A National Security Agency (NSA) hacking tool was stolen by Chinese hackers in 2014 and used against US targets, according to researchers.
The NSA is tasked with protecting US digital communications and resources, as well as trying to crack the communications of entities the US considers hostile. The agency also engages in signals intelligence gathering, both foreign and domestic. As part of its activities, the NSA develops tools to help it crack encryption and hack into systems. The NSA's Tailored Access Operations (TAO) unit, also known as the “Equation Group,” is primarily responsible for the latter realm of operations.
According to researchers at Check Point Research, one of the Equation Group’s tools appears to have been stolen by Chinese hackers in 2014. The group responsible, APT31, is a Chinese state-sponsored hacking group.
This isn’t the first time NSA tools have been suspected of being stolen and used. In 2017, a group called the “Shadow Brokers” managed to gain access to and leak Equation Group tools. What makes this latest revelation so interesting, and disturbing, is that it predates the Shadow Brokers leak by more than two years.
APT31 modified the NSA’s code to create its own version of the exploit, called “Jian.”
We began by analyzing “Jian”, the Chinese (APT31 / Zirconium) exploit for CVE-2017-0005, which was reported by Lockheed Martin’s Computer Incident Response Team. To our surprise, we found out that this APT31 exploit is in fact a reconstructed version of an Equation Group exploit called “EpMe”. This means that an Equation Group exploit was eventually used by a Chinese-affiliated group, probably against American targets.
Check Point Research came to some disturbing conclusions regarding exactly how APT31 gained access to the NSA code.
The case of EpMe / Jian is different, as we clearly showed that Jian was constructed from the actual 32-bit and 64-bit versions of the Equation Group exploit. This means that in this scenario, the Chinese APT acquired the exploit samples themselves, in all of their supported versions. Having dated APT31’s samples to 3 years prior to the Shadow Brokers’ “Lost in Translation” leak, our estimate is that these Equation Group exploit samples could have been acquired by the Chinese APT in one of these ways:
- Captured during an Equation Group network operation on a Chinese target.
- Captured during an Equation Group operation on a 3rd-party network which was also monitored by the Chinese APT.
- Captured by the Chinese APT during an attack on Equation Group infrastructure.
Needless to say, it’s disconcerting that an agency with the goal of protecting US communications seems to have such difficulty keeping its most dangerous tools secure — tools that end up being used against the very targets it’s tasked with protecting.