Back in April 2017, when the Shadow Brokers hacker group released National Security Agency (NSA) cyber weapons into the wild, almost everyone in the cyber security community thought that this was the first such occurrence of rival hackers getting their hands on NSA hacking tools. But now it turns out that a particularly dangerous group of Chinese spies known as the Buckeye group (and also as APT3, Gothic Panda, TG-011, and UPS) may have been using some NSA cyber weapons as early as March 2016. If the new Symantec report is correct, it would be yet another embarrassing lapse for the NSA, which has come under fire for letting their powerful hacking tools fall into the wrong hands.

Are the Chinese hackers really Chinese spies?

As Symantec reported, the Buckeye group, which is known to have strong ties with the Chinese Ministry of State Security (and maybe perhaps even be a front organization for them), started using a unique version of the DoublePulsar backdoor exploit as early as March 2016. This backdoor exploit is one of the Equation Group tools leaked in April 2017. The Symantec researchers say that the 2016 version used by the Chinese state sponsored hackers is slightly different from the 2017 version leaked by the Shadow Brokers, implying that it had a different origin.

What has not been explained, however, is how the Chinese hackers got their hands on the NSA hacking tools before the Shadow Brokers leaked them to the public. One suggestion is that the hacking tools used by the Chinese spies were simply an “artifact” left behind by NSA hackers. The Chinese spies simply happened to discover the tools, and then reverse-engineered them to their own unique specifications. As one cyber security researcher explained, it would be as if the Chinese spies got their hands on an enemy soldier’s rifle, and then simply tried to use it as they did their own rifles.

That would help to explain why the tool was not used as widely as one might have thought: the Chinese spies simply did not understand the full power and potential of these tools. Instead of conducting cyber-espionage attacks against sensitive U.S. military and technology targets (including space, satellite and nuclear targets), the Buckeye group seemed content to target educational institutions in places like Hong Kong. The Symantec research team found that the Chinese version of the DoublePulsar exploit was also used in attacks in Belgium, Luxembourg, Vietnam and the Philippines, all before the Shadow Brokers made the tools widely available.

The Shadow Brokers unleash new cyber weapons

For now, nobody is suggesting that the Chinese hacking group broke into NSA headquarters and got their hands on the sophisticated hacking tools later leaked by the Shadow Brokers. However, people are questioning why NSA cyber weapons are starting to show up in the wrong hands. When the Shadow Brokers unleashed their trove of cyber hacking tools in April 2017, they were promptly adopted by North Korean hackers and members of the Russian intelligence services. And rogue hackers used tools like Eternal Romance, Eternal Synergy and DoublePulsar to create very powerful malware and worms, including most notably, WannaCry and NotPetya.

The Wild, Wild West for offensive cyber weapons

One thing is certain: the current cyber threat environment is much more dangerous now than anyone might have expected. In many ways, unleashing stockpiles of dangerous cyber weapons into the wild would be much like letting a stockpile of nuclear or chemical weapons fall into the wrong hands. The NSA has been operating with an unofficial NOBUS (“Nobody But Us”) approach to offensive cyber weapons, but now it looks like the days of NOBUS are over. One example here is the StuxNet virus, which was used to take down Iranian nuclear reactors. That virus, linked back to the U.S. security services, is now thought to be in the arsenal of state-sponsored hacking groups.

Based on the latest findings from Symantec, it’s clear the Chinese Ministry of State Security is going to be playing a much bigger role, regardless of U.S. efforts to keep NSA-linked offensive cyber weapons away from them. If the Buckeye group got their hands on the NSA’s Equation Group tools, then it’s clear that other Chinese spies might have access to them. At the end of 2017, the U.S. Justice Department charged three Chinese hackers with illegal hacking, and the thought was that the Buckeye Group was somehow being disbanded or broken up. But now, the rumor in the cyber security community is that an even more insidious group of Chinese spies (APT11, for “Advanced Persistent Threat No. 11”) may be at work. Not only do they have access to tools left behind by the Buckeye Group, but also they have access to all the tools exposed by the Shadow Brokers. In short, Chinese state-sponsored hackers might be just as dangerous as their NSA rivals in the United States.

What is the best response to state-sponsored hackers?

One difficult question to answer is just what sort of response governments can take if they believe that their computer systems have been compromised by a state-sponsored hacking group. For example, Buckeye was linked to a cyber security firm, Boyusec, known to be an extension of the Chinese security services. But does that mean that an attack by Buckeye is, by extension, an attack by the Chinese state? Where does the line begin and end?

Currently, for example, the U.S. government is mired in a major cyber dispute with Chinese tech giant Huawei. The U.S. government says that Huawei has been conducting cyber espionage on behalf of the Chinese government, and has banned the company from engaging in any government contracts with the United States. But Huawei says it is just a corporation, that it has done nothing wrong, and is not acting on behalf of the Chinese state.

Chinese Buckeye #hacker group is known to have strong ties with the Chinese Ministry of State Security, are they really Chinese spies? Click to Tweet

Yet, across North America, Europe and Asia, people are starting to question what role Chinese spies play in carrying out cyber hacks. Based on the timing of many attacks in the past, it appears as if they were being carried out in a coordinated fashion with the help of the Chinese state. And now those questions are going to be raised again, thanks to the newly-discovered appearance by Symantec of the cyber hacking tools leaked by the Shadow Brokers.