Israeli researchers have found that malware used by a Chinese state-linked group, and detected by Lockheed Martin's Computer Incident Response Team in 2017, appears to have been copied from one of the US National Security Agency's own exploit tools.
'Jian', malware used by APT31, a China-based advanced persistent threat group, had been used against the US aerospace giant Lockheed Martin. In 2017, Lockheed Martin's Computer Incident Response Team detected it on its systems and reported the underlying flaw to Microsoft, which pointed to a possible cyberattack against an American target.
APT31 is a China-based cyberespionage group focused on obtaining information that can give the Chinese government and state-owned enterprises political, economic, and military advantages.
It has targeted government, international financial organizations, aerospace and defense companies as well as construction, engineering, telecommunications, media, and insurance firms.
Tel Aviv-based Check Point Software Technologies has released a report showing that portions of the China-linked malware Jian closely match code from the NSA exploit tools that were leaked on the internet in 2017.
According to the report, a state-sponsored hacking group from China lifted code from an NSA hacking tool as early as 2014, roughly three years before that leak, and reused it to build its own tools for surveillance and intrusion.
The researchers said the tool exploited a Windows local privilege-escalation flaw: once attackers already had a foothold on a machine, it let them elevate to the highest privilege level and so push further into the compromised system or network. Check Point's head of research Yaniv Balmas called 'Jian' "kind of a copycat, a Chinese replica."
While neither the US nor China has commented on the claims, Costin Raiu, a researcher with Moscow-based antivirus firm Kaspersky Lab, told the news agency Reuters that Check Point's research is thorough and "looks legit".
Lockheed had detected the malware while routinely evaluating third-party software and technologies for vulnerabilities. In 2016 and 2017, a group calling itself the 'Shadow Brokers' had published a trove of NSA exploit code on the internet, giving cybercriminals and rival nations access to American-made digital break-in tools.
The research report highlights that an exploit for a Windows vulnerability, previously attributed to a Chinese attack group, was built on 'EpMe', a hacking tool created by the Equation Group, the security industry's name for a hacking unit linked to the NSA.
Because the Chinese group's tool is a replica of 'EpMe', the researchers concluded that a Chinese-affiliated group used an Equation Group exploit, possibly against American targets. One caveat the report itself raises: the copy predates the Shadow Brokers leak, so code similarity alone does not explain how the exploit was obtained; Check Point's suggested explanation is that the Chinese group captured it in the field, for instance from an Equation Group operation against Chinese systems or from a compromised Equation Group server.