China thrilled it captured already-leaked NSA cyber-weapon
Not now with your mischief, Beijing
China claims it has obtained malware used by the NSA to steal files, monitor and redirect network traffic, and remotely control computers to spy on foreign targets.
The software nasty, dubbed NOPEN, is built to commandeer selected Unix and Linux systems, according to Chinese Communist Party tabloid Global Times, which today cited a report it got exclusively from China's National Computer Virus Emergency Response Center.
Trouble is, NOPEN was among the files publicly leaked in 2016 by the Shadow Brokers. If you can recall back that far, the Shadow Brokers stole and dumped online malware developed by the NSA's Equation Group.
At the time, security researchers at Vectra analyzed NOPEN in the leaked materials, and described it as a remote-access trojan for Unix-flavored systems, which matches the NOPEN Global Times got excited about today.
In effect, Global Times has told us China has "captured a spy tool deployed by the US National Security Agency," which would be a spy tool we've known about for years.
Why China would like the world to once again know about NOPEN is anyone's guess. Perhaps Beijing wanted to counter claims by the West that China has been spying on organizations and ripping off their intellectual property, or hoped to inject some extra mischief into the tense standoff between Russia, China, and the West over President Putin's bloody invasion of Ukraine.
The NSA used NOPEN to take over "a large number" of computers around the world, and the theft of data from this equipment has caused "inestimable losses," we were told today. The American malware would install a backdoor that once activated would allow miscreants to connect in, extract files, change the operation of the system, and explore the network for other resources to hijack or steal, it is claimed.
The NSA declined to comment on NOPEN and other claims of spies-doing-spying in the article.
Obviously the Middle Kingdom would never stoop to such tactics: it would never be a major source of cyber-attacks against America, target Microsoft Exchange Server, or exploit a cow-counting web app to snoop on US state governments.
This follows a Global Times report that claimed the NSA has been using cyber-weapons to attack almost 50 countries and regions for a decade with a specific focus on Chinese government agencies, high-tech firms, and military-related institutes.
We note NOPEN wasn't the only NSA-developed code to land in the wrong hands. The WannaCry ransomware outbreak of 2017 used the Equation Group's EternalBlue tool to exploit a vulnerability in Microsoft's SMB file sharing services. EternalBlue was stolen and dumped online by the Shadow Brokers before North Korean-backed criminals used it in WannaCry to infect hospitals, banks, and other businesses across 150 countries.
The Global Times also cited an anonymous Chinese cybersecurity expert who said NOPEN is or was the primary weapon in the NSA's cyber arsenal. "The vast majority of the NSA's arsenal consists of stealth fighters and submarines that can easily attack victims without their knowledge," the expert reportedly said. ®
Editor's note: This article was revised to include NOPEN's connection to the Equation Group and Shadow Brokers.