Chinese hackers then used NSA’s hacking tools and technology to target American allies.
Symantec researchers have discovered that in 2016, Chinese intelligence managed to repurpose hacking tools used by the National Security Agency (NSA) and exploit them to attack American private firms and allies across the globe.
In the new report published by The New York Times, it is revealed that primary targets of Chinese intelligence operatives were located in Asia and Europe.
Researchers believe that the Chinese government didn’t steal the code for NSA’s hacking tools/technology but obtained it from an NSA attack launched against their systems even before the Shadow Brokers leak. Researchers wrote that it was similar to “a gunslinger who grabs an enemy’s rifle and starts blasting away.”
“Symantec has now found evidence that a cyber espionage group began using Equation Group tools in attacks at least a year prior to the Shadow Brokers leak,” the company wrote in its blog post.
The hacking tools were then repurposed by Chinese hackers who launched several attacks against wide-range of industries including educational institutions, scientific research organizations, and space, satellite, and nuclear propulsion technology makers.
It is worth mentioning that these hacking tools were also leaked online by a group dubbed as the Shadow Brokers. One of the exploited hacking tools EternalBlue is currently being used by cyber criminals in several campaigns including in Beapy malware that has so far targeted thousands of businesses.
According to Symantec’s blog post, Chinese intelligence contractors are believed to have targeted US firms and allies in five countries, which include Hong Kong, Belgium, Vietnam, Luxembourg, and the Philippines. The hackers also attacked a mainstream telecommunication network that alone would have provided them access to tens of thousands of private conversations.
However, it must be noted that Symantec didn’t specifically name China but only identified that the hackers were the Buckeye group, also known as APT3. It is a term Symantec uses for hinting towards the involvement of the Chinese Ministry of State Security contractor that operated outside Guangzhou. In the same way, Symantec refers to hackers from the NSA as the Equation group.
Nevertheless, the company is still unclear how did the Buckeye group have access to these tools. Symantec’s security director Eric Chien told The New York Times that this is the first such case that they have identified.
“This is the first time we’ve seen a case — that people have long referenced in theory — of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others.”
Remember, in 2016, Shadow Brokers leaked a trove of data it stole from the NSA. The hacking group then started its monthly paid dump service to sell the leaked hacking tools to interested buyers and days later the same tools were used to spread the infamous and nasty WannaCry ransomware.