How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks
By Nicole Perlroth, David E. Sanger and Scott Shane
New York Times
May 6, 2019
Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away.
The Chinese action shows how proliferating cyberconflict is creating a digital wild West with few rules or certainties, and how difficult it is for the United States to keep track of the malware it uses to break into foreign networks and attack adversaries’ infrastructure.
The losses have touched off a debate within the intelligence community over whether the United States should continue to develop some of the world’s most high-tech, stealthy cyberweapons if it is unable to keep them under lock and key.
The Chinese hacking group that co-opted the N.S.A.’s tools is considered by the agency’s analysts to be among the most dangerous Chinese contractors it tracks, according to a classified agency memo reviewed by The New York Times. The group is responsible for numerous attacks on some of the most sensitive defense targets inside the United States, including space, satellite and nuclear propulsion technology makers.
Now, Symantec’s discovery, unveiled on Monday, suggests that the same Chinese hackers the agency has trailed for more than a decade have turned the tables on the agency.
Some of the same N.S.A. hacking tools acquired by the Chinese were later dumped on the internet by a still-unidentified group that calls itself the Shadow Brokers and used by Russia and North Korea in devastating global attacks, although there appears to be no connection between China’s acquisition of the American cyberweapons and the Shadow Brokers’ later revelations.
But Symantec’s discovery provides the first evidence that Chinese state-sponsored hackers acquired some of the tools months before the Shadow Brokers first appeared on the internet in August 2016.
Repeatedly over the past decade, American intelligence agencies have had their hacking tools and details about highly classified cybersecurity programs resurface in the hands of other nations or criminal groups.
The N.S.A. used sophisticated malware to destroy Iran’s nuclear centrifuges — and then saw the same code proliferate around the world, doing damage to random targets, including American business giants like Chevron. Details of secret American cybersecurity programs were disclosed to journalists by Edward J. Snowden, a former N.S.A. contractor now living in exile in Moscow. A collection of C.I.A. cyberweapons, allegedly leaked by an insider, was posted on WikiLeaks.
“We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies,” said Eric Chien, a security director at Symantec.
Now that nation-state cyberweapons have been leaked, hacked and repurposed by American adversaries, Mr. Chien added, it is high time that nation states “bake that into” their analysis of the risk of using cyberweapons — and the very real possibility they will be reassembled and shot back at the United States or its allies.
In the latest case, Symantec researchers are not certain exactly how the Chinese obtained the American-developed code. But they know that Chinese intelligence contractors used the repurposed American tools to carry out cyberintrusions in at least five countries or territories: Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong. The targets included scientific research organizations, educational institutions and the computer networks of at least one American government ally.
One attack on a major telecommunications network may have given Chinese intelligence officers access to hundreds of thousands or millions of private communications, Symantec said.
Symantec did not explicitly name China in its research. Instead, it identified the attackers as the Buckeye group, Symantec’s own term for hackers that the Department of Justice and several other cybersecurity firms have identified as a Chinese Ministry of State Security contractor operating out of Guangzhou.
Because cybersecurity companies operate globally, they often concoct their own nicknames for government intelligence agencies to avoid offending any government; Symantec and other firms refer to N.S.A. hackers as the Equation group. Buckeye is also referred to as APT3, for Advanced Persistent Threat, and other names.
In 2017, the Justice Department announced the indictment of three Chinese hackers in the group Symantec calls Buckeye. While prosecutors did not assert that the three were working on behalf of the Chinese government, independent researchers and the classified N.S.A. memo that was reviewed by The Times made clear the group contracted with the Ministry of State Security and had carried out sophisticated attacks on the United States.
A Pentagon report about Chinese military competition, issued last week, describes Beijing as among the most skilled and persistent players in military, intelligence and commercial cyberoperations, seeking “to degrade core U.S. operational and technological advantages.”
In this case, however, the Chinese simply seem to have spotted an American cyberintrusion and snatched the code, often developed at huge expense to American taxpayers.
Symantec discovered that as early as March 2016, the Chinese hackers were using tweaked versions of two N.S.A. tools, called EternalSynergy and DoublePulsar, in their attacks. Months later, in August 2016, the Shadow Brokers released their first samples of stolen N.S.A. tools, followed by their April 2017 internet dump of their entire collection of N.S.A. exploits.
Symantec researchers noted that there were many previous instances in which malware discovered by cybersecurity researchers was released publicly on the internet and subsequently grabbed by spy agencies or criminals and used for attacks. But they did not know of a precedent for the Chinese actions in this case — covertly capturing computer code used in an attack, then co-opting it and turning it against new targets.
“This is the first time we’ve seen a case — that people have long referenced in theory — of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others,” Mr. Chien said.
The Chinese appear not to have turned the weapons back against the United States, for two possible reasons, Symantec researchers said. They might assume Americans have developed defenses against their own weapons, and they might not want to reveal to the United States that they had stolen American tools.
For American intelligence agencies, Symantec’s discovery presents a kind of worst-case scenario that United States officials have said they try to avoid using a White House program known as the Vulnerabilities Equities Process.
