May 7, 2019 - World

China-linked group used NSA hacking tools before they leaked

Sign on the road to NSA Headquarters

The entrance to NSA headquarters. Photo Saul Loeb/Getty Images

A China-linked espionage group weaponized an NSA hacking tool for its own uses a year before that tool was leaked by a group of hackers called the Shadow Brokers, Symantec reports.

Why it matters: There's a delicate balance governments have to weigh when they develop high tech hacking tools: Every tool relies on a security flaw that a company could fix if the government chose to notify them rather than exploit it for espionage. If third parties like China co-opt the tool or make use of the same vulnerability, that opens the way for other attackers to follow the same route.

Background: The Shadow Brokers leaked tools from the NSA's vaunted "Equation Group" starting in the summer of 2016 and continuing through 2017.

  • The tools were particularly potent; some of them were used in the devastating global NotPetya and WannaCry cyberattacks, both of which caused billions of dollars in damages.
  • But in March 2016, well before the the Shadow Brokers released a tool called "Double Pulsar," a group known alternately as Gothic Panda, APT 3 and Buckeye (the name Symantec uses) had already started using the tool in its own malware.
  • Buckeye appeared to go silent in 2017 after the Department of Justice indicted three operatives.

Details: Symantec does not attribute Buckeye to China. However, the U.S. and other private cybersecurity companies do.

  • The attacks from Buckeye also incorporated another security flaw exploited by the NSA toolkit without using the specific code, as well as a never before seen security vulnerability in Microsoft Windows, which Microsoft patched last month.
  • The attacks targeted telecommunications, education, research and scientific outfits in Belgium, Luxembourg, Hong Kong, Vietnam and the Philippines.
  • The Buckeye tools continued to be used into 2018. That means Buckeye either lasted longer than previously thought or handed off its tools to others.

The Shadow Brokers and Buckeye appear to have obtained different versions of DoublePulsar.

Go deeper