Chinese hackers stole another NSA-linked hacking tool, research finds

A growing body of research shows Chinese hackers going after NSA tools.
NSA, National Security Agency, RSA 2019, china nsa hacking tools, NSA cybersecurity directorate, ghidra vulnerability
(Scoop News Group photo)

The U.S. intelligence community was rocked in 2017 when a group of mysterious hackers known as the Shadow Brokers leaked a trove of National Security Agency hacking tools for public consumption.

The exact identity of the leakers remains unknown to this day. According to a growing body of security research, though, hackers with suspected links to the Chinese government may have had access to some of the same tools before they were published, and the Shadow Brokers may not be the only thieves the U.S. intelligence community has to worry about.

According to new research from Israeli security firm Check Point published Monday, a group of Chinese hackers known as APT31 appear to have copied an exploit developed by Equation Group, a hacking group broadly believed to be associated with the NSA, more than two years before the Shadow Brokers leaked the trove of NSA tools.

The exploit, which Check Point dubbed “Jian,” would have allowed attackers to run escalation of privileges against victims. While Jian was originally attributed to APT31 years ago, the tool was actually developed based on an NSA-linked tool called “EpMe,” according to Check Point’s analysis.


The Chinese hackers allegedly used Jian from 2014 through 2017, until Microsoft patched the vulnerability, according to Check Point. Lockheed Martin’s Computer Incident Response Team reported the Chinese-run operation to Microsoft in 2017, which Check Point says suggests the Chinese hackers were repurposing a U.S. intelligence agency’s tools to target American companies.

The research shows the resourcefulness of the APT31 group, which is known for its tenaciousness and which historically has targeted telecommunications and technology firms as well as non-governmental-organizations

It’s not the first time researchers have suggested that Chinese hackers gained access to NSA tools before the ShadowBrokers leaked their existence to the public.

A Chinese hacking group known as Winnti availed themselves of an NSA-linked implant years before the ShadowBrokers released the tool, ESET researchers found last year. Another Chinese hacking group, called APT3, or Buckeye, also had access to an NSA-linked backdoor and used it to infiltrate telecommunications companies around the world years before it was leaked, according to previous Symantec research.

There are a number of theories about how various Chinese hacking groups could have become aware of NSA’s tools before anyone else. Check Point previously assessed APT3 could have found the NSA-linked backdoor it used to target telecommunications firms by analyzing network traffic on a system that the NSA was targeting with the tool.


In much the same way, Check Point suggests the Chinese hackers could have uncovered the tools used in Jian if they had caught the NSA targeting their machines. The Chinese hackers could have also been monitoring or targeting a machine that the NSA simultaneously targeted. The Chinese hackers may have also found the exploit if they were monitoring or targeting NSA-linked infrastructure, Check Point posits.

The research about the NSA apparently losing control of its arsenal of exploits to Chinese hackers raises existential questions for the NSA — and intelligence agencies with cyber capabilities — about whether they can prevent their exploits from leaking and causing havoc on the world stage. And while the nature of how the Chinese hackers obtained the NSA-linked arsenal of tools remains obscured, information security researchers must wrestle with the fact that the overlaps could throw a wrench in attribution game plans.

The NSA declined to comment.

Military cyber commanders acknowledged in 2019 that when U.S. cyber-operators use exploits in the wild, there is always the possibility that other hackers can harness its power, learn from it or repurpose it.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts