The N.S.A. used sophisticated malware to destroy Iran’s nuclear centrifuges — and then saw the same code proliferate around the world, doing damage to random targets, including American business giants like Chevron. Details of secret American cybersecurity programs were disclosed to journalists by Edward J. Snowden, a former N.S.A. contractor now living in exile in Moscow. A collection of C.I.A. cyberweapons, allegedly leaked by an insider, was posted on WikiLeaks.

“We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies,” said Eric Chien, a security director at Symantec.

Now that nation-state cyberweapons have been leaked, hacked and repurposed by American adversaries, Mr. Chien added, it is high time that nation states “bake that into” their analysis of the risk of using cyberweapons — and the very real possibility they will be reassembled and shot back at the United States or its allies.

In the latest case, Symantec researchers are not certain exactly how the Chinese obtained the American-developed code. But they know that Chinese intelligence contractors used the repurposed American tools to carry out cyberintrusions in at least five countries or territories: Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong. The targets included scientific research organizations, educational institutions and the computer networks of at least one American government ally.

One attack on a major telecommunications network may have given Chinese intelligence officers access to hundreds of thousands or millions of private communications, Symantec said.

Symantec did not explicitly name China in its research. Instead, it identified the attackers as the Buckeye group, Symantec’s own term for hackers that the Department of Justice and several other cybersecurity firms have identified as a Chinese Ministry of State Security contractor operating out of Guangzhou.

Because cybersecurity companies operate globally, they often concoct their own nicknames for government intelligence agencies to avoid offending any government; Symantec and other firms refer to N.S.A. hackers as the Equation group. Buckeye is also referred to as APT3, for Advanced Persistent Threat, and other names.