The perils of non-disclosure? China 'cloned and used' NSA zero-day exploit for years before it was made public

Check Point says Beijing 'reconstructed' Equation Group's hacking tool long before leak

A zero-day exploit said to have been developed by the NSA was cloned and used by Chinese government hackers on Windows systems years before the cyber-weapon was leaked online, it is claimed.

Check Point put out a report on Monday digging into Chinese malware it calls Jian, and argues persuasively this particular software nasty was spawned sometime around 2014 from NSA exploit code that eventually leaked online in 2017.

The timeline basically seems to be, according to Check Point:

  • 2013: NSA's Equation Group developed a set of exploits including one called EpMe that elevates one's privileges on a vulnerable Windows system to system-administrator level, granting full control. This allows someone with a foothold on a machine to commandeer the whole box.
  • 2014-2015: China's hacking team code-named APT31, aka Zirconium, developed Jian by, one way or another, cloning EpMe.
  • Early 2017: The Equation Group's tools were teased and then leaked online by a team calling itself the Shadow Brokers. Around that time, Microsoft cancelled its February Patch Tuesday, identified the vulnerability exploited by EpMe (CVE-2017-0005), and fixed it in a bumper March update. Interestingly enough, Lockheed Martin was credited as alerting Microsoft to the flaw, suggesting it was perhaps used against an American target.
  • Mid 2017: Microsoft quietly fixed the vulnerability exploited by the leaked EpMo exploit.

It could be that Beijing obtained a copy of Equation Group's EpMe, or observed it being used and recreated it, and used it while the hole in Microsoft's Windows remained unfixed. Or the Chinese could have found the same bug within the OS. Check Point reckons the code was lifted rather than a coincidence:

Our research started by analyzing “Jian”, the Chinese (APT31 / Zirconium) exploit for CVE-2017-0005, which was reported by Lockheed Martin’s Computer Incident Response Team. To our surprise, we found out that this APT31 exploit was in fact a reconstructed version of an Equation Group exploit, dubbed “EpMe”. This means that a Chinese-affiliated group used an Equation Group exploit possibly against American targets.

The case of “EpMe” / “Jian” is unique, as we have evidence that “Jian” was constructed from the actual sample of the Equation Group exploit. Having dated the APT31’s samples to 3 years prior to the Shadow Broker’s leak, our hypothesis is that these Equation Group exploit samples could have been acquired by the Chinese APT in one of the following ways: Captured during an Equation Group network operation on a Chinese target; Captured during an Equation Group operation on a 3rd-party network which was also monitored by the Chinese APT; Captured by the Chinese APT during an attack on Equation Group infrastructure.

The full sleuthing is outlined in an extensive technical report, and again raises the question over whether it is in the US intelligence community’s best interests to share the details of any exploitable vulnerabilities they find – rather than try to keep them a secret and use them themselves – because, ultimately the tools will leak (or the bugs be discovered by others) and expose US businesses and institutions to hacking attempts.

More damage

The Shadow Brokers were also responsible for leaking the Eternal series of exploits that were later used to spread software nasties, such as the Wannacry ransomware and NotPetya malware.

The Zirconium hacking crew, meanwhile, was accused of menacing candidates in America's 2020 elections. It also opens the possibility that the nightmare hack of US government departments and Fortune 500 companies through SolarWinds networking software was the result of US-government developed exploits that had been directed back at the US.

The security researchers note that society still has an illogical perspective on cybersecurity. “What would you say if we told you that a foreign group managed to steal an American nuclear submarine? That would definitely be a bad thing, and would quickly reach every headline,” they note. “However, for cyber weapons – although their impact could be just as devastating – it’s usually a different story.”

They go on: “Cyber weapons are digital and volatile by nature. Stealing them and transferring from one continent to another, can be as simple as sending an email. They are also very obscure, and their mere existence is a closely guarded secret. That is exactly why, as opposed to a nuclear submarine, stealing a cyber-weapon can easily go under the radar and become a fact known only to a selected few.” ®

Biting the hand that feeds IT © 1998–2021