
How Chinese spies got the NSA's hacking tools, and used them for attacks

By Nicole Perlroth, David E. Sanger and Scott Shane
New York Times · 7 May, 2019 03:58 AM

The server room at Symantec. The company provided the first evidence that Chinese state-sponsored hackers had acquired some of the NSA's cybertools. Photo / Michal Czerwonka, The New York Times

Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack US allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered. The episode is the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal.

Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an NSA attack on their own computers — like a gunslinger who grabs an enemy's rifle and starts blasting away.

The Chinese action shows how proliferating cyberconflict is creating a digital wild West with few rules or certainties, and how difficult it is for the United States to keep track of the malware it uses to break into foreign networks and attack adversaries' infrastructure.

The losses have touched off a debate within the intelligence community over whether the United States should continue to develop some of the world's most high-tech, stealthy cyberweapons if it is unable to keep them under lock and key.

The Chinese hacking group that co-opted the NSA's tools is considered by the agency's analysts to be among the most dangerous Chinese contractors it tracks, according to a classified agency memo reviewed by The New York Times. The group is responsible for numerous attacks on some of the most sensitive defense targets inside the United States, including space, satellite and nuclear propulsion technology makers.

Now, Symantec's discovery, unveiled Monday, suggests that the same Chinese hackers the agency has trailed for more than a decade have turned the tables on the agency.

Some of the same NSA hacking tools acquired by the Chinese were later dumped on the internet by a still-unidentified group that calls itself the Shadow Brokers and used by Russia and North Korea in devastating global attacks, although there appears to be no connection between China's acquisition of the US cyberweapons and the Shadow Brokers' later revelations.

But Symantec's discovery provides the first evidence that Chinese state-sponsored hackers acquired some of the tools months before the Shadow Brokers first appeared on the internet in August 2016.

Repeatedly over the past decade, US intelligence agencies have had their hacking tools and details about highly classified cybersecurity programs resurface in the hands of other nations or criminal groups.

The NSA used sophisticated malware to destroy Iran's nuclear centrifuges — and then saw the same code proliferate around the world, doing damage to random targets, including US business giants like Chevron. Details of secret US cybersecurity programs were disclosed to journalists by Edward Snowden, a former NSA contractor now living in exile in Moscow. A collection of CIA cyberweapons, allegedly leaked by an insider, was posted on WikiLeaks.

"We've learned that you cannot guarantee your tools will not get leaked and used against you and your allies," said Eric Chien, a security director at Symantec.

Now that nation-state cyberweapons have been leaked, hacked and repurposed by US adversaries, Chien added, it is high time that nation states "bake that into" their analysis of the risk of using cyberweapons — and the very real possibility they will be reassembled and shot back at the United States or its allies.

In the latest case, Symantec researchers are not certain exactly how the Chinese obtained the US-developed code. But they know that Chinese intelligence contractors used the repurposed US tools to carry out cyberintrusions in at least five countries: Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong. The targets included scientific research organisations, educational institutions and the computer networks of at least one US government ally.

One attack on a major telecommunications network may have given Chinese intelligence officers access to hundreds of thousands or millions of private communications, Symantec said.

Symantec did not explicitly name China in its research. Instead, it identified the attackers as the Buckeye group, Symantec's own term for hackers that the Department of Justice and several other cybersecurity firms have identified as a Chinese Ministry of State Security contractor operating out of Guangzhou.

Because cybersecurity companies operate globally, they often concoct their own nicknames for government intelligence agencies to avoid offending any government; Symantec and other firms refer to NSA hackers as the Equation group. Buckeye is also referred to as APT3, for Advanced Persistent Threat, and other names.

In 2017, the Justice Department announced the indictment of three Chinese hackers in the group Symantec calls Buckeye. While prosecutors did not assert that the three were working on behalf of the Chinese government, independent researchers and the classified NSA memo that was reviewed by The Times made clear the group contracted with the Ministry of State Security and had carried out sophisticated attacks on the United States.

A Pentagon report about Chinese military competition, issued last week, describes Beijing as among the most skilled and persistent players in military, intelligence and commercial cyberoperations, seeking "to degrade core U.S. operational and technological advantages."

In this case, however, the Chinese simply seem to have spotted a U.S. cyberintrusion and snatched the code, often developed at huge expense to American taxpayers.

Symantec discovered that as early as March 2016, the Chinese hackers were using tweaked versions of two NSA tools, called Eternal Synergy and Double Pulsar, in their attacks. Months later, in August 2016, the Shadow Brokers released their first samples of stolen NSA tools, followed by their April 2017 internet dump of its entire collection of NSA exploits.

Symantec researchers noted that there were many previous instances in which malware discovered by cybersecurity researchers was released publicly on the internet and subsequently grabbed by spy agencies or criminals and used for attacks. But they did not know of a precedent for the Chinese actions in this case — covertly capturing computer code used in an attack, then co-opting it and turning it against new targets.

"This is the first time we've seen a case — that people have long referenced in theory — of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others," Chien said.

The Chinese appear not to have turned the weapons back against the United States, for two possible reasons, Symantec researchers said. They might assume Americans have developed defences against their own weapons, and they might not want to reveal to the United States that they had stolen US tools.

For US intelligence agencies, Symantec's discovery presents a kind of worst-case scenario that US officials have said they try to avoid using a White House program known as the Vulnerabilities Equities Process.

Under that process, started in the Obama administration, a White House cybersecurity coordinator and representatives from various government agencies weigh the trade-offs of keeping the US stockpile of undisclosed vulnerabilities secret. Representatives debate the stockpiling of those vulnerabilities for intelligence gathering or military use against the very real risk that they could be discovered by an adversary like the Chinese and used to hack Americans.

The Shadow Brokers' release of the NSA's most highly coveted hacking tools in 2016 and 2017 forced the agency to turn over its arsenal of software vulnerabilities to Microsoft for patching and to shut down some of the NSA's most sensitive counterterrorism operations, two former NSA employees said.

The NSA's tools were picked up by North Korean and Russian hackers and used for attacks that crippled the British health care system, shut down operations at shipping corporation Maersk and cut short critical supplies of a vaccine manufactured by Merck. In Ukraine, the Russian attacks paralysed critical Ukrainian services, including the airport, Postal Service, gas stations and ATMs.

"None of the decisions that go into the process are risk-free. That's just not the nature of how these things work," said Michael Daniel, president of the Cyber Threat Alliance, who previously was cybersecurity coordinator for the Obama administration. "But this clearly reinforces the need to have a thoughtful process that involves lots of different equities and is updated frequently."

Beyond the nation's intelligence services, the process involves agencies like the Department of Health and Human Services and the Treasury Department that want to ensure NSA vulnerabilities will not be discovered by adversaries or criminals and turned back on American infrastructure, like hospitals and banks, or interests abroad.

That is exactly what appears to have happened in Symantec's recent discovery, Chien said. In the future, he said, US officials will need to factor in the real likelihood that their own tools will boomerang back on US targets or allies. An NSA spokeswoman said the agency had no immediate comment on the Symantec report.

One other element of Symantec's discovery troubled Chien. He noted that even though the Buckeye group went dark after the Justice Department indictment of three of its members in 2017, the NSA's repurposed tools continued to be used in attacks in Europe and Asia through September 2018.

"Is it still Buckeye?" Chien asked. "Or did they give these tools to another group to use? That is a mystery. People come and go. Clearly the tools live on."

Written by: Nicole Perlroth, David E. Sanger and Scott Shane
Photographs by: Michal Czerwonka

© 2019 THE NEW YORK TIMES