Under that process, started in the Obama administration, a White House cybersecurity coordinator and representatives from various government agencies weigh the trade-offs of keeping the American stockpile of undisclosed vulnerabilities secret. Representatives debate the stockpiling of those vulnerabilities for intelligence gathering or military use against the very real risk that they could be discovered by an adversary like the Chinese and used to hack Americans.
The Shadow Brokers’ release of the N.S.A.’s most highly coveted hacking tools in 2016 and 2017 forced the agency to turn over its arsenal of software vulnerabilities to Microsoft for patching and to shut down some of the N.S.A.’s most sensitive counterterrorism operations, two former N.S.A. employees said.
The N.S.A.’s tools were picked up by North Korean and Russian hackers and used for attacks that crippled the British health care system, shut down operations at the shipping corporation Maersk and cut short critical supplies of a vaccine manufactured by Merck. In Ukraine, the Russian attacks paralyzed critical Ukrainian services, including the airport, postal service, gas stations and A.T.M.s.
“None of the decisions that go into the process are risk free. That’s just not the nature of how these things work,” said Michael Daniel, the president of the Cyber Threat Alliance, who previously was cybersecurity coordinator for the Obama administration. “But this clearly reinforces the need to have a thoughtful process that involves lots of different equities and is updated frequently.”
Beyond the nation’s intelligence services, the process involves agencies like the Department of Health and Human Services and the Treasury Department that want to ensure N.S.A. vulnerabilities will not be discovered by adversaries or criminals and turned back on American infrastructure, like hospitals and banks, or interests abroad.
That is exactly what appears to have happened in Symantec’s recent discovery, Mr. Chien said. In the future, he said, American officials will need to factor in the real likelihood that their own tools will boomerang back on American targets or allies. An N.S.A. spokeswoman said the agency had no immediate comment on the Symantec report.
One other element of Symantec’s discovery troubled Mr. Chien. He noted that even though the Buckeye group went dark after the Justice Department indictment of three of its members in 2017, the N.S.A.’s repurposed tools continued to be used in attacks in Europe and Asia through last September.
“Is it still Buckeye?” Mr. Chien asked. “Or did they give these tools to another group to use? That is a mystery. People come and go. Clearly the tools live on.”
*********************
In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc
By Nicole Perlroth and Scott Shane
May 25, 2019
For nearly three weeks, Baltimore has struggled with a cyberattack by digital extortionists that has frozen thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services.
But here is what frustrated city employees and residents do not know: A key component of the malware that cybercriminals used in the attack was developed at taxpayer expense a short drive down the Baltimore-Washington Parkway at the National Security Agency, according to security experts briefed on the case.
Since 2017, when the N.S.A. lost control of the tool, EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world, leaving billions of dollars in damage. But over the past year, the cyberweapon has boomeranged back and is now showing up in the N.S.A.’s own backyard.
It is not just in Baltimore. Security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American towns and cities, from Pennsylvania to Texas, paralyzing local governments and driving up costs.
The N.S.A. connection to the attacks on American cities has not been previously reported, in part because the agency has refused to discuss or even acknowledge the loss of its cyberweapon, dumped online in April 2017 by a still-unidentified group calling itself the Shadow Brokers. Years later, the agency and the Federal Bureau of Investigation still do not know whether the Shadow Brokers are foreign spies or disgruntled insiders.
Thomas Rid, a cybersecurity expert at Johns Hopkins University, called the Shadow Brokers episode “the most destructive and costly N.S.A. breach in history,” more damaging than the better-known leak in 2013 from Edward Snowden, the former N.S.A. contractor.
“The government has refused to take responsibility, or even to answer the most basic questions,” Mr. Rid said. “Congressional oversight appears to be failing. The American people deserve an answer.”
The N.S.A. and F.B.I. declined to comment.
Since that leak, foreign intelligence agencies and rogue actors have used EternalBlue to spread malware that has paralyzed hospitals, airports, rail and shipping operators, A.T.M.s and factories that produce critical vaccines. Now the tool is hitting the United States where it is most vulnerable, in local governments with aging digital infrastructure and fewer resources to defend themselves.
Before it leaked, EternalBlue was one of the most useful exploits in the N.S.A.’s cyberarsenal. According to three former N.S.A. operators who spoke on the condition of anonymity, analysts spent almost a year finding a flaw in Microsoft’s software and writing the code to target it. Initially, they referred to it as EternalBluescreen because it often crashed computers — a risk that could tip off their targets. But it went on to become a reliable tool used in countless intelligence-gathering and counterterrorism missions.
EternalBlue was so valuable, former N.S.A. employees said, that the agency never seriously considered alerting Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand.
The Baltimore attack, on May 7, was a classic ransomware assault. City workers’ screens suddenly locked, and a message in flawed English demanded about $100,000 in Bitcoin to free their files: “We’ve watching you for days,” said the message, obtained by The Baltimore Sun. “We won’t talk more, all we know is MONEY! Hurry up!”
