By , and
Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered. The episode is the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal.
Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away.
The Chinese action shows how proliferating cyberconflict is creating a digital wild West with few rules or certainties, and how difficult it is for the United States to keep track of the malware it uses to break into foreign networks and attack adversaries’ infrastructure.
The losses have touched off a debate within the intelligence community over whether the United States should continue to develop some of the world’s most high-tech, stealthy cyberweapons if it is unable to keep them under lock and key.
The Chinese hacking group that co-opted the N.S.A.’s tools is considered by the agency’s analysts to be among the most dangerous Chinese contractors it tracks, according to a classified agency memo reviewed by The New York Times. The group is responsible for numerous attacks on some of the most sensitive defense targets inside the United States, including space, satellite and nuclear propulsion technology makers.
Now, Symantec’s discovery, , suggests that the same Chinese hackers the agency has trailed for more than a decade have turned the tables on the agency.
Some of the same N.S.A. hacking tools acquired by the Chinese were later dumped on the internet and used by Russia and North Korea in devastating global attacks, although there appears to be no connection between China’s acquisition of the American cyberweapons and the Shadow Brokers’ later revelations.
But Symantec’s discovery that Chinese state-sponsored hackers acquired some of the tools months before the Shadow Brokers first appeared on the internet in August 2016.
Repeatedly over the past decade, American intelligence agencies have had their hacking tools and details about highly classified cybersecurity programs resurface in the hands of other nations or criminal groups.
The N.S.A. used sophisticated malware to destroy Iran’s nuclear centrifuges — and then saw the same code proliferate around the world, doing damage to random targets, including American business giants like Chevron. Details of secret American cybersecurity programs were disclosed to journalists by Edward J. Snowden, a former N.S.A. contractor now living in exile in Moscow. A collection of C.I.A. cyberweapons, , was posted on WikiLeaks.
“We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies,” said Eric Chien, a security director at Symantec.
Now that nation-state cyberweapons have been leaked, hacked and repurposed by American adversaries, Mr. Chien added, it is high time that nation states “bake that into” their analysis of the risk of using cyberweapons — and the very real possibility they will be reassembled and shot back at the United States or its allies.
In the latest case, Symantec researchers are not certain exactly how the Chinese obtained the American-developed code. But they know that Chinese intelligence contractors used the repurposed American tools to carry out cyberintrusions in at least five countries or territories: Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong. The targets included scientific research organizations, educational institutions and the computer networks of at least one American government ally.
One attack on a major telecommunications network may have given Chinese intelligence officers access to hundreds of thousands or millions of private communications, Symantec said.
Symantec did not explicitly name China in its research. Instead, it identified the attackers as the Buckeye group, Symantec’s own term for hackers that the Department of Justice and several other cybersecurity firms have identified as a Chinese Ministry of State Security contractor operating out of Guangzhou.
Because cybersecurity companies operate globally, they often concoct their own nicknames for government intelligence agencies to avoid offending any government; Symantec and other firms refer to N.S.A. hackers as the Equation group. Buckeye is also referred to as APT3, for Advanced Persistent Threat, and other names.
In 2017, the Justice Department announced in the group Symantec calls Buckeye. While prosecutors did not assert that the three were working on behalf of the Chinese government, and the classified N.S.A. memo that was reviewed by The Times made clear the group contracted with the Ministry of State Security and had carried out sophisticated attacks on the United States.
A , issued last week, describes Beijing as among the most skilled and persistent players in military, intelligence and commercial cyberoperations, seeking “to degrade core U.S. operational and technological advantages.”
In this case, however, the Chinese simply seem to have spotted an American cyberintrusion and snatched the code, often developed at huge expense to American taxpayers.
Symantec discovered that as early as March 2016, the Chinese hackers were using tweaked versions of two N.S.A. tools, called Eternal Synergy and Double Pulsar, in their attacks. Months later, in August 2016, the Shadow Brokers released their first samples of stolen N.S.A. tools, followed by their April 2017 internet dump of its entire collection of N.S.A. exploits.
Symantec researchers noted that there were many previous instances in which malware discovered by cybersecurity researchers was released publicly on the internet and subsequently grabbed by spy agencies or criminals and used for attacks. But they did not know of a precedent for the Chinese actions in this case — covertly capturing computer code used in an attack, then co-opting it and turning it against new targets.
“This is the first time we’ve seen a case — that people have long referenced in theory — of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others,” Mr. Chien said.
The Chinese appear not to have turned the weapons back against the United States, for two possible reasons, Symantec researchers said. They might assume Americans have developed defenses against their own weapons, and they might not want to reveal to the United States that they had stolen American tools.
For American intelligence agencies, Symantec’s discovery presents a kind of worst-case scenario that United States officials have said they try to avoid using a White House program known as the Vulnerabilities Equities Process.
