Chinese intelligence agents stole hacking tools from the National Security Agency (NSA) and used them in cyberattacks against targets in the U.S., Europe and Asia, cybersecurity experts have found.
Symantec researchers say the spies then repurposed the tools in order to wage several attacks on U.S. targets in 2016, including highly sensitive defense targets, such as technology companies in the space, satellite and nuclear industries, according to a New York Times report on Monday.
The activities were carried out by hackers identified as contractors for the Chinese government, a group that researchers labeled “the Buckeye group.” The group has been active since at least 2009. Three hackers with connections to the group were indicted by the U.S. Department of Justice in 2017.
“This is the first time we’ve seen a case — that people have long referenced in theory — of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others,” Eric Chien, a security director at Symantec, told the Times.
China was attacked by NSA hackers — and grabbed their hacking tools, then used them against many targets. A tale from the digital wild west, where there aren’t a lot of rules. With @nicoleperlroth and @SangerNYT https://t.co/n9cVscFQTF
— Scott Shane (@ScottShaneNYT) May 7, 2019
The hackers used the hijacked tools in other cyberattacks on a range of targets in Belgium, Hong Kong, Luxembourg, the Philippines and Vietnam. The targets came from very different sectors: some were schools, while others were scientific research organizations.
Symantec added that a single attack on a major telecommunications network could yield hundreds of thousands or millions of communications that end up in China’s hands.
The tools were later dumped online by a group only known as “the Shadow Brokers.” North Korean and Russian hackers reportedly picked up the tools and used them in their own cyberattacks.
Researchers are still trying to determine how the Buckeye group acquired the tools, since the group appears to have begun using them in March 2016, meaning it somehow acquired them before the August 2016 leak by the Shadow Brokers.
“We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies,” Chien said.
Shadow Brokers then dumped a collection of stolen NSA exploits in April 2017.
It’s not the first time that hacking tools of U.S. intelligence agencies have been stolen and acquired by foreign nations.
After the NSA used complex malware in an attack on Iran’s nuclear centrifuges, the agency later discovered the code being used globally, including in an attack against U.S. company Chevron.
Last week’s Department of Defense report stated that China’s “cyber-enabled campaigns threaten to erode U.S. military advantages and imperil the infrastructure and prosperity on which those advantages rely.”