The notion of a so-called zero-day vulnerability in software is supposed to mean, by definition, that it's secret. The term refers to a hackable flaw in code that the software's maker doesn't know about but that a hacker does—in some cases offering that hacker a powerful, stealthy skeleton key into the hearts of millions of computers. But according to new findings from security firm Symantec, one extraordinarily powerful flaw in Microsoft software at one point remained "secret" to Microsoft while at least three active hacker groups knew about it. And both before and after that secret became public in early 2017, it took a long, strange trip through the hands of intelligence agencies around the world, enabling years of espionage and, eventually, mayhem.

On Monday, Symantec revealed that it had traced how a hacker group it calls Buckeye—also known as APT3 or Gothic Panda and widely believed to be a contractor of the Chinese Ministry of State Security—used NSA hacking tools apparently intercepted from the networks of NSA targets and repurposed them against other victims, including US allies. Most notably, Symantec says, the Chinese group had planted an NSA backdoor on its victims' networks using a zero-day vulnerability in Microsoft's Server Message Block (SMB) software, a flaw it also seems to have learned about by studying the NSA's hacking tools.

That newly revealed hijacking of the NSA's intrusion techniques doesn't just dredge up longstanding questions about how and when the NSA should secretly exploit software vulnerabilities for spying rather than help software companies fix them. It also adds another chapter to the strange story of this particular zero-day's journey: discovered and weaponized by the NSA, intercepted by China, later stolen and leaked by another mysterious hacker group known as the Shadow Brokers, and ultimately used by North Korea and Russia in two of the most damaging and costly cyberattacks in history, WannaCry and NotPetya.

"Based on what we know historically, it’s extremely unusual to have a zero-day be utilized like this by multiple groups, some of them unbeknownst to each other, for years," says Eric Chien, a Symantec security analyst. "I can’t think of another case where something like this has ever happened."

With the addition of Symantec's findings, here's what we now know about the timeline of that zero-day's path.

Born at the NSA

The SMB vulnerability—labelled CVE-2017-0143 and CVE-2017-0144 in two slightly different forms—appears to have first been discovered by the NSA sometime before 2016, though the NSA has never publicly admitted to having used it. It wouldn't be tied to the agency until the Shadow Brokers leaked its exploit code in April 2017, revealing its integration in NSA tools called EternalBlue, EternalRomance, and EternalSynergy. By then Microsoft had already shipped a fix, bulletin MS17-010, in March 2017, so the attacks that followed hit machines that were unpatched or still exposing SMBv1 to the network.

The SMB zero-day no doubt represented a kind of precious specimen for the agency's spies. Microsoft's SMB feature allows the sharing of files and printers between PCs, and the SMBv1 server that handles those requests runs inside the Windows kernel, listening on TCP port 445. The agency's researchers found that a malformed SMBv1 request could corrupt the server's memory so that attacker-supplied data was treated as executable code. That made it a rare entry point: the NSA's hackers could run their own code on practically any Windows machine that exposed SMB to them, with no authentication and no interaction from the target user, and the code ran in the kernel, the deepest and most privileged part of the operating system. "It’s exactly the kind of vulnerability someone would want," Chien says. "The target doesn’t have to open a document or visit a website. You have a machine on the internet, and I can get you with it. I immediately have the highest privileges available to me."
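Because the flaw lives in SMBv1 specifically, the practical check a defender wants is whether that dialect is still being spoken on the network at all. The following is an added illustration, not code from the article or from Symantec: a minimal parser for the NetBIOS session framing and the leading bytes of an SMB header, enough to tell SMBv1 from SMBv2/3 and to recover the SMBv1 command byte, plus an audit routine that flags any SMBv1 message in a TCP/445 session. The second check it performs (an NT_TRANSACT request followed by a TRANSACTION2_SECONDARY in the same session) is a heuristic assumed for this example, not a vetted signature. The sample messages at the bottom are constructed by hand for the demo; they are not captures.

```python
"""Classify SMB messages from TCP/445 and flag SMBv1 use (added example)."""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_HEADER_LEN = 32   # MS-CIFS SMB_Header
SMB2_HEADER_LEN = 64   # MS-SMB2 packet header

# SMBv1 command codes (MS-CIFS) that this example recognises.
SMB1_COMMANDS = {
    0x25: "SMB_COM_TRANSACTION",
    0x32: "SMB_COM_TRANSACTION2",
    0x33: "SMB_COM_TRANSACTION2_SECONDARY",
    0x72: "SMB_COM_NEGOTIATE",
    0x73: "SMB_COM_SESSION_SETUP_ANDX",
    0x75: "SMB_COM_TREE_CONNECT_ANDX",
    0xA0: "SMB_COM_NT_TRANSACT",
    0xA1: "SMB_COM_NT_TRANSACT_SECONDARY",
}


def parse_smb(packet: bytes) -> dict:
    """Parse one NetBIOS-framed SMB message into {'version', 'command', 'length'}.

    Raises ValueError for anything that is not a well-formed SMB1/SMB2 message.
    """
    if len(packet) < 4:
        raise ValueError("too short for a NetBIOS session header")
    if packet[0] != 0x00:                          # 0x00 = session message
        raise ValueError(f"not a session message: type 0x{packet[0]:02x}")
    length = int.from_bytes(packet[1:4], "big")    # 24-bit big-endian length
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated: NetBIOS length exceeds captured bytes")
    magic = body[:4]
    if magic == SMB1_MAGIC:
        if len(body) < SMB1_HEADER_LEN:
            raise ValueError("truncated SMB1 header")
        cmd = body[4]                              # Command byte follows the magic
        return {"version": 1,
                "command": SMB1_COMMANDS.get(cmd, f"0x{cmd:02x}"),
                "length": length}
    if magic == SMB2_MAGIC:
        if len(body) < SMB2_HEADER_LEN:
            raise ValueError("truncated SMB2 header")
        cmd = struct.unpack_from("<H", body, 12)[0]   # Command field at offset 12
        return {"version": 2, "command": cmd, "length": length}
    raise ValueError(f"unknown protocol id {magic!r}")


def audit_session(packets: list) -> list:
    """Return alert strings for one TCP/445 session's messages, in order.

    Check 1: any SMBv1 message at all (the dialect that should be disabled).
    Check 2 (heuristic assumed for this example): TRANSACTION2_SECONDARY
    arriving after NT_TRANSACT in the same session.
    """
    alerts = []
    seen_nt_transact = False
    smb1_count = 0
    for index, packet in enumerate(packets):
        try:
            msg = parse_smb(packet)
        except ValueError as exc:
            alerts.append(f"msg {index}: unparseable ({exc})")
            continue
        if msg["version"] != 1:
            continue
        smb1_count += 1
        if msg["command"] == "SMB_COM_NT_TRANSACT":
            seen_nt_transact = True
        elif msg["command"] == "SMB_COM_TRANSACTION2_SECONDARY" and seen_nt_transact:
            alerts.append(f"msg {index}: TRANSACTION2_SECONDARY after NT_TRANSACT")
    if smb1_count:
        alerts.insert(0, f"{smb1_count} SMBv1 message(s) in session; SMBv1 should be disabled")
    return alerts


# --- constructed sample messages (hand-built for the demo, not real captures) ---
def build_smb1(command: int, payload: bytes = b"") -> bytes:
    body = SMB1_MAGIC + bytes([command]) + b"\x00" * (SMB1_HEADER_LEN - 5) + payload
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_smb2(command: int) -> bytes:
    header = SMB2_MAGIC + struct.pack("<HHIH", 64, 0, 0, command)
    body = header + b"\x00" * (SMB2_HEADER_LEN - len(header))
    return b"\x00" + len(body).to_bytes(3, "big") + body


SAMPLE_CLEAN = [build_smb2(0x0000)]                        # SMB2 NEGOTIATE only
SAMPLE_SMB1 = [
    build_smb1(0x72),                                      # SMB1 NEGOTIATE
    build_smb1(0x73),                                      # SESSION_SETUP_ANDX
    build_smb1(0xA0, payload=b"A" * 64),                   # NT_TRANSACT
    build_smb1(0x33, payload=b"B" * 64),                   # TRANSACTION2_SECONDARY
]

if __name__ == "__main__":
    for name, session in (("clean", SAMPLE_CLEAN), ("smb1", SAMPLE_SMB1)):
        print(name, audit_session(session) or ["no findings"])
```

Feeding it real traffic means reassembling each TCP/445 stream and splitting it on the NetBIOS length prefix before calling `audit_session`; the parser only looks at header bytes, so it says nothing about whether a given request actually triggers the bug, only that the vulnerable dialect is in use.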