When it was alleged earlier this year that secretive Chinese hacking group APT3 had used vicious NSA cyber weapons to attack U.S. allies in 2016 and 2017, there was embarrassment, surprise and consternation in equal measures. The same tools had been leaked online in 2017 by the clandestine Shadow Brokers—but, according to Symantec, APT3 had been using the NSA tools beforehand. And that left a major question unanswered—how had the Chinese stolen such dangerous cyber weapons?
Now, a report published on Thursday [September 5] by rival cyber powerhouse Check Point sets out to resolve the mystery. And their answer is potentially just as damaging—because Check Point’s research team believes the Chinese set deliberate traps to capture American cyber weapons, they were not discovered and seized by accident.
“The Chinese want the same capabilities as the U.S.,” Check Point researcher Mark Lechtik explains to me, “to infiltrate victim machines through exploitation—but they want to be equal not by investing, but by cheating.”
The backdrop to these latest findings is the emergence of more complex cyberwarfare than we have seen before. This is a multifaceted conflict, taking in tensions in the Gulf, the arms race between the U.S., China and Russia, nation-state cyber terrorism—where sponsored threat actors attack critical infrastructure or commercial targets—and nation-state cyber theft, where attacks have a commercial motive, as seen with allegations that North Korea funded weapons programs in this way.
At the heart of much of this activity is the increasing threat from proxy actors, state-sponsored hacking groups given operational flexibility in exchange for some plausible deniability. Analysis in this space inevitably relies on assumptions and speculation—it is quite different from the activities directly attributable to state agencies themselves.
“It’s not always clear how threat actors achieve their exploitation tools,” Check Point explains, and while it’s usually assumed that such groups “conduct their own R&D or get tools from third parties,” in the case of this particular Chinese group “we have evidence to show that a third scenario took place—one where attack artefacts of a rival were used as the basis and inspiration for establishing in-house offensive capabilities.”
The exploit tools in question were reportedly developed by the Equation Group—an offensive cyberwarfare unit affiliated with the NSA. The leaking by the Shadow Brokers of such material had serious reputational consequences—the New York Times claimed it “shook NSA to its core,” made far worse when the tools were seen in the hands of foreign threat actors. Russian and North Korean groups conducted offensive campaigns leveraging the U.S. tech, as did APT3—a hacking team affiliated with China’s Ministry of State Security. APT3, though, used the tools before the leaks.
The story of APT3, its deployment of NSA tools and the unexplained timing of those deployments was first disclosed by Symantec in a report published in May. According to Symantec, APT3 was using Equation Group tools “to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak,” with variants of those tools “appearing to be different from those released by Shadow Brokers, potentially indicating that they didn’t originate from that leak.”
How APT3 “obtained Equation Group tools at least a year prior to the Shadow Brokers leak,” Symantec acknowledged, “remains unknown.”
And so Check Point has delved further into this unexplained timing. “What Symantec could not elaborate on, or refrained from elaborating on,” Lechtik explains to me, “is the detail as to how the Chinese built a similar tool before the NSA one leaked. What we’re trying to do is give our perspective as to how that was done, through technical analysis of the Chinese attack tool.”
Check Point believes that the Equation Group tool captured and adapted by APT3 was EternalRomance, part of the same exploit set that included EternalBlue—used to devastating effect in the 2017 WannaCry and NotPetya attacks. The adapted EternalRomance tool in APT3’s hands was dubbed Bemstour and was designed to deliver remote code execution (RCE) attacks against the kernel of targeted computers.
In its report, Symantec posed “multiple possibilities” as to how APT3 obtained the underlying NSA tool before the Shadow Brokers leak. But, “based on the timing of the attacks and clues in the computer code,” the New York Times concluded that the most likely possibility is that “the Chinese captured it from an NSA attack on their own computers—like a gunslinger who grabs an enemy’s rifle.”
Check Point claims to have provided the evidence to substantiate Symantec’s speculation that the exploit may have been lifted from an attacked machine. But there’s a twist—was this good fortune or good tradecraft? Finding a machine that had been attacked with retrievable traces of code is one thing. Setting up a machine as a trap, leaving it in the wild and watching and waiting for an attack is quite another. And this is the implication of what’s being reported here.
