Jian: NSA tool copied and used by China's hackers

Posted on 2021-02-23 by guenni

[German]Security researchers have found evidence that a hacking tool allegedly developed by the U.S. NSA was copied by Chinese hackers and used under the name Jian long before the NSA tools were released by the Shadow Browsers group.

Advertising

Review of the Shadow Brokers leak

In January 2017, I wrote in my German blog post Tschüssikowski: Shadow Brokers stellen NSA-Tools online, hat the mysterious Shadow Brokers hacker group had announced its departure. And as a parting gift, so to speak, the group still put a collection of NSA tools online after their sale failed. Just a reminder of how time flies. In the blog post I wrote: The Shadow Broker exit message comes 8 days before the swearing in of the new US President Donald Trump.

But the whole thing had a backstory. The Shadow Brokers hacker group has been covered in several blog posts (see list of links at the end of the article). In August 2016, news went around that a hacker group called Shadow Brokers had captured a "basket of NSA tools from the NSA Equation Group". The authenticity of the tools was soon confirmed as obvious. The hackers tried to sell these tools mostly on the darknet, but were not successful.

But hackers (presumably) associated (or close) to Chinese intelligence had access to these tools already a year before the Shadow Broker hacker group published various tools from the NSA and used them in attacks. I had already addressed this in May 2019 in a German blog post with reference to a New York Time article. So much as a preface to the following news story.

Check Point confirms the China theory

Currently, the American-Israeli security firm Check Point has sent around a piece of information to the media that virtually confirms the New York Times report.

Security researchers monitor APT groups

Security researchers at Check Point® Software Technologies Ltd. consistently keep an eye on Advanced Persistent Threats (APT). During their observations, the experts noticed that a Chinese hacking group had managed to copy a U.S. cyber weapon capable of carrying out zero-day attacks. The new form of the threat is called Jian (Jiann), named after a Chinese sword with a double blade.

Advertising

Jian Malware
Jian Malware, Source: Check Point

EpMe already discovered in 2017

The malware was originally developed by the Equation Group, an APT group that experts believe works closely with the U.S. National Security Agency (NSA). The malware first appeared in 2017 under the name EpMe, discovered by the incident response team of the US defense company Lockheed Martin. EpMe was capable of carrying out zero-day elevation privilege attacks against computers running Windows XP or Windows 8 as operating systems. Microsoft addressed this circumstance with the patch CVE-2017-0005 – at that time, however, it was still assumed that the origin of EpMe was the Chinese hacker group APT31.

However, the new results of Check Point Research's research show that APT31 had merely copied the Equation Group's weapon and directed it against the United States. Hence the name Jian – the double-bladed sword.

Jian's capabilities

Yaniv Balmas, Head of Cyber Research, Products – R&D at Check Point, explains, "As part of an ongoing project, our malware and vulnerability researchers are constantly reviewing and analyzing zero-day Windows privilege escalation exploits to collect and extract hacker fingerprints. These fingerprints, in turn, are used to map past and future exploits and allow us to detect and even block unknown attacks from known exploit developers in a timely manner. During this particular investigation, our researchers managed to decipher the hidden story behind Jian, a zero-day exploit previously attributed to APT31. They were able to uncover that the true origin is an exploit created by Equation Group for the same vulnerability." A typical attack using Jian involves three phases:

  1. Initial compromise of a Windows target computer.
  2. Privilege escalation to the highest privileges.
  3. Full installation of malware by the attacker.

The full research findings on the cyber weapon can be found in the Check Point blog post Jian – The Chinese Double-edged Cyber Sword.  It's always interesting to see how the state sponsored hackers steal each other's tools and then use them against each other. This also shows what a double-edged sword the demand of worn-out politicians for backdoors in the encryption of various products is, to which only states have access.

Similar articles:
The Shadow Brokers: June Dump with Exploits delivered to subscribers and more …
Shadow Brokers launches 0-Day Exploit Subscriptions
NSA exploits adapted for all Windows versions
Windows XP/Server 2003: Fix for NSA ESTEEMAUDIT Exploit

Cookies helps to fund this blog: Cookie settings
Advertising

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *