A group of suspected Chinese hackers may have stolen access to an NSA cyberweapon and repurposed it to attack targets back in 2016, according to new research.
The attacks involved an NSA hacking tool called “Double Pulsar,” which can secretly download additional malware to a Windows PC. On Monday, Symantec said it found evidence that the NSA cyberweapon was bundled with a suspected Chinese-made hacking tool to attack a target in Hong Kong and then another in Belgium in March 2016.
At the time, the tool was only capable of attacking 32-bit systems. But in Sept. 2016, the Chinese-made hacking tool struck again, this time with the ability to attack 64-bit machines and newer Windows operating systems.
How the Chinese hackers learned of Double Pulsar remains unknown. But Symantec speculates they may have captured network traffic from the NSA using Double Pulsar in an actual attack. That captured traffic was then used to piece together how the NSA cyberweapon worked.
“This marks the first time Symantec has seen a case—long referenced in theory—of an attack group recovering otherwise unknown exploits and tools to subsequently attack others,” the security firm said in a statement.
It’s also possible the Chinese hackers obtained Double Pulsar through other means, like accessing a poorly-secured NSA server. Another scenario is that an NSA employee went rogue and leaked Double Pulsar to the Chinese.
Whatever the case may be, the findings underscore the risks of NSA cyberweapons falling into the wrong hands. Double Pulsar itself is no longer a secret. In April 2017, a mysterious party called the Shadow Brokers went online and dumped a cache of NSA hacking tools, which included details on Double Pulsar. A month later, the same NSA hacking tools were used to launch WannaCry, a ransomware attack that hit Windows machines across the world.
Who the Shadow Brokers are remains a mystery. But according to Symantec, the Chinese hacking group that gained access to Double Pulsar no longer appears to be active. In Nov. 2017, the US publicly charged three members of the group with hacking crimes and intellectual property theft.
However, the Chinese-made hacking tool they created continues to live on. In addition to using Double Pulsar, it exploited a previously unknown vulnerability in Windows to attack computers, though Microsoft patched that vulnerability this March.
So far, the NSA hasn’t responded to Symantec’s research. Symantec is also refraining from specifically naming the US and China as sponsors behind any of the malware attacks discussed in its research.
“While other organizations have linked Buckeye to China and the NSA to Equation Group, Symantec’s research only refers to the attack groups Buckeye/Equation Group and does not link any of these attack groups with specific nation states or government organizations,” the security firm said. “This is an important distinction as assessing, and identifying with absolute confidence, who or what organization is directing or funding the activity is complex. We focus primarily on the tools, tactics and techniques of attack groups in order to protect our customers across the globe.”