The Chinese group, identified as APT31, used the exploit, along with other hacking tools, to stage attacks, Check Point, an IT security firm, said in a research note. Generally, an APT, or Advanced Persistent Threat, is associated with nation-state cyber activity.
“Check Point Research has determined that Chinese hackers cloned and actively used the cyber offensive tool of a US-based hacking group [that] is believed to be tied to the NSA,” a Check Point spokesperson said to Fox News in a statement.
“And it not only got into [Chinese] hands, but they repurposed it and used it, likely against US targets,” the spokesperson said.
Fox News has reached out to the NSA and the Chinese Embassy for comment.
The hacking tool that the Chinese used, called Jian, was a “replica” of EpMe, a Windows hacking tool associated with the Equation Group, the name given to a hacker group that is part of the NSA, according to Check Point.
That group was described by cybersecurity firm Kaspersky in 2015 as “one of the most sophisticated cyberattack groups in the world.”
The replicated software was used between 2014 and 2017. The flaw, or vulnerability, wasn’t fixed until 2017, Check Point said.
Essentially, it would allow hackers to gain highly privileged access to Microsoft Windows systems and, through them, deep access to networks.
The vulnerability was first caught by Lockheed Martin’s Incident Response team and then detailed by Microsoft in 2017, Check Point said.
“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in its Executive Summary of the flaw.
The 2017 Microsoft update addressed the vulnerability by “preventing instances of unintended user-mode privilege elevation.”
This is not the first time something like this has happened. Chinese hackers took advantage of NSA hacking tools EternalBlue and EternalRomance, as reported by cybersecurity firm Symantec in 2018.
In this case, “the consensus among our group of security researchers as well as in Symantec was that the Chinese exploit was reconstructed from captured network traffic,” Check Point said.