Chinese hackers may have derived their hacking tools from ones stolen from the U.S. National Security Agency (NSA) in 2014 and copied, then used against U.S. targets for three years before discovery, according to a new report by the U.S.-Israeli cybersecurity firm Check Point.
On Monday, Check Point Research published a report detailing how a hacking tool used by Chinese government-linked hacking group APT 31 may have actually been derived from a hacking exploit known as EpMe which was linked to the NSA. The tool was similar to a hacking exploit leaked from the NSA in 2013 and this discovery could change the timeline for how long China has used the hacking tools against U.S. targets.
“The naming convention of the files and their context immediately caught us by surprise,” Check Point wrote. “We recognized them as part of the Shadow Brokers’ ‘Lost in Translation’ leak of Equation Group tools. Equation Group is the name given to an APT group which is believed to be the Tailored Access Operations (TAO) unit of the NSA.”
The hacking group APT 31, also known as Zirconium, was previously identified as the likely suspects behind a hacking exploit discovered by the cybersecurity team for U.S.-defense contractor Lockheed Martin and patched in March 2017. Lockheed Martin’s discovery of the hacking tool is indicative of the tool being used against U.S. targets. Check Point said APT 31’s hacking tool, called caught-in-the-wild exploit of CVE-2017-0005 or “Jian,” is actually a replica of the NSA Equation Group’s EpMe hacking tool.
“To our surprise, we found out that this APT31 exploit is in fact a reconstructed version of an Equation Group exploit called ‘EpMe,'” Check Point wrote. “This means that an Equation Group exploit was eventually used by a Chinese-affiliated group, probably against American targets.”
Check Point noted Chinese hacking groups have replicated NSA hacking tools in the past, but have only done so through captured computer network traffic they could then use to piece together the hacking tools.
“The case of EpMe / Jian is different, as we clearly showed that Jian was constructed from the actual 32-bits and 64-bits versions of the Equation Group exploit,” Check Point wrote. “This means that in this scenario, the Chinese APT acquired the exploit samples themselves, in all of their supported versions.”
Check Point believes APT 31 acquired the hacking tool in one of three ways; by recording the tools from an Equation Group operation against a Chinese target, by capturing the tool from an Equation Group operation on a third-party target China was also monitoring, or by a direct hacking attack on the Equation Group itself.
While Check Point believes the Jian hacking tool was copied from the NSA, that conclusion may require further scrutiny. Jake Williams, the founder of Rendition Infosec and a former NSA hacker, told WIRED magazine that Check Point reached its conclusions based on its own reconstruction of the hacking code’s history, by looking at code compile timelines, which he said can be faked. It is also possible that the NSA derived the hacking tool by replicating it from a different hacking group including China itself, or some other third party hacking group.
“I think they have a field-of-view bias by saying this was definitely stolen from NSA,” Williams told WIRED. “But for whatever it’s worth, if you forced me to put money on who had it first, I’d say NSA.”
Check Point’s head of cyber research Yaniv Balmas told WIRED that the discovery of China’s Jian hacking tool, and its potential NSA origin, raises concerns about the hacking tools falling into the wrong hands. Jian is the name for a Chinese double-edged sword and Balmas said the name is appropriate, “This is exactly the definition of a double-edged sword.”