Chinese spyware code copied from US NSA: researchers

WASHINGTON – Chinese spies used code first developed by the U.S. National Security Agency to support their hacking operations, Israeli researchers said on Monday, another indication of how malware developed by governments can come back to affect its creators.

Tel Aviv-based Check Point Software Technologies issued a report stating that some characteristics of a China-linked piece of malware it calls "Jian" were so similar that they could only have been stolen from some of the National Security Agency intrusion tools leaked to the Internet in 2017.

Yaniv Balmas, the head of research at Checkpoint, called Jian "a kind of knockoff, a Chinese replica."

The finding comes as some experts argue that American spies should spend more energy fixing flaws they find in software rather than developing and deploying malicious software to exploit it.

The NSA declined to comment. The Chinese embassy in Washington did not respond to requests for comment.

A person familiar with the matter said that Lockheed Martin Corp, which is credited with identifying the vulnerability exploited by Jian in 2017, discovered it on the network of an unidentified third party.

In a statement, Lockheed said it "routinely evaluates third-party software and technologies to identify vulnerabilities."

Countries around the world develop malware that breaks into rivals’ devices by exploiting flaws in the software that runs them. Each time spies discover a new flaw, they must decide whether to quietly exploit it or fix the problem to thwart rivals and rogues.

That dilemma caught the public's attention between 2016 and 2017, when a mysterious group calling itself the "Shadow Brokers" posted some of the NSA's most dangerous code on the internet, allowing cybercriminals and rival nations to add US-made digital intrusion tools to their own arsenals.

It is unclear how the Jian malware analyzed by Checkpoint was used. In a notice published in 2017, Microsoft Corp suggested it was linked to a Chinese entity it calls "Zirconium," which last year was accused of targeting US organizations and individuals related to the elections, including individuals associated with the campaign of US President Joe Biden.

Checkpoint says that Jian appears to have been created in 2014, at least two years before the Shadow Brokers made their public debut. That, coupled with research published in 2019 by Broadcom Inc.-owned cybersecurity firm Symantec into a similar incident, suggests that the NSA has repeatedly lost control of its own malware over the years.

The Checkpoint investigation is thorough and "appears legitimate," said Costin Raiu, a researcher at the Moscow-based antivirus firm Kaspersky Lab, which has helped analyze some of the NSA's malware.

Balmas said one possible conclusion from his company's report was that spymasters weighing whether to keep software flaws secret should think twice about using a vulnerability for their own purposes.

"Perhaps it is more important to fix this and save the world," Balmas said. "It could be used against you."

By Raphael Satter