“What we were able to confirm,” Lechtik now tells me, “is that the Chinese obtained some artefact, not the exact attack tool, that enabled them to recreate their own version of the American attack tool—the American exploit.” According to Lechtik, APT3 “monitored machines inside China to find an American attack, reverse engineering it and using their insights to recreate their own version.”
So what you think has happened, I say to Lechtik, is that China baited the NSA, put machines out on the network, waited for an attack, pulled what they could from it?
“Yes,” he tells me, “it’s speculation, of course, but yes.”
Examining the APT3 code, Check Point found “packets were assigned with hardcoded and seemingly arbitrary data,” and assumed “the developers were trying to recreate the exploit based on previously recorded traffic.” And if that means captured network traffic helped adapt the exploit, “it was likely collected from a machine controlled by APT3—most likely targeted by the NSA and monitored by the group.”
Lechtik and his Check Point team believe this is “an indicator of a general practice that is going on between China and the U.S.” What they mean is that the U.S. and China are in a cyberwarfare arms race—the U.S. is spending more, pushing China into seeking alternative means to keep pace. “China wanted to reach the same level as the U.S., and building a backdoor was the way to do that—to leverage U.S. resources.”
“Repeatedly over the past decade,” the Times pointed out in May, “U.S. intelligence agencies have had hacking tools and details about highly classified cybersecurity programs resurface in the hands of other nations or criminal groups—the episode is the latest evidence the U.S. has lost control of key parts of its cybersecurity arsenal.”
The idea of stealing enemy exploits in this way “has been discussed,” Lechtik tells me, “to collect attack tools of foreign actors, to use those as decoys, to obscure—but we actually haven’t seen evidence in the wild other than this.” And for Lechtik, the idea of a decoy, a so-called false flag attack is secondary. “The primary objective,” he says, “is to get the same powers as the NSA in terms of cyberwarfare.”
Interestingly, although APT3 had built its reputation attacking U.S. targets, the group was not seen using the stolen attack tools on the U.S. itself, but on other targets in other countries. “The U.S. is the inspiration, not the target,” Lechtik says to me, “attacking the U.S. with its own tools that were stolen would only deepen the conflict [between the two countries].” You can see the logic here. Using the attack tools in front of their creator would have been extremely high-risk.
Symantec pointed out the presence of an additional, previously unknown Windows exploit in APT3’s attack methodology, a vulnerability reported to Microsoft in September 2018 and patched in March 2019. This followed the NSA pattern: as operating systems patched vulnerabilities, the Shadow Brokers leak showed that multiple exploits were chained together to target updated systems.
It appears that APT3 replicated this approach, but not with the additional NSA exploit, as they likely did not have access to it. “In this sense,” Check Point explains, “APT3 crafted its own exploit from other exploits—a tactic very similar to one used by the Equation group. As this threat group also uses the name UPS team, we decided to name their version of the exploit bundle UPSynergy.”
Beyond the alleged theft of a U.S. exploit, there are other interesting concepts of operation in the activities of APT3. The tools required access to a known domain, and so were likely combined with separate phishing-style credential thefts that targeted specific organizations, or used data stolen in broader attacks, to gain that access.
APT3 is viewed as one of the most dangerous threat groups to have operated in the shadows of Chinese state agencies in recent years. Symantec identified attacks in Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong, all of which leveraged the U.S. exploit. U.S. allies targeted by the Chinese using U.S. code.
“The losses have touched off a debate within the intelligence community,” the Times reported, “over whether the U.S. should continue to develop some of the world’s most high-tech, stealthy cyber weapons if it is unable to keep them under lock and key.”
In the cat-and-mouse game of cyberwarfare there are few surprises in the tactics alleged of China and its threat groups. Put simply, why wouldn’t they bait traps to capture U.S. code, whether to mount attacks or to bolster defences? What’s interesting, as always in nation-state cyber, is the unmasking of activities that for the most part remain firmly hidden from view.
More broadly, for the U.S., the implications of China trapping its attacks and repurposing its expensive code have seriously difficult optics. And while APT3 seemed to drop from the radar in 2017, Symantec reported that the stolen and adapted tools were still doing the rounds until late last year. And, as ever with cyber, these are just the ones we know about. Once genies leave bottles in this world, they rarely return.