Chinese state-linked hackers used code first developed by the United States (US) National Security Agency (NSA) to support their own hacking operations, Israeli researchers claimed on February 22. Tel Aviv-based Check Point Software Technologies issued a report that Monday noting that certain features of a piece of China-linked malware dubbed ‘Jian’ were so similar to the NSA’s break-in tools, which were leaked to the internet back in 2017, that they could only have been copied from them. Check Point’s head of research, Yaniv Balmas, reportedly called Jian “kind of a copycat, a Chinese replica” of “EpMe”, an offensive tool from the US-affiliated Equation Group that was still in active use.

The claims by the Israeli researchers came as some experts reportedly argued that American spies should invest more resources in fixing software flaws rather than in developing and deploying malicious software to exploit them. Both Jian, used by the Chinese-affiliated attack group APT31, and EpMe, the US-affiliated Equation Group tool, exploit the same then-unknown (zero-day) Windows vulnerability, CVE-2017-0005, which Check Point said was used for “elevating the privileges of the attacker on the infected machine.”

US version was cloned by APT31 during 2014

The Israeli researchers also noted that APT31 cloned the US version of the tool during 2014 to form ‘Jian’. The Chinese clone was then used from 2015 until it was finally caught and patched in March 2017. Check Point’s report also said that ‘Jian’ was reported to Microsoft by Lockheed Martin’s Computer Incident Response Team, hinting at a potential attack against a US target.

The report stated, “Our research shows that CVE-2017-0005, a Windows LPE vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT had access to. ‘EpMe’, the Equation Group exploit for CVE-2017-0005, is one of 4 different LPE exploits included in the DanderSpritz attack framework.”

However, cautioning against the repercussions of transferring or ‘stealing’ cyberweapons, researchers Eyal Itkin and Itay Cohen explained in their research blog, “Stealing them and transferring from one continent to another can be as simple as sending an email. They are also very obscure, and their mere existence is a closely guarded secret. That is exactly why, as opposed to a nuclear submarine, stealing a cyber-weapon can easily go under the radar and become a fact known only to a selected few.”

