
How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks - The New York Times 5/7/19, 11:07 AM

POLITICS

How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks
By Nicole Perlroth, David E. Sanger and Scott Shane

May 6, 2019

Chinese intelligence agents acquired National Security Agency hacking tools and
repurposed them in 2016 to attack American allies and private companies in Europe
and Asia, a leading cybersecurity firm has discovered. The episode is the latest
evidence that the United States has lost control of key parts of its cybersecurity
arsenal.

Based on the timing of the attacks and clues in the computer code, researchers with
the firm Symantec believe the Chinese did not steal the code but captured it from an
N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle
and starts blasting away.

The Chinese action shows how proliferating cyberconflict is creating a digital wild
West with few rules or certainties, and how difficult it is for the United States to keep
track of the malware it uses to break into foreign networks and attack adversaries’
infrastructure.

The losses have touched off a debate within the intelligence community over
whether the United States should continue to develop some of the world’s most high-
tech, stealthy cyberweapons if it is unable to keep them under lock and key.

https://www.nytimes.com/2019/05/06/us/politics/china-hacking-cyber.html Page 1 of 6

The Chinese hacking group that co-opted the N.S.A.’s tools is considered by the
agency’s analysts to be among the most dangerous Chinese contractors it tracks,
according to a classified agency memo reviewed by The New York Times. The group
is responsible for numerous attacks on some of the most sensitive defense targets
inside the United States, including space, satellite and nuclear propulsion technology
makers.

Now, Symantec’s discovery, unveiled on Monday, suggests that the same Chinese
hackers the agency has trailed for more than a decade have turned the tables on the
agency.

Some of the same N.S.A. hacking tools acquired by the Chinese were later dumped
on the internet by a still-unidentified group that calls itself the Shadow Brokers and
used by Russia and North Korea in devastating global attacks, although there
appears to be no connection between China’s acquisition of the American
cyberweapons and the Shadow Brokers’ later revelations.

But Symantec’s discovery provides the first evidence that Chinese state-sponsored
hackers acquired some of the tools months before the Shadow Brokers first appeared
on the internet in August 2016.

Repeatedly over the past decade, American intelligence agencies have had their
hacking tools and details about highly classified cybersecurity programs resurface in
the hands of other nations or criminal groups.

The N.S.A. used sophisticated malware to destroy Iran’s nuclear centrifuges — and
then saw the same code proliferate around the world, doing damage to random
targets, including American business giants like Chevron. Details of secret American
cybersecurity programs were disclosed to journalists by Edward J. Snowden, a
former N.S.A. contractor now living in exile in Moscow. A collection of C.I.A.
cyberweapons, allegedly leaked by an insider, was posted on WikiLeaks.


“We’ve learned that you cannot guarantee your tools will not get leaked and used
against you and your allies,” said Eric Chien, a security director at Symantec.

Now that nation-state cyberweapons have been leaked, hacked and repurposed by
American adversaries, Mr. Chien added, it is high time that nation states “bake that
into” their analysis of the risk of using cyberweapons — and the very real possibility
they will be reassembled and shot back at the United States or its allies.

In the latest case, Symantec researchers are not certain exactly how the Chinese
obtained the American-developed code. But they know that Chinese intelligence
contractors used the repurposed American tools to carry out cyberintrusions in at
least five countries: Belgium, Luxembourg, Vietnam, the Philippines and Hong
Kong. The targets included scientific research organizations, educational institutions
and the computer networks of at least one American government ally.

One attack on a major telecommunications network may have given Chinese
intelligence officers access to hundreds of thousands or millions of private
communications, Symantec said.

Symantec did not explicitly name China in its research. Instead, it identified the
attackers as the Buckeye group, Symantec’s own term for hackers that the
Department of Justice and several other cybersecurity firms have identified as a
Chinese Ministry of State Security contractor operating out of Guangzhou.

Because cybersecurity companies operate globally, they often concoct their own
nicknames for government intelligence agencies to avoid offending any government;
Symantec and other firms refer to N.S.A. hackers as the Equation group. Buckeye is
also referred to as APT3, for Advanced Persistent Threat, and other names.