Today, Baltimore remains handicapped as city officials refuse to pay, though workarounds have restored some services. Without EternalBlue, the damage would not have been so vast, experts said. The tool exploits a vulnerability in unpatched software that allows hackers to spread their malware faster and farther than they otherwise could.
North Korea was the first nation to co-opt the tool, for an attack in 2017 — called WannaCry — that paralyzed the British health care system, German railroads and some 200,000 organizations around the world. Next was Russia, which used the weapon in an attack — called NotPetya — that was aimed at Ukraine but spread across major companies doing business in the country. The assault cost FedEx more than $400 million and Merck, the pharmaceutical giant, $670 million.
The damage didn’t stop there. In the past year, the same Russian hackers who targeted the 2016 American presidential election used EternalBlue to compromise hotel Wi-Fi networks. Iranian hackers have used it to spread ransomware and hack airlines in the Middle East, according to researchers at the security firms Symantec and FireEye.
“It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used,” said Vikram Thakur, Symantec’s director of security response.
One month before the Shadow Brokers began dumping the agency’s tools online in 2017, the N.S.A. — aware of the breach — reached out to Microsoft and other tech companies to inform them of their software flaws. Microsoft released a patch, but hundreds of thousands of computers worldwide remain unprotected.
Hackers seem to have found a sweet spot in Baltimore, Allentown, Pa., San Antonio and other local American governments, where public employees oversee tangled networks that often use out-of-date software. Last July, the Department of Homeland Security issued a dire warning that state and local governments were getting hit by particularly destructive malware that now, security researchers say, has started relying on EternalBlue to spread.
Microsoft, which tracks the use of EternalBlue, would not name the cities and towns affected, citing customer privacy. But other experts briefed on the attacks in Baltimore, Allentown and San Antonio confirmed the hackers used EternalBlue. Security responders said they were seeing EternalBlue pop up in attacks almost every day.
Amit Serper, head of security research at Cybereason, said his firm had responded to EternalBlue attacks at three different American universities, and found vulnerable servers in major cities like Dallas, Los Angeles and New York.
The costs can be hard for local governments to bear. The Allentown attack, in February last year, disrupted city services for weeks and cost about $1 million to remedy — plus another $420,000 a year for new defenses, said Matthew Leibert, the city’s chief information officer.
He described the package of dangerous computer code that hit Allentown as “commodity malware,” sold on the dark web and used by criminals who don’t have specific targets in mind. “There are warehouses of kids overseas firing off phishing emails,” Mr. Leibert said, like thugs shooting military-grade weapons at random targets.
The malware that hit San Antonio last September infected a computer inside the Bexar County sheriff’s office and tried to spread across the network using EternalBlue, according to two people briefed on the attack.
This past week, researchers at the security firm Palo Alto Networks discovered that a Chinese state group, Emissary Panda, had hacked into Middle Eastern governments using EternalBlue.
“You can’t hope that once the initial wave of attacks is over, it will go away,” said Jen Miller-Osborn, a deputy director of threat intelligence at Palo Alto Networks. “We expect EternalBlue will be used almost forever, because if attackers find a system that isn’t patched, it is so useful.”
Until a decade or so ago, the most powerful cyberweapons belonged almost exclusively to intelligence agencies — N.S.A. officials used the term “NOBUS,” for “nobody but us,” for vulnerabilities only the agency had the sophistication to exploit. But that advantage has hugely eroded, not only because of the leaks, but because anyone can grab a cyberweapon’s code once it’s used in the wild.
Some F.B.I. and Homeland Security officials, speaking privately, said more accountability at the N.S.A. was needed. A former F.B.I. official likened the situation to a government failing to lock up a warehouse of automatic weapons.
In an interview in March, Adm. Michael S. Rogers, who was director of the N.S.A. during the Shadow Brokers leak, suggested in unusually candid remarks that the agency should not be blamed for the long trail of damage.
“If Toyota makes pickup trucks and someone takes a pickup truck, welds an explosive device onto the front, crashes it through a perimeter and into a crowd of people, is that Toyota’s responsibility?” he asked. “The N.S.A. wrote an exploit that was never designed to do what was done.”
At Microsoft’s headquarters in Redmond, Wash., where thousands of security engineers have found themselves on the front lines of these attacks, executives reject that analogy.
“I disagree completely,” said Tom Burt, the corporate vice president of consumer trust, insisting that cyberweapons could not be compared to pickup trucks. “These exploits are developed and kept secret by governments for the express purpose of using them as weapons or espionage tools. They’re inherently dangerous. When someone takes that, they’re not strapping a bomb to it. It’s already a bomb.”
Brad Smith, Microsoft’s president, has called for a “Digital Geneva Convention” to govern cyberspace, including a pledge by governments to report vulnerabilities to vendors, rather than keeping them secret to exploit for espionage or attacks.
Last year, Microsoft, along with Google and Facebook, joined 50 countries in signing on to a similar call by French President Emmanuel Macron — the Paris Call for Trust and Security in Cyberspace — to end “malicious cyber activities in peacetime.”
Notably absent from the signatories were the world’s most aggressive cyberactors: China, Iran, Israel, North Korea, Russia — and the United States.