Chinese spies may have fed stolen NSA tools to WannaCry creators

A group called Shadow Brokers leaked sets of hacking tools back in 2017 that led to massive security breaches around the world, including the infamous WannaCry ransomware attacks. While the group maintained that it stole the tools from the US National Security Agency (NSA), it was a mystery how it got its hands on them. Now, a Symantec report has revealed that the source might have been Chinese intelligence agents who captured the tools while the NSA was attacking their computers.
Symantec has found that the Buckeye group -- its codename for a Guangzhou-based contractor for the Chinese Ministry of State Security, also tracked as APT3 -- had been using the stolen NSA tools at least a year before the Shadow Brokers leak. The security firm believes that Buckeye captured the tools during an NSA attack on its own systems and then modified them into its own versions.
The group would have been capable of that: according to a memo The New York Times reviewed, the NSA considers it one of the most dangerous Chinese contractors. Buckeye was reportedly responsible for attacking American makers of space, satellite and nuclear propulsion technology. Symantec says it eventually used the captured and repurposed tools to stage cyberattacks on research organizations, educational institutions and other infrastructure in Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong. In at least one instance, it gained access to millions of private communication logs from a major telecommunications network.
If Buckeye was truly the source of the Shadow Brokers leak, then it was also indirectly responsible for the attacks by North Korean and Russian hackers that used the leaked tools. The WannaCry ransomware attack attributed to North Korea crippled the UK's National Health Service and disrupted vaccine supplies, and the attack attributed to Russian hackers incapacitated critical Ukrainian services, including the postal system, airports and ATMs.
Eric Chien, a security director at Symantec, told the NYT that American intelligence agencies need to take seriously the possibility that adversaries will capture and repurpose US-developed tools used against them, and that those adversaries can then turn those tools -- paid for by American taxpayers -- against US networks and infrastructure. He said:
"This is the first time we've seen a case -- that people have long referenced in theory -- of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others."
That said, Symantec didn't find evidence that Buckeye used the NSA's tools against the US. One explanation the firm offers is that the group assumed the NSA had already built defenses against its own weapons. It's not clear whether that's true, but if it isn't, the agency should seriously consider doing just that.
