brokers publicly released a series of hacking tools, cyber weapons and exploits “0-day”That would have come from the Equation Group, a hacker group that would be affiliated with Tailored Access Operations (TAO), a unit of the US government's National Security Agency (NSA).

Extremely sophisticated, these tools targeted corporate firewalls, antivirus software and Microsoft products. Once on the loose, they gave rise to malware like WannaCry e NotPetya. Both were responsible for two large-scale cyberattacks in 2016 and 2017, which affected thousands of computers and caused hundreds of thousands of dollars of damage to companies around the world.


But according to security company Check Point Research, this was not the only time that cyber-weapons developed by the US government fell into the hands of others. A recent analysis claims that an Equation Group exploit called EpMe was in the hands of a Chinese hacker group called APT31, and was used against American companies, years before the incident with The Shadow Brokers.

Like EquationGroup, APT31 would also be linked to a government, the Chinese, and its main purpose would be to steal information and intellectual property from opponents.

According to Check Point, the EpMe files were in the hands of APT31 two years before the Shadow Brokers incident, that is, since 2014. A Chinese variant of EpMe was in use since 2015 and was named by Jian's Check Point .

Timeline details the main moments in the history of EpMe / Jian, a US cyber weapon that was captured by the Chinese.
EpMe / Jian timeline. Image: Checkpoint Research

The name is a reference to a double-edged Chinese sword, used over 2.500 years ago. It alludes to the fact that the exploit was created to attack US enemies, but has turned against companies in the country.


Jian would have been used for two years, until 2017, when the American company's incident response team Lockheed Martin reported an attempted attack to Microsoft.

Interestingly, one of the “0-day” bugs used by the exploit was fixed by Microsoft in 2017, without an identifier in the Common Vulnerabilities and Exposures (CVE) database, used to identify security flaws.

CheckPoint Research's analysis is quite extensive and technical, and points out the numerous similarities between EpMe and Jian, both in their source code and in the mode of operation.

According to the company, the US exploit could have fallen into the hands of the Chinese in three ways: captured during an Equation Group operation against a Chinese target, captured during an Equation Group operation against an unidentified “third”, whose network was being monitored by APT31, or captured during an attack on the Equation Group infrastructure.

Source: Check Point Research