Under that process, started in the Obama administration, a White House cybersecurity coordinator and representatives from various government agencies weigh the trade-offs of keeping the American stockpile of undisclosed vulnerabilities secret. Representatives debate the stockpiling of those vulnerabilities for intelligence gathering or military use against the very real risk that they could be discovered by an adversary like the Chinese and used to hack Americans.
The Shadow Brokers’ release of the N.S.A.’s most highly coveted hacking tools in 2016 and 2017 forced the agency to turn over its arsenal of software vulnerabilities to Microsoft for patching and to shut down some of the N.S.A.’s most sensitive counterterrorism operations, two former N.S.A. employees said.
The N.S.A.’s tools were picked up by North Korean and Russian hackers and used for attacks that crippled the British health care system, shut down operations at the shipping corporation Maersk and cut short critical supplies of a vaccine manufactured by Merck. In Ukraine, the Russian attacks paralyzed critical Ukrainian services, including the airport, Postal Service, gas stations and A.T.M.s.
“None of the decisions that go into the process are risk free. That’s just not the nature of how these things work,” said Michael Daniel, the president of the Cyber Threat Alliance, who previously was cybersecurity coordinator for the Obama administration. “But this clearly reinforces the need to have a thoughtful process that involves lots of different equities and is updated frequently.”
Beyond the nation’s intelligence services, the process involves agencies like the Department of Health and Human Services and the Treasury Department that want to ensure N.S.A. vulnerabilities will not be discovered by adversaries or criminals and turned back on American infrastructure, like hospitals and banks, or interests abroad.
That is exactly what appears to have happened in Symantec’s recent discovery, Mr. Chien said. In the future, he said, American officials will need to factor in the real likelihood that their own tools will boomerang back on American targets or allies. An N.S.A. spokeswoman said the agency had no immediate comment on the Symantec report.
One other element of Symantec’s discovery troubled Mr. Chien. He noted that even though the Buckeye group went dark after the Justice Department indictment of three of its members in 2017, the N.S.A.’s repurposed tools continued to be used in attacks in Europe and Asia through last September.
“Is it still Buckeye?” Mr. Chien asked. “Or did they give these tools to another group to use? That is a mystery. People come and go. Clearly the tools live on.”
May 25, 2019
For nearly three weeks, Baltimore has struggled with a cyberattack by digital extortionists that has frozen thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services.
But here is what frustrated city employees and residents do not know: A key component of the malware that cybercriminals used in the attack was developed at taxpayer expense a short drive down the Baltimore-Washington Parkway at the National Security Agency, according to security experts briefed on the case.
Since 2017, when , EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world, leaving billions of dollars in damage. But over the past year, the cyberweapon has boomeranged back and is now showing up in the N.S.A.’s own backyard.
It is not just in Baltimore. Security experts say EternalBlue attacks , and cybercriminals are zeroing in on vulnerable American towns and cities, from Pennsylvania to Texas, paralyzing local governments and driving up costs.
The N.S.A. connection to the attacks on American cities has not been previously reported, in part because the agency has refused to discuss or even acknowledge the loss of its cyberweapon, dumped online in April 2017 by a still-unidentified group calling itself . Years later, the agency and the Federal Bureau of Investigation still do not know whether the Shadow Brokers are foreign spies or disgruntled insiders.
Thomas Rid, a cybersecurity expert at Johns Hopkins University, called the Shadow Brokers episode “the most destructive and costly N.S.A. breach in history,” more damaging than the better-known leak in 2013 from Edward Snowden, the former N.S.A. contractor.
“The government has refused to take responsibility, or even to answer the most basic questions,” Mr. Rid said. “Congressional oversight appears to be failing. The American people deserve an answer.”
The N.S.A. and F.B.I. declined to comment.
Since that leak, foreign intelligence agencies and rogue actors have used EternalBlue to spread malware that has paralyzed hospitals, airports, rail and shipping operators, A.T.M.s and factories that produce critical vaccines. Now the tool is hitting the United States where it is most vulnerable, in local governments with aging digital infrastructure and fewer resources to defend themselves.
Before it leaked, EternalBlue was one of the most useful exploits in the N.S.A.’s cyberarsenal. According to three former N.S.A. operators who spoke on the condition of anonymity, analysts spent almost a year finding a flaw in Microsoft’s software and writing the code to target it. Initially, they referred to it as EternalBluescreen because it often crashed computers — a risk that could tip off their targets. But it went on to become a reliable tool used in countless intelligence-gathering and counterterrorism missions.
EternalBlue was so valuable, former N.S.A. employees said, that the agency never seriously considered alerting Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand.
The , on May 7, was a assault. City workers’ screens suddenly locked, and a message in flawed English demanded about $100,000 in Bitcoin to free their files: “We’ve watching you for days,” said the message, . “We won’t talk more, all we know is MONEY! Hurry up!”
Today, Baltimore remains handicapped as city officials refuse to pay, though workarounds have restored some services. Without EternalBlue, the damage would not have been so vast, experts said. The tool exploits a vulnerability in unpatched software that allows hackers to spread their malware faster and farther than they otherwise could.
