Written by Shannon Vavra

A Chinese hacking group that has been using tools linked with the National Security Agency might have obtained at least one without breaching NSA systems, according to researchers at cybersecurity company Check Point.

The Chinese hacking group APT3, which somehow had in its possession an NSA-linked tool in advance of public leaks in 2016 and 2017, appears to have acquired it by analyzing network traffic on a system that was potentially targeted by the NSA, Check Point says. The theory is that after observing the exploit in the wild, APT3 incorporated it into its own arsenal of attacks with some tweaks, the researchers say.

“Check Point learned that the Chinese group was monitoring in-house machines that were compromised by the NSA, capturing the traffic of the attack and was leveraging it to reverse engineer the software vulnerabilities,” the researchers write.

Check Point acknowledges that it “can’t prove this beyond any doubt.” The company says it does not know for sure that network traffic was used as a reference to build a Chinese exploit based on the NSA-linked tool, but it points to clues in the Windows Server Message Block (SMB) packets in the APT3 version of the tool. Windows SMB is a communication protocol that PCs use for file sharing or remote services, making it an attractive target for hackers.

The Chinese possession of NSA-linked tools in advance of the 2016 and 2017 leaks — for which a mysterious group known as the Shadow Brokers takes the credit — was originally reported by Symantec. But it remained unclear how the Chinese had come into possession of the exploits.

Check Point says it is possible that the Chinese group’s own machines were targeted with the exploit in question, and that is how the hackers observed it and repurposed it. It is also possible that a machine that the Chinese had compromised and were monitoring was simultaneously targeted by the NSA, the researchers say. Another possibility is that the Chinese set up a machine on purpose to watch for NSA-linked attacks to then borrow from the U.S. government’s technical prowess, the report says.

The company’s research also does not completely rule out some other indirect access to NSA materials — a possibility that a previous Symantec report acknowledged as well. The NSA also shares tools with allies, and APT3 could have noticed the exploit because one of them targeted its machines. It is also possible another sophisticated group independently found the same vulnerability and created the same exploit, which the Chinese then repurposed.

U.S. military commanders acknowledge that anytime U.S. teams deploy an exploit, it could end up in the hands of adversaries.

U.S. Cyber Command’s director of capabilities and resource integration, Maj. Gen. Karl Gingrich, said earlier this year to reporters during a briefing in Fort Meade, Maryland, that protecting tools from theft is a “priority … but at the end of the day once you have used the tool, it’s out there.” David Luber, the executive director of U.S. Cyber Command, told reporters at the time “there’s always a risk calculus in any sort of operation that we take on in Cyber Command.”

What Check Point saw

Check Point, a multinational that has headquarters in the U.S. and Israel, analyzed the tool’s SMB packets and compared those to the version leaked later.

“The underlying SMB packets used throughout the tool execution were crafted manually by the developers, rather than generated using a third party library,” the researchers note. “As a lot of these packets were assigned with hardcoded and seemingly arbitrary data, as well as the existence of other unique hardcoded SMB artifacts, we can assume that the developers were trying to recreate the exploit based on previously recorded traffic.”

APT3 then appears to have taken the tool it saw, which appeared to be the NSA-linked tool EternalRomance, an exploit that targets older versions of Windows, and developed it further to allow it to target more systems with remote code execution.

The tool APT3 developed, which Check Point calls UPSynergy, appears to capitalized on the same vulnerability EternalRomance exploited, CVE-2017-0145. SMB vulnerabilities are part of EternalRomance’s exploit. The Chinese then combined it with an “information leak” zero-day exploit to target newer operating systems, Check Point reports.

The combination of exploits shows the Chinese borrowing a page from the NSA’s playbook, according to Check Point; one of the NSA-linked tools leaked by the Shadow Brokers, EternalSynergy, is a combination of two exploits, as well.

Both Eternal Romance and UPSynergy, used an NSA-linked backdoor implant known as DoublePulsar that was also leaked by the Shadow Brokers.

“Attack artifacts of a rival, were used as the basis and inspiration for establishing in-house offensive capabilities by APT3,” Check Point researchers write.