In 2017, the Justice Department announced the indictment of three Chinese hackers
in the group Symantec calls Buckeye. While prosecutors did not assert that the three
were working on behalf of the Chinese government, independent researchers and the
classified N.S.A. memo that was reviewed by The Times made clear the group
contracted with the Ministry of State Security and had carried out sophisticated
attacks on the United States.

A Pentagon report about Chinese military competition, issued last week, describes
Beijing as among the most skilled and persistent players in military, intelligence and
commercial cyberoperations, seeking “to degrade core U.S. operational and
technological advantages.”

In this case, however, the Chinese simply seem to have spotted an American
cyberintrusion and snatched the code, often developed at huge expense to American
taxpayers.

Symantec discovered that as early as March 2016, the Chinese hackers were using
tweaked versions of two N.S.A. tools, called Eternal Synergy and Double Pulsar, in
their attacks. Months later, in August 2016, the Shadow Brokers released their first
samples of stolen N.S.A. tools, followed by their April 2017 internet dump of its entire
collection of N.S.A. exploits.

Symantec researchers noted that there were many previous instances in which
malware discovered by cybersecurity researchers was released publicly on the
internet and subsequently grabbed by spy agencies or criminals and used for
attacks. But they did not know of a precedent for the Chinese actions in this case —
covertly capturing computer code used in an attack, then co-opting it and turning it
against new targets.


“This is the first time we’ve seen a case — that people have long referenced in theory
— of a group recovering unknown vulnerabilities and exploits used against them,
and then using these exploits to attack others,” Mr. Chien said.

The Chinese appear not to have turned the weapons back against the United States,
for two possible reasons, Symantec researchers said. They might assume Americans
have developed defenses against their own weapons, and they might not want to
reveal to the United States that they had stolen American tools.

For American intelligence agencies, Symantec’s discovery presents a kind of worst-case
scenario that United States officials have said they try to avoid using a White
House program known as the Vulnerabilities Equities Process.

Under that process, started in the Obama administration, a White House
cybersecurity coordinator and representatives from various government agencies
weigh the trade-offs of keeping the American stockpile of undisclosed vulnerabilities
secret. Representatives debate the stockpiling of those vulnerabilities for intelligence
gathering or military use against the very real risk that they could be discovered by
an adversary like the Chinese and used to hack Americans.

The Shadow Brokers’ release of the N.S.A.’s most highly coveted hacking tools in
2016 and 2017 forced the agency to turn over its arsenal of software vulnerabilities to
Microsoft for patching and to shut down some of the N.S.A.’s most sensitive
counterterrorism operations, two former N.S.A. employees said.

The N.S.A.’s tools were picked up by North Korean and Russian hackers and used for
attacks that crippled the British health care system, shut down operations at the
shipping corporation Maersk and cut short critical supplies of a vaccine
manufactured by Merck. In Ukraine, the Russian attacks paralyzed critical
Ukrainian services, including the airport, Postal Service, gas stations and A.T.M.s.


“None of the decisions that go into the process are risk free. That’s just not the
nature of how these things work,” said Michael Daniel, the president of the Cyber
Threat Alliance, who previously was cybersecurity coordinator for the Obama
administration. “But this clearly reinforces the need to have a thoughtful process
that involves lots of different equities and is updated frequently.”

Beyond the nation’s intelligence services, the process involves agencies like the
Department of Health and Human Services and the Treasury Department that want
to ensure N.S.A. vulnerabilities will not be discovered by adversaries or criminals
and turned back on American infrastructure, like hospitals and banks, or interests
abroad.

That is exactly what appears to have happened in Symantec’s recent discovery, Mr.
Chien said. In the future, he said, American officials will need to factor in the real
likelihood that their own tools will boomerang back on American targets or allies. An
N.S.A. spokeswoman said the agency had no immediate comment on the Symantec
report.

One other element of Symantec’s discovery troubled Mr. Chien. He noted that even
though the Buckeye group went dark after the Justice Department indictment of
three of its members in 2017, the N.S.A.’s repurposed tools continued to be used in
attacks in Europe and Asia through last September.

“Is it still Buckeye?” Mr. Chien asked. “Or did they give these tools to another group
to use? That is a mystery. People come and go. Clearly the tools live on.”

A version of this article appears in print on May 7, 2019, on Page A9 of the New York edition with the headline: How Chinese Spies Got N.S.A.’s Hacking Tools, and Went on the Attack
