China hackers reverse engineered NSA spy tools, researchers say


Chinese state-backed hackers reverse engineered tools used by a US-government-affiliated hacking group, enabling them to expand their espionage arsenal without needing a direct attack on US intelligence agencies, new research suggests.

Why it matters: Developing new intrusion and espionage tools requires significant resources. Reconstructing a captured tool instead lets a hacking group expand its arsenal in a relatively short period of time.

  • The hackers are part of an advanced persistent threat (APT) group. Such groups typically run extended intrusion campaigns and are backed by governments around the world.

Details: APT3, also known as the UPS Team, engineered its own version of a network infiltration tool used by the Equation Group, a hacking collective linked to the National Security Agency (NSA), a US intelligence agency.

  • The Equation Group’s tool was first leaked online in 2017 by a clandestine group of hackers dubbed the Shadow Brokers. However, researchers found that a variant of this tool had been used by Chinese hackers before the leak.
  • Researchers at cybersecurity firm Check Point said they cannot say with absolute certainty that the tools were developed in-house, but evidence indicates Chinese APT groups collect tools used against them to “reverse engineer and reconstruct them to create equally strong digital weapons.”
  • The researchers said that this could suggest the US and China are engaged in a “cyber arms race” to develop new cyber tools.

“We believe that this artifact was collected during an attack conducted by the Equation Group against a network monitored by APT3, allowing it to enhance its exploit arsenal with a fraction of the resources required to build the original tool.”

—Mark Lechtik and Nadav Grossman, researchers at cybersecurity firm Check Point

Context: APT3 is one of many APT groups active in China. Others include APT41, APT40, and APT30.

  • These groups typically have a specific area of focus, such as particular industries or geographies.
  • For example, APT41 is known for having targeted the healthcare, high-tech, and telecommunications sectors in more than a dozen countries. Meanwhile, APT40’s focus is on nations important to China’s controversial Belt and Road Initiative, as well as countries in Southeast Asia.