More than four years after a mysterious group of hackers known as the Shadow Brokers inexplicably began leaking secret NSA hacking tools onto the Internet, the question that debacle raised, whether an intelligence agency can prevent its stockpile of zero-day exploits from falling into the wrong hands, still haunts the security community. That wound has now been reopened, with evidence that Chinese hackers obtained and reused another NSA hacking tool years before the Shadow Brokers brought it to light.
On Monday, security firm Check Point revealed that it had uncovered evidence that a Chinese group known as APT31, also known as Zirconium or Judgment Panda, somehow gained access to a Windows hacking tool called EpMe created by the Equation Group, the security industry's name for a highly sophisticated set of hackers widely understood to be part of the NSA. According to Check Point, the Chinese group in 2014 built its own hacking tool from EpMe code dating back to 2013. The Chinese hackers then used that tool, which Check Point has named "Jian" or "double-edged sword", from 2015 until March 2017, when Microsoft patched the vulnerability it attacked. This would mean that APT31 had access to the tool, a "privilege escalation" exploit that lets a hacker who already has a foothold in a victim's network gain deeper access, long before the Shadow Brokers leaks of late 2016 and early 2017.
It wasn't until early 2017 that Lockheed Martin discovered China's use of the hacking technique. Because Lockheed's customers are largely American, Check Point speculates that the hijacked tool may have been used against Americans. "We found conclusive evidence that one of the exploits disclosed by the Shadow Brokers had already fallen into the hands of Chinese actors," said Yaniv Balmas, head of cyber research at Check Point. "And it not only came into their hands, but they repurposed it and used it, probably against American targets."
A source familiar with Lockheed Martin's cybersecurity research and reporting confirms to WIRED that the company discovered the Chinese hacking tool in use on a US private sector network (not its own, nor part of its supply chain) that was not part of the US defense industrial base, but declined to share further details. An email from a Lockheed Martin spokesperson responding to Check Point's research states only that "the company's cybersecurity team routinely evaluates third-party software and technologies to identify vulnerabilities and responsibly report them to developers and other interested parties."
The Check Point findings aren't the first time Chinese hackers have repurposed an NSA hacking tool, or at least an NSA hacking technique. Symantec reported in 2018 that another powerful Windows zero-day vulnerability, exploited by the NSA hacking tools EternalBlue and EternalRomance, had also been reused by Chinese hackers before their disastrous exposure by the Shadow Brokers. In that case, however, Symantec noted that the Chinese hackers did not appear to have had actual access to the NSA malware. Instead, they seem to have observed the agency's network communications and reverse engineered the techniques in use to build their own hacking tool.
APT31's Jian tool, by contrast, appears to have been built by someone with hands-on access to the Equation Group's compiled program, the Check Point researchers say, in some cases duplicating arbitrary or non-functional parts of its code. "The Chinese exploit copied some of the code, and in some cases they don't seem to have really understood what they copied and what it does," says Itay Cohen, a researcher at Check Point.
While Check Point is confident that the Chinese group took its Jian hacking tool from the NSA, there is room for debate about its origins, says Jake Williams, founder of Rendition Infosec and a former NSA hacker. He points out that Check Point reconstructed the history of the code by examining compilation times, which could be falsified. There could even be an earlier, missing sample showing that the tool was created by Chinese hackers and taken by the NSA, or that it originated with a third group of hackers altogether. "I think they have a field-of-view bias in saying it was definitely stolen from the NSA," Williams says. "But for what it's worth, if you made me put money on who had it first, I'd say the NSA."