Chinese spies used code first developed by the U.S. National Security Agency to aid their hacking operations, Israeli researchers said Monday, another clue as to how malicious software developed by governments can boomerang against its creators.
Tel Aviv-based Check Point Software Technologies released a report that found that some functions of a China-related malware known as “Jian” were so similar that they could only have been taken from some of the National Security Agency’s intrusion tools that were leaked to the internet in 2017.
Yaniv Balmas, the head of research at Check Point, called Jian “a kind of copycat, a Chinese replica”.
The find comes as some experts argue that American spies should spend more energy fixing the bugs they find in the software rather than developing and using malicious software to exploit it.
The NSA declined to comment. The Chinese Embassy in Washington did not respond to requests for comment.
A person familiar with the matter said Lockheed Martin Corp – which is said to have identified the vulnerability exploited by Jian in 2017 – found it on an unidentified third party’s network.
In a statement, Lockheed said it “routinely evaluates third-party software and technology to identify vulnerabilities”.
Countries around the world are developing malware that infiltrates their competitors’ devices by exploiting flaws in the software that runs them. Whenever spies discover a new flaw, they must decide whether to silently exploit it or to fix the problem to thwart rivals and villains.
This dilemma became public knowledge between 2016 and 2017 when a mysterious group called “Shadow Brokers” posted some of the NSA’s most dangerous code on the internet, allowing cybercriminals and rival nations to add American-made digital burglary tools to their own arsenals.
How the Jian malware that Check Point analyzed was used is not clear. In an advisory report published in 2017, Microsoft Corp suggested that it is affiliated with a Chinese company it calls “Zirconium.” Last year, that group was accused of targeting U.S. electoral organizations and individuals, including those linked to President Joe Biden’s campaign.
According to Check Point, Jian was apparently made in 2014, at least two years before the Shadow Brokers made their public debut. Taken together with a 2019 study by Broadcom Inc.’s cybersecurity firm Symantec of a similar incident, this suggests that the NSA has repeatedly lost control of its own malware over the years.
Check Point’s research is thorough and “looks real,” said Costin Raiu, a researcher at Moscow-based antivirus company Kaspersky Lab, which helped analyze some of the NSA’s malware.
Balmas said one possible lesson from his company’s report is that spymasters weighing whether to keep a software bug secret should think twice about exploiting the vulnerability for their own purposes.
“Maybe it’s more important to fix this thing and save the world,” Balmas said. “It could be used against you.”