China Hijacked an NSA Hacking Tool—and Used It for Years

More than four years after a mysterious group of hackers known as the Shadow Brokers began wantonly leaking secret NSA hacking tools onto the internet, the question that debacle raised—whether any intelligence agency can prevent its “zero-day” stockpile from falling into the wrong hands—still haunts the security community. That wound has now been reopened, with evidence that Chinese hackers obtained and reused another NSA hacking tool years before the Shadow Brokers brought it to light.

On Monday, the security firm Check Point revealed that it had discovered evidence that a Chinese group known as APT31, also known as Zirconium or Judgment Panda, had somehow gained access to and used a Windows-hacking tool known as EpMe created by the Equation Group, a security industry name for the highly sophisticated hackers widely understood to be a part of the NSA. According to Check Point, the Chinese group in 2014 built their own hacking tool from EpMe code that dated back to 2013. The Chinese hackers then used that tool, which Check Point has named “Jian” or “double-edged sword,” from 2015 until March 2017, when Microsoft patched the vulnerability it attacked. That would mean APT31 had access to the tool, a “privilege escalation” exploit that would allow a hacker who already had a foothold in a victim network to gain deeper access, long before the late 2016 and early 2017 Shadow Brokers leaks.

Only in early 2017 did Lockheed Martin discover China’s use of the hacking technique. Because Lockheed has largely US customers, Check Point speculates that the hijacked hacking tool may have been used against Americans. “We found conclusive evidence that one of the exploits that the Shadow Brokers leaked had somehow already gotten into the hands of Chinese actors,” says Check Point’s head of cyber research Yaniv Balmas. “And it not only got into their hands, but they repurposed it and used it, likely against US targets.”

A source familiar with Lockheed Martin’s cybersecurity research and reporting confirms to WIRED that the company found the Chinese hacking tool being used in a US private sector network—not its own or part of its supply chain—that was not part of the US defense industrial base, but declined to share more details. An email from a Lockheed Martin spokesperson responding to Check Point’s research states only that the company’s “cybersecurity team routinely evaluates third-party software and technologies to identify vulnerabilities and responsibly report them to developers and other interested parties.”

Check Point’s findings aren’t the first time that Chinese hackers have reportedly repurposed an NSA hacking tool—or at least, an NSA hacking technique. Symantec in 2018 reported that another powerful Windows zero-day vulnerability, exploited in the NSA hacking tools EternalBlue and EternalRomance, had also been repurposed by Chinese hackers prior to their disastrous exposure by the Shadow Brokers. But in that case, Symantec noted that it didn’t seem that the Chinese hackers actually gained access to the NSA’s malware. Instead, it appeared they had seen the agency’s network communications and reverse engineered the techniques it used to build their own hacking tool.

APT31’s Jian tool, by contrast, appears to have been built by someone with hands-on access to the Equation Group’s compiled program, Check Point’s researchers say, in some cases duplicating arbitrary or nonfunctional parts of its code. “The Chinese exploit copied some part of the code, and in some cases they seem like they didn’t really understand what they copied and what it does,” says Check Point researcher Itay Cohen.

While Check Point states with certainty that the Chinese group took its Jian hacking tool from the NSA, there’s some room for debate as to its origins, says Jake Williams, the founder of Rendition Infosec and a former NSA hacker. He points out that Check Point reconstructed that code’s history by looking at compile times, which could be faked. There could even be a missing, earlier sample that shows the tool originated with the Chinese hackers and was taken by the NSA, or even that it started with a third hacker group. “I think they have a field-of-view bias by saying this was definitely stolen from NSA,” Williams says. “But for whatever it’s worth, if you forced me to put money on who had it first, I’d say NSA.”