Chinese Hackers Had Access to NSA Tools Years Longer Than We Thought

A group calling itself the Shadow Brokers first came to light in 2016, when it announced that it had stolen sensitive hacking tools from the National Security Agency (NSA). Who the Shadow Brokers actually are has never been established, and the tools they leaked belonged to the Equation Group, the team widely believed to be the NSA's own offensive unit.

The bad news just got worse. New evidence shows that a Chinese state-sponsored group had a working copy of one of those NSA tools years before the Shadow Brokers leaked it in 2017.

New Evidence Shows That Chinese Hacker Group Was More Active Than Previously Thought

The American-Israeli security firm Check Point released new evidence indicating that a Chinese hacking group had been using a tool that originated with the NSA. Take a deep breath: this is about to get dense.

It announced that a Chinese group known as APT31, also tracked as Judgement Panda or Zirconium, had been using a Windows exploit cloned from EpMe, an exploit written by the Equation Group. The Equation Group is a team of highly sophisticated hackers generally understood to be part of the NSA.

[Figure: Check Point's timeline of the attacks. | Source: Check Point]

Check Point says that the Chinese hackers built their own version of EpMe in 2014. They then used that exploit, which Check Point labeled "Jian" (a Chinese double-edged sword), from 2015 until March 2017, when Microsoft patched the underlying vulnerability, CVE-2017-0005.

EpMe was one of four Windows privilege escalation exploits bundled in the Equation Group's DanderSpritz post-exploitation framework, which the Shadow Brokers leaked in 2017. A privilege escalation exploit does not break into a machine by itself; it lets attackers who already have a foothold on a system as a low-privileged user elevate themselves to full SYSTEM control.

How Did This Happen?

APT31's exploit was first reported to Microsoft by Lockheed Martin's Computer Incident Response Team.

Because Lockheed Martin largely serves U.S. customers, Check Point theorizes that the exploits were used against American targets.

However, the firm does not know how the Chinese hackers obtained the NSA's tool. It is possible that APT31 captured EpMe from an Equation Group operation against a Chinese target. Check Point also speculates that the group could have recovered it from a third-party network that the Equation Group had attacked and that APT31 was monitoring. And it is even possible that APT31 stole the code directly from Equation Group infrastructure.

None of these possibilities is encouraging. Either the hackers captured the exploit from American operators who were attacking Chinese systems, or the Chinese hackers breached one of the most secure institutions in the country.

Global Cyber Warfare Is Rising

APT31 is known to be a state-sponsored hacking collective. The group allegedly carries out espionage and reconnaissance operations for the Chinese government. In October 2020, Google's Threat Analysis Group reported that the group had been behind a phishing campaign targeting staffers of the Biden presidential campaign.

The lure urged staffers to download a legitimate copy of McAfee anti-virus software. While the real installer ran, malware was silently installed alongside it on the user's device.

And of course, there were also the wide-ranging attacks on SolarWinds and FireEye last year. The fallout from those massive breaches is still being calculated, but experts attribute that attack to another nation-state, this time Russia.

Three North Korean hackers were also just charged by the U.S. Department of Justice in a years-long plot to steal and extort more than $1.3 billion in money and cryptocurrency.

According to Google alone, government-backed hacking is far more common than most people would guess. The company sent more than 30,000 "government-backed attacker" warnings to users in just the first three quarters of 2020.

[Figure: Google's government-backed attacker warnings in 2020. 2020 was a busy year for nosy government bodies across the world. | Source: Google]

It's no wonder that U.S. President Joe Biden is hoping to dedicate $9 billion to federal cybersecurity and IT modernization.

While you may or may not become the target of foreign cyber espionage, remember to practice good cyber hygiene to keep yourself safe.

Use long passwords that are unique to each account, especially for sensitive accounts, so that one leaked password cannot be replayed elsewhere. Check URLs, sender email addresses, and other details that don't match what you expect from a familiar service; a small inconsistency is often the only visible sign of a phishing attempt. Enable two-factor authentication wherever you can.

And if you think you’ve been hacked, reach out to us immediately.

Featured image by BeeBright from Shutterstock.