A Chinese threat group was using hacking tools developed by the NSA more than a year before Shadow Brokers leaked them in April 2017, tools that were later used in highly destructive attacks such as the WannaCry ransomware campaign from May 2017.
The Buckeye threat group (also known to researchers as Gothic Panda, TG-0110, UPS, and APT3) has been active since at least 2010. Experts credit it with running Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap [1, 2, 3], and with mainly attacking U.S. entities before a sudden switch to Hong Kong targets back in 2015.
The indictment of three APT3 members by the U.S. government in November 2017 is what really brought the group into the spotlight, with the three Chinese hackers being accused of infiltrating the computing systems of Moody’s Analytics, Siemens, and Trimble between 2011 and May 2017.
As unearthed by Symantec, the Chinese-backed Buckeye was using NSA hacking tools 13 months before they were leaked by Shadow Brokers—the hacking group who stole them—in April 2017, together with a "previously unknown Windows zero-day vulnerability that Symantec discovered (which has since been patched by Microsoft)."