UPDATED 14:14 EST / MAY 07 2019

SECURITY

Symantec: NSA hacking tools fell into the hands of Chinese spies

Cybersecurity firm Symantec Corp. revealed Monday that cyberwarfare hacking tools developed by the U.S. National Security Agency have been repurposed and used by Chinese intelligence agents.

In the field of cybersecurity, as with any other data- and information-related industry, tools can be stolen and reverse-engineered. In the case of the NSA’s hacking tools, Symantec announced that the tools were repurposed in 2016 and used to attack the U.S. allies and various private businesses in Europe and Asia.

According to Symantec, based on research of the code it appears that the Chinese government did not steal the tools directly, but instead captured it during an attack on its systems.

A story in the New York Times cited a classified agency memo that said that the intelligence group that captured the code is considered one of the most dangerous Chinese contractors tracked by the NSA. Attacks this group is considered responsible for have targeted sensitive defense targets inside the US, including space, satellite and nuclear propulsion technology companies.

The tools, belonging to a hacking team known as the Equation Group, included many exploits for different computer systems that would allow attackers to take persistent control over machines. Named by Moscow-based Kaspersky Lab, the Equation Group was found to have clear NSA ties and had been part of numerous cyberattacks across the world for over a decade.

The tools were first discovered in the wild when they were released onto the internet by a hacker group known as the Shadow Brokers, who attempted to auction off the tools after claiming to have stolen them.

The information from Symantec reveals, however, that the tools were in use earlier than the Shadow Brokers claimed to have access to them, though there is no evidence of any connection between the Shadow Brokers and the actions of the Chinese government.

According to the Times, the repurposed tools have been used by the Chinese to attack targets in Belgium, Hong Kong, Luxembourg, the Philippines and Vietnam.

“This is the first time we’ve seen a case — that people have long referenced in theory — of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others,” Eric Chien, a security director at Symantec, told the Times.

The Symantec research does not directly cite the Chinese government, but instead mentions “the Buckeye cyber espionage group,” a team of hackers connected to cyber attacks identified as contractors for China.

So far, it appears that Buckeye, although in possession of the attack tools, had not turned them against the U.S. Symantec researchers believe there may be two possible reasons for this: the group may have assumed the U.S. already has defenses against its own tools and that the group did not want to reveal it had access to the stolen tools.

Amid the tools include an exploit called EternalBlue, which was used during the May 2017 WannaCry ransomware attacks. Another included a backdoor tool called Doublepulsar, an exploit that allows an attacker administrative access to a machine secretly, it could be delivered using a custom attack tool known as the Bemstour trojan — a program that tricks a user into running it, which then activates attack code.

The Buckeye Group itself ceased operation in mid-2017 after three alleged members of the group were indicted by the US Department of Justice. Although most of the tools associated with Buckeye also stopped being used around that time, both DoublePulsar and the Bemstour trojan continued to appear in the wild in 2018, but with different malware.

“Is it still Buckeye?” Mr. Chien said. “Or did they give these tools to another group to use? That is a mystery. People come and go. Clearly the tools live on.”

For its part, Symantec offers protection code against much of Buckeye’s malware tools including DoublePulsar and Bemstour.

Photo: Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU