New Delhi, Feb 23: In a daring incident, Chinese cybercriminals managed to steal, clone and use nation-grade cyber tools from none other than the US’ National Security Agency (NSA) to attack US targets.
The tool, called “Jian”, was in fact a clone of software developed by the US National Security Agency (NSA)’s Equation Group, described as “one of the most sophisticated cyberattack groups in the world”, according to a report by Check Point Research.
“The caught-in-the-wild exploit of CVE-2017-0005, a 0-Day attributed by Microsoft to the Chinese APT31 (Zirconium), is in fact a replica of an Equation Group exploit code-named EpMe,” the researchers said.
Chinese threat actors had access to EpMe’s files, in both their 32-bit and 64-bit versions, more than two years before the infamous Shadow Brokers leak.
In the Shadow Brokers leak, a mysterious group decided to publicly publish a wide range of cyber weapons allegedly developed by the Tailored Access Operations (TAO) unit of the NSA — also referred to as the ‘Equation Group’.
The Shadow Brokers leak led to some of the biggest cyber outbreaks in history. The most famous was the WannaCry attack, which caused hundreds of millions of dollars in damage to organisations across the globe and whose implications are still relevant three years after it happened.
According to the researchers, Jian is a clone of “EpMe”, an exploit that was itself part of the later Shadow Brokers leak, and it was “repurposed” by Chinese threat actors to attack US targets.
“Cyber weapons are digital and volatile by nature. Stealing them and transferring from one continent to another can be as simple as sending an email. They are also very obscure, and their mere existence is a closely guarded secret,” said Check Point researchers in a statement on Monday.
The APT31 exploit was reported to Microsoft by Lockheed Martin’s Computer Incident Response Team, hinting at a possible attack against an American target.
A Lockheed Martin spokesperson told ZDNet that their cybersecurity team routinely evaluates third-party software and technologies to identify vulnerabilities and responsibly reports them to developers and other interested parties.
Notably, EpMe and Jian use exactly the same hardcoded constants.
The fact that all of these constants are shared between the two samples, including an unusual-looking Unicode string highlighted in the report, strongly suggests that one of the exploits was copied from the other.
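The shared-constant comparison described above, as an added example that is not from the article or from Check Point’s report: a small Python script that pulls 32-bit immediates and UTF-16 strings out of two byte blobs and reports what they have in common, which is the kind of check an analyst runs when two samples look related. The sample bytes, constants and the “Marker” string are constructed placeholders, not the real EpMe or Jian values, and the opcode pattern stands in for a proper disassembler.

```python
import re
import struct
from typing import Dict, Set

# x86 opcodes that carry a 32-bit immediate: B8..BF = mov r32, imm32; 68 = push imm32.
# A real analysis would walk the binary with a disassembler; this pattern is a stand-in.
IMM32_RE = re.compile(rb"[\xb8-\xbf\x68](.{4})", re.DOTALL)
# Printable ASCII encoded as UTF-16LE, at least 4 characters long.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_immediates(blob: bytes, min_value: int = 0x10000) -> Set[int]:
    """Return the distinct imm32 operands found after the opcodes above,
    dropping small values that are usually counters or offsets, not magic."""
    found = set()
    for m in IMM32_RE.finditer(blob):
        value = struct.unpack("<I", m.group(1))[0]
        if value >= min_value:
            found.add(value)
    return found


def extract_utf16_strings(blob: bytes) -> Set[str]:
    """Return the distinct UTF-16LE strings (ASCII subset) in the blob."""
    return {m.group(0).decode("utf-16-le") for m in UTF16_RE.finditer(blob)}


def compare_samples(a: bytes, b: bytes) -> Dict[str, object]:
    """Report constants and strings shared by two samples plus a Jaccard score
    over the union of both feature sets (1.0 = identical artefacts, 0.0 = nothing shared)."""
    imm_a, imm_b = extract_immediates(a), extract_immediates(b)
    str_a, str_b = extract_utf16_strings(a), extract_utf16_strings(b)
    shared_imm, shared_str = imm_a & imm_b, str_a & str_b
    union = len(imm_a | imm_b) + len(str_a | str_b)
    jaccard = (len(shared_imm) + len(shared_str)) / union if union else 0.0
    return {
        "shared_immediates": shared_imm,
        "shared_strings": shared_str,
        "only_a": (imm_a - imm_b) | (str_a - str_b),
        "only_b": (imm_b - imm_a) | (str_b - str_a),
        "jaccard": jaccard,
    }


def _fake_sample(immediates, text: str) -> bytes:
    """Build a constructed 'binary': mov eax, imm32 instructions, NOP padding,
    then a NUL-terminated UTF-16LE string. Purely illustrative."""
    code = b"".join(b"\xb8" + struct.pack("<I", v) for v in immediates)
    return code + b"\x90" * 4 + text.encode("utf-16-le") + b"\x00\x00"


# Constructed placeholder constants; the real EpMe/Jian values are not reproduced here.
COMMON = [0x1EE7C0DE, 0x0BADF00D, 0x7FFE0300]
SAMPLE_A = _fake_sample(COMMON + [0x41414141], "Marker")   # "original"
SAMPLE_B = _fake_sample([0x52525252] + COMMON, "Marker")   # "clone" with one extra value
SAMPLE_C = _fake_sample([0x13579BDF, 0x2466ACE0], "Noise")  # unrelated sample

if __name__ == "__main__":
    for name, other in (("B", SAMPLE_B), ("C", SAMPLE_C)):
        result = compare_samples(SAMPLE_A, other)
        print(f"A vs {name}: jaccard={result['jaccard']:.2f}")
        print("  shared immediates:", sorted(hex(v) for v in result["shared_immediates"]))
        print("  shared strings:   ", sorted(result["shared_strings"]))
```

Shared immediates alone are weak evidence, since common API hashes or Windows structure offsets show up in unrelated tooling; what made the Check Point finding persuasive was that every constant matched, including an idiosyncratic string, so the score here should be read together with the list of what was shared.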
“One of the 0-Days in the framework, code-named EpMo, was never publicly discussed, and was patched by Microsoft with no apparent CVE-ID in May 2017. This was seemingly in response to the Shadow Brokers leak,” the cyber security team mentioned.