North Korea was the first nation to co-opt the tool, for an attack in 2017 — called WannaCry — that paralyzed the British health care system, German railroads and some 200,000 organizations around the world. Next was Russia, which used the weapon in an attack — called NotPetya — that was aimed at Ukraine but spread across major companies doing business in the country. The assault cost FedEx more than $400 million and Merck, the pharmaceutical giant, $670 million.
The damage didn’t stop there. In the past year, the same Russian hackers who targeted the 2016 American presidential election used EternalBlue to compromise hotel Wi-Fi networks. Iranian hackers have used it to spread ransomware and hack airlines in the Middle East, according to researchers at the security firms Symantec and FireEye.
“It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used,” said Vikram Thakur, Symantec’s director of security response.
One month before the Shadow Brokers began dumping the agency’s tools online in 2017, the N.S.A. — aware of the breach — reached out to Microsoft and other tech companies to inform them of their software flaws. Microsoft released a patch, but hundreds of thousands of computers worldwide remain unprotected.
Hackers seem to have found a sweet spot in Baltimore, Allentown, Pa., San Antonio and other local, American governments, where public employees oversee tangled networks that often use out-of-date software. Last July, the that state and local governments were getting hit by particularly destructive malware that now, security researchers say, has started relying on EternalBlue to spread.
Microsoft, which tracks the use of EternalBlue, would not name the cities and towns affected, citing customer privacy. But other experts briefed on the attacks in Baltimore, Allentown and San Antonio confirmed the hackers used EternalBlue. Security responders said they were seeing EternalBlue pop up in attacks almost every day.
Amit Serper, head of security research at Cybereason, said his firm had responded to EternalBlue attacks at three different American universities, and found vulnerable servers in major cities like Dallas, Los Angeles and New York.
The costs can be hard for local governments to bear. The Allentown attack, in February last year, disrupted city services for weeks and cost about $1 million to remedy — plus another $420,000 a year for new defenses, said Matthew Leibert, the city’s chief information officer.
He described the package of dangerous computer code that hit Allentown as “commodity malware,” sold on the dark web and used by criminals who don’t have specific targets in mind. “There are warehouses of kids overseas firing off phishing emails,” Mr. Leibert said, like thugs shooting military-grade weapons at random targets.
The malware that hit San Antonio last September infected a computer inside Bexar County sheriff’s office and tried to spread across the network using EternalBlue, according to two people briefed on the attack.
This past week, researchers at the security firm Palo Alto Networks discovered that a Chinese state group, Emissary Panda, had hacked into Middle Eastern governments using EternalBlue.
“You can’t hope that once the initial wave of attacks is over, it will go away,” said Jen Miller-Osborn, a deputy director of threat intelligence at Palo Alto Networks. “We expect EternalBlue will be used almost forever, because if attackers find a system that isn’t patched, it is so useful.”
Until a decade or so ago, the most powerful cyberweapons belonged almost exclusively to intelligence agencies — N.S.A. officials used the term “NOBUS,” for “nobody but us,” for vulnerabilities only the agency had the sophistication to exploit. But that advantage has hugely eroded, not only because of the leaks, but because anyone can grab a cyberweapon’s code once it’s used in the wild.
Some F.B.I. and Homeland Security officials, speaking privately, said more accountability at the N.S.A. was needed. A former F.B.I. official likened the situation to a government failing to lock up a warehouse of automatic weapons.
In an interview in March, Adm. Michael S. Rogers, who was director of the N.S.A. during the Shadow Brokers leak, suggested in unusually candid remarks that the agency should not be blamed for the long trail of damage.
“If Toyota makes pickup trucks and someone takes a pickup truck, welds an explosive device onto the front, crashes it through a perimeter and into a crowd of people, is that Toyota’s responsibility?” he asked. “The N.S.A. wrote an exploit that was never designed to do what was done.”
At Microsoft’s headquarters in Redmond, Wash., where thousands of security engineers have found themselves on the front lines of these attacks, executives reject that analogy.
“I disagree completely,” said Tom Burt, the corporate vice president of consumer trust, insisting that cyberweapons could not be compared to pickup trucks. “These exploits are developed and kept secret by governments for the express purpose of using them as weapons or espionage tools. They’re inherently dangerous. When someone takes that, they’re not strapping a bomb to it. It’s already a bomb.”
Brad Smith, Microsoft’s president, has called for a to govern cyberspace, including a pledge by governments to report vulnerabilities to vendors, rather than keeping them secret to exploit for espionage or attacks.
Last year, Microsoft, along with Google and Facebook, joined 50 countries in signing on to a similar call by French President Emmanuel Macron — the Paris Call for Trust and Security in Cyberspace — to end “malicious cyber activities in peacetime.”
Notably absent from the signatories were the world’s most aggressive cyberactors: China, Iran, Israel, North Korea, Russia — and the United States.