Tuesday, May 7, 2019

How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks

Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered. The episode is the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal.

Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away.

The Chinese action shows how proliferating cyberconflict is creating a digital wild West with few rules or certainties, and how difficult it is for the United States to keep track of the malware it uses to break into foreign networks and attack adversaries’ infrastructure.

The losses have touched off a debate within the intelligence community over whether the United States should continue to develop some of the world’s most high-tech, stealthy cyberweapons if it is unable to keep them under lock and key.

The Chinese hacking group that co-opted the N.S.A.’s tools is considered by the agency’s analysts to be among the most dangerous Chinese contractors it tracks, according to a classified agency memo reviewed by The New York Times. The group is responsible for numerous attacks on some of the most sensitive defense targets inside the United States, including space, satellite and nuclear propulsion technology makers.

Now, Symantec’s discovery, unveiled on Monday, suggests that the same Chinese hackers the agency has trailed for more than a decade have turned the tables on the agency.

Some of the same N.S.A. hacking tools acquired by the Chinese were later dumped on the internet by a still-unidentified group that calls itself the Shadow Brokers and used by Russia and North Korea in devastating global attacks, although there appears to be no connection between China’s acquisition of the American cyberweapons and the Shadow Brokers’ later revelations.

But Symantec’s discovery provides the first evidence that Chinese state-sponsored hackers acquired some of the tools months before the Shadow Brokers first appeared on the internet in August 2016.

Repeatedly over the past decade, American intelligence agencies have had their hacking tools and details about highly classified cybersecurity programs resurface in the hands of other nations or criminal groups.

The N.S.A. used sophisticated malware to destroy Iran’s nuclear centrifuges — and then saw the same code proliferate around the world, doing damage to random targets, including American business giants like Chevron. Details of secret American cybersecurity programs were disclosed to journalists by Edward J. Snowden, a former N.S.A. contractor now living in exile in Moscow. A collection of C.I.A. cyberweapons, allegedly leaked by an insider, was posted on WikiLeaks.

“We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies,” said Eric Chien, a security director at Symantec.

Now that nation-state cyberweapons have been leaked, hacked and repurposed by American adversaries, Mr. Chien added, it is high time that nation states “bake that into” their analysis of the risk of using cyberweapons — and the very real possibility they will be reassembled and shot back at the United States or its allies. (...)

For American intelligence agencies, Symantec’s discovery presents a kind of worst-case scenario that United States officials have said they try to avoid using a White House program known as the Vulnerabilities Equities Process.

Under that process, started in the Obama administration, a White House cybersecurity coordinator and representatives from various government agencies weigh the trade-offs of keeping the American stockpile of undisclosed vulnerabilities secret. Representatives debate the stockpiling of those vulnerabilities for intelligence gathering or military use against the very real risk that they could be discovered by an adversary like the Chinese and used to hack Americans.

The Shadow Brokers’ release of the N.S.A.’s most highly coveted hacking tools in 2016 and 2017 forced the agency to turn over its arsenal of software vulnerabilities to Microsoft for patching and to shut down some of the N.S.A.’s most sensitive counterterrorism operations, two former N.S.A. employees said.

The N.S.A.’s tools were picked up by North Korean and Russian hackers and used for attacks that crippled the British health care system, shut down operations at the shipping corporation Maersk and cut short critical supplies of a vaccine manufactured by Merck. In Ukraine, the Russian attacks paralyzed critical Ukrainian services, including the airport, Postal Service, gas stations and A.T.M.s.

“None of the decisions that go into the process are risk free. That’s just not the nature of how these things work,” said Michael Daniel, the president of the Cyber Threat Alliance, who previously was cybersecurity coordinator for the Obama administration. “But this clearly reinforces the need to have a thoughtful process that involves lots of different equities and is updated frequently.”

by Nicole Perlroth, David E. Sanger and Scott Shane, NY Times | Read more:
Image: Michal Czerwonka for The New York Times