Chinese spyware code was copied from America's NSA: researchers
February 22, 2021
By Raphael Satter
WASHINGTON (Reuters) - Chinese spies used
code first developed by the U.S. National Security Agency to support
their hacking operations, Israeli researchers said on Monday, another
indication of how malicious software developed by governments can
boomerang against their creators.
Tel Aviv-based Check Point Software Technologies issued a report noting
that some features in a piece of China-linked malware it dubs "Jian"
were so similar they could only have been stolen from some of the
National Security Agency break-in tools leaked to the internet in 2017.
Yaniv Balmas, Check Point's head of research, called Jian "kind of a
copycat, a Chinese replica."
The find comes as some experts argue that American spies should devote
more energy to fixing the flaws they find in software instead of
developing and deploying malicious software to exploit it.
The NSA declined comment. The Chinese Embassy in Washington did not
respond to requests for comment.
A person familiar with the matter said Lockheed Martin Corp – which is
credited as having identified the vulnerability exploited by Jian in
2017 – discovered it on the network of an unidentified third party.
In a statement, Lockheed said it "routinely evaluates third-party
software and technologies to identify vulnerabilities."
Countries around the world develop malware that breaks into their
rivals' devices by taking advantage of flaws in the software that runs
them. Every time spies discover a new flaw they must decide whether to
quietly exploit it or fix the issue to thwart rivals and rogues.
[Photo: A map of China is seen through a magnifying glass on a computer screen showing binary digits in Singapore in this January 2, 2014 photo illustration. Picture taken January 2, 2014. REUTERS/Edgar Su]
That dilemma came to public attention between 2016 and 2017, when a mysterious
group calling itself the "Shadow Brokers" published some of the NSA's most
dangerous code to the internet, allowing cybercriminals and rival nations to add
American-made digital break-in tools to their own arsenals.
How the Jian malware analyzed by Check Point was used is not clear. In an
advisory published in 2017, Microsoft Corp suggested it was linked to a Chinese
entity it dubs "Zirconium," which last year was accused of targeting U.S.
election-related organizations and individuals, including people associated with
President Joe Biden's campaign.
Check Point says Jian appears to have been crafted in 2014, at least two years
before the Shadow Brokers made their public debut. That, in conjunction with
research published in 2019 by Broadcom Inc-owned cybersecurity firm Symantec
about a similar incident, suggests the NSA has repeatedly lost control of its
own malware over the years.
Check Point's research is thorough and "looks legit," said Costin Raiu, a
researcher with Moscow-based antivirus firm Kaspersky Lab, which has helped
dissect some of the NSA's malware.
Balmas said a possible takeaway from his company's report was for spymasters
weighing whether to keep software flaws secret to think twice about using a
vulnerability for their own ends.
"Maybe it's more important to patch this thing and save the world," Balmas said.
"It might be used against you."
(Reporting by Raphael Satter; Editing by Lisa Shumaker)
© 2021 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
Thomson Reuters is solely responsible for this content.