Chinese spies reportedly repurposed NSA tools used to hack their computers (updated)

Evidence suggests that the Buckeye group reverse-engineered hacking tools after an attack.

A group called Shadow Brokers leaked sets of hacking tools back in 2017 that led to massive security breaches around the world, including the infamous WannaCry ransomware attacks. While the group maintained that it stole the tools from the US National Security Agency (NSA), it was a mystery how it got its hands on them. Now, a Symantec report has revealed that prior to the Shadow Brokers leak, NSA tools were captured by the Buckeye, a hacking group that the US government has linked to Chinese intelligence agents. As to how Buckeye got its hands on those tools? It seems they reverse-engineered them after the NSA first used them to attack their computers.

Symantec has found that the Buckeye group -- a group that the Department of Justice believes is a Guangzhou-based contractor for the Chinese Ministry of State Security -- had been using a few stolen NSA tools at least a year before the Shadow Brokers leak. The software security firm believes that Buckeye may have captured the tools during an NSA attack and then tweaked them to make their own version.

According to a memo The New York Times reviewed, the NSA considers Buckeye to be one of the most dangerous Chinese contractors. Buckeye was reportedly responsible for attacking American space, satellite and nuclear propulsion technology makers. Symantec says it eventually used the tools it captured and repurposed to stage cyberattacks on research organizations, educational institutions and other organizations in Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong. Once such attack on a major telecommunications network may have opened access to millions of private communication logs.

Eric Chien, a security director at Symantec, told the NYT that it's high time those running offensive cyber security operations to seriously consider the possibility that enemies can capture and repurpose their cyber-attack tools. More importantly, those enemies could use those tools -- including ones paid for by American taxpayers -- to attack US networks and infrastructure. He said:

"This is the first time we've seen a case -- that people have long referenced in theory -- of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack other."

That said, Symantec didn't find evidence that Buckeye used NSA's tools against the US. The firm believes it could be because the group thought the NSA developed defenses against its own weapons. It's not entirely clear if that's true, but if it's not, then the agency should seriously consider doing just that.

Update, 5/8/19 5:15PM ET: This story has been updated to remove a reference that conflated the tools used in the WannaCry attacks with the tools Symantec discovered in its latest research. The WannaCry tools were not part of the hacking tools linked to Buckeye. We apologize for the error. We've also added additional clarifications as to what and how the Buckeye group may have captured tools that may have originated from the NSA.