More than four years after a mysterious group of hackers known as the Shadow Brokers began leaking the NSA's secret hacking tools onto the internet, the question raised by that debacle still haunts the security community: can an intelligence agency keep its stockpile of "zero-day" exploits from falling into the wrong hands? That wound has now been reopened, with evidence that Chinese hackers obtained and reused another NSA hacking tool years before the Shadow Brokers revealed it.
On Monday, security firm Check Point revealed that it had found evidence that a Chinese group known as APT31, also known as Zirconium or Judgment Panda, had somehow gained access to and used a Windows hacking tool known as EpMe, created by the Equation Group, the security industry's name for the highly sophisticated hackers widely understood to be part of the NSA. According to Check Point, the Chinese group built its own hacking tool in 2014 from EpMe code dating to 2013. The Chinese hackers then used that tool, which Check Point named "Jian" after the double-edged sword, from 2015 until March 2017, when Microsoft patched the vulnerability it attacked. That would mean APT31 had access to the tool, a "privilege escalation" exploit that lets a hacker who already has a foothold in a victim's network gain deeper access, long before the Shadow Brokers leaks of late 2016 and early 2017.
It wasn't until early 2017 that Lockheed Martin discovered China's use of the hacking technique. Because Lockheed's customers are largely American, Check Point speculates that the hacking tool may have been used against US targets. "We found conclusive evidence that one of the exploits disclosed by the Shadow Brokers had already fallen into the hands of Chinese actors," said Yaniv Balmas, head of cyber research at Check Point. "And not only did it get into their hands, but they repurposed it and used it, probably against US targets."
The Check Point findings aren't the first time Chinese hackers have been reported to repurpose an NSA hacking tool, or at least an NSA hacking technique. Symantec in 2018 reported that another powerful Windows zero-day vulnerability, exploited in the NSA hacking tools EternalBlue and EternalRomance, had also been reused by Chinese hackers before the tools' disastrous exposure by the Shadow Brokers. In that case, however, Symantec noted that the Chinese hackers did not appear to have had access to the NSA malware itself. Instead, they appear to have observed the agency's network communications and reverse engineered the technique to build their own hacking tool.
APT31's Jian tool, on the other hand, appears to have been built by someone with direct access to the Equation Group's compiled program, the Check Point researchers say, in some cases duplicating arbitrary or non-functional parts of its code. "The Chinese exploit copied some of the code, and in some cases they don't seem to really understand what they copied and what it is doing," says Itay Cohen, a researcher at Check Point.
While Check Point is confident that the Chinese group took its Jian hacking tool from the NSA, there is room for debate over its origins, says Jake Williams, founder of Rendition Infosec and a former NSA hacker. He points out that Check Point reconstructed the history of the code by comparing the compilation timestamps embedded in the binaries, which can be forged. There might even be an earlier, missing sample showing that the tool was created by Chinese hackers and taken by the NSA, or that it originated with a third group of hackers altogether. "I think they have a field of view bias saying it was definitely stolen from the NSA," Williams says. "But for what it's worth, if you made me put money on who got it first, I'd say NSA."