Chinese Spies Took the NSA's Hacking Tools and Used Them For Attacks

According to Symantec, a Chinese spy group had been using NSA malware for over a year before the Shadow Brokers leaked the same exploits online, exposing them to the whole world. The group became well known after US authorities charged three hackers in late 2017. The US alleged that a cyber-security company, Boyusec, was acting as a front for the Chinese Ministry of State Security and had hacked western companies such as Moody's Analytics, Siemens, and Trimble.

Now, Symantec claims it has discovered evidence that the same group also used NSA-developed malware long before that malware became widely available. Per a graphic released by Symantec, the Buckeye group had been using a version of the DoublePulsar backdoor since March 2016, more than 13 months before it was leaked online.

[Figure: Buckeye timeline]

Symantec claims that the Buckeye group "typically used DoublePulsar to execute shell commands that created new user accounts," apparently without realizing the advanced stealth features DoublePulsar possessed, which would have allowed the hackers to carry out many other operations while remaining hidden.

[Figure: Buckeye infographic]

The Buckeye group stopped using their version of the DoublePulsar backdoor in mid-2017, after other leaked NSA tools (such as the EternalBlue exploit) had gained international notoriety through their use in some of the world's biggest cyber-incidents, such as the WannaCry and NotPetya ransomware outbreaks. This was likely because, by that point, most cyber-security vendors were capable of detecting DoublePulsar infections, making the group's version of DoublePulsar ineffective.

The infosec community believes that the Buckeye group found the backdoor after the NSA deployed it on Chinese systems.

The NSA was apparently using the malware against Chinese systems... The Chinese repurposed it and turned around and began using it themselves.