New research suggests a hacking tool previously developed by the National Security Agency was stolen years ago by a prolific Chinese cyber group and was subsequently used against a variety of U.S. targets.
Researchers with Israeli security firm Check Point Research say they have found evidence that APT 31, a state-sponsored hacking group from China, somehow lifted code from an NSA tool way back in 2014, then co-opted and adapted it for their own hacking operations.
Researchers have nicknamed the tool “Jian.” It would appear “Jian” helped hackers escalate privileges—i.e., push further inside a victim’s compromised network or system. Check Point says APT 31 used it for a period of at least three years, from 2014 until 2017, when Microsoft patched the vulnerability associated with it. U.S. defense giant Lockheed Martin is suspected of being one of the targets of such campaigns.
The NSA’s cyber weapons are believed to have been stolen by foreign hacking groups multiple times before. The most infamous incident occurred in 2017, when some of the agency’s most eyebrow-raising cyber tools were spilled all over the internet by a group calling themselves the “Shadow Brokers.” The mysterious “Brokers” somehow managed to get their hands on tools used by the Tailored Access Operations unit (also called the “Equation Group”), the agency’s sophisticated hacker cell responsible for developing highly advanced cyber weaponry.
Check Point researchers claim “Jian” is also a product of the Equation Group, but say they have “strong evidence” that the tool was actually stolen prior to the “Shadow Brokers” leak. As explanation, researchers offer the idea that China may have been able to co-opt NSA tools if they had caught the U.S. agency hacking them. Or, if they had been monitoring another machine that the NSA was also trying to hack. Researchers write:
Having dated APT31’s samples to 3 years prior to the Shadow Broker’s [leak]…our estimate is that these Equation Group exploit samples could have been acquired by the Chinese APT in one of these ways:
- Captured during an Equation Group network operation on a Chinese target.
- Captured during an Equation Group operation on a 3rd-party network which was also monitored by the Chinese APT.
- Captured by the Chinese APT during an attack on Equation Group infrastructure.
The alleged hacker group behind “Jian,” APT 31, is known for specializing in intellectual property theft (the group also goes by colorful nicknames such as “Zirconium” and “Judgment Panda”). FireEye describes them as having a broad range of targets, including “government, international financial organization, and aerospace and defense organizations” and “high tech, construction and engineering, telecommunications, media, and insurance.” The group has also previously been linked to hacks of U.S. presidential campaigns, including Joe Biden’s.