An unidentified group of hackers referred to as the Shadow Brokers posted several NSA hacking tools online in 2016 and 2017. But a new report reveals that some of the NSA’s malware tools were reverse-engineered long before that by Chinese hackers, who then used them in cyberattacks targeting other countries.
Security researchers from Symantec believe that the Chinese did not steal the tools directly from the NSA. Instead, they discovered an NSA attack on their own computers, captured the code, and then repurposed it to serve their interests. This happened in March 2016, well before the August 2016 Shadow Brokers leak, The New York Times reports.
The Chinese group responsible for the hacking tool “heist” is believed to be the most dangerous Chinese hacker organization that the NSA tracks. This group, which Symantec refers to as the Buckeye group, is responsible for attacks on various US targets, including space, satellite and nuclear propulsion technology makers.
The report says the attackers used the NSA tools to target five countries: Belgium, Hong Kong, Luxembourg, the Philippines, and Vietnam. Buckeye did not use the tools against the US, the report notes, either for fear of having the theft discovered, or because US targets would likely already have had patches in place that would prevent the exploit from working.
“This is the first time we’ve seen a case — that people have long referenced in theory — of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others,” Symantec security director Eric Chien said.
Separately, Russia and North Korea are believed to have used some of the leaked NSA tools against several targets in previous years, including the British health care system, the Maersk shipping corporation, Merck, and various critical Ukrainian services. But all of that happened only after the NSA tools were leaked.
The report notes that the Buckeye group “went dark” once the Justice Department indicted three of its members in 2018. But the repurposed tools were still used in attacks in Europe and Asia through last September.