A hacker group linked to the Chinese government found and repurposed a set of the National Security Agency’s (NSA) cyberweapons against targets in Europe and Asia beginning in 2016, according to cybersecurity firm Symantec.
Symantec’s findings, released Monday, said the cyberweapons were used at least a year before a massive leak by a group calling itself the Shadow Brokers made public some of the NSA’s most powerful cyber tools – suggesting the China-linked hackers gained access to them earlier and in a different way. The tools do not appear to have been used on targets within the U.S., Symantec said.
“It’s the first time we’ve ever seen this happen,” said Eric Chien, a security director at Symantec, in a phone interview with CBS News. “First, it’s definitely surprising they were able to recover these [tools]. It’s also surprising that they’ve been using them since 2016 – for two years – without anyone noticing.”
Symantec did not name any countries in its report and does not do so as a practice. It and other cybersecurity companies refer to the NSA as “Equation Group” and the group linked to China’s intelligence apparatus as “Buckeye Group,” which is also known as “APT3,” “Boyusec,” and “Gothic Panda.”
The U.S. Department of Justice charged three alleged members of Buckeye with hacking, IP theft, conspiracy and identity theft in 2017.
Symantec said it identified one “zero day” vulnerability – a piece of code that allows a hacker access to a machine without anyone on the other end clicking a link, opening an attachment, or using a website – in a piece of Microsoft software in 2018. When it looked back through its own archives at where else the code had been used, it found a variation of it employed by Buckeye in 2016 – well before thedumped this tool, alongside a trove of other NSA cyber weapons, in 2017. (The Microsoft vulnerability Symantec identified was patched in March 2019.)
While it was not entirely clear how Buckeye Group acquired the NSA’s tools, technical evidence gathered by Symantec indicated the group may have observed the NSA use them elsewhere before repurposing them for intrusions into systems in Hong Kong, the Philippines, Vietnam, Belgium and Luxembourg.
In a less likely but still possible scenario, according to Symantec, the tools may have been stolen by or leaked to Buckeye by an NSA insider.
The NSA did not immediately respond to a request for comment.
Chien said the incident, overall, “demonstrates the sophistication of the Buckeye Group,” which he said was known to be “prolific,” conducting attacks on a number of targets worldwide. In this case, he said, the tools were used on very few organizations.
“So it seems like they understood they had something extremely valuable and used them only on super-important targets,” Chien said.
Symantec’s report raises new questions about how well-guarded the United States’ cyber arsenal is and whether there are overlooked, latent risks to the U.S. conducting cyberattacks of its own.
“It definitely requires anyone conducting cyber offensive operations to add this to their calculus,” Chien said.
He also said the company would be looking for other, similar incidents.
“First is rarely the only,” he said.