China-linked Jian spyware was copied from NSA code, researchers

The APT31 group cloned a cyber-offensive tool developed by the NSA to create Jian, which was then used against a US target

Chinese intelligence services used spyware whose code was copied from tools developed by the US National Security Agency (NSA) to support their own hacking operations.

That ' s according to the researchers from Tel Aviv-based Check Point Software Technologies, who claim that some features in China-linked Jian malware are so similar to NSA tools that they could only have been derived from NSA ' s spyware tools leaked online in 2017.

In 2017, a group calling itself Shadow Brokers published a data dump called 'Lost in Translation', which included code developed by the NSA. The group had sought to sell the code to the highest bidder - but attracted no bids. It subsequently released many of the malware tools in its trove, enabling cybercriminals and US adversaries to add US-made cyber espionage tools to their own arsenals.

Based on their analysis, Check Point researchers claim that China-linked group APT31 (Zirconium) cloned NSA-linked Equation Group ' s cyber offensive tool code-named EpMe and used it in various cyber-espionage operations.

The tools were used to exploit a then unknown Windows vulnerability now tracked as CVE-2017-0005, which enabled attackers to elevate their privileges on infected systems.

The Check Point report says that APT31 likely cloned the American version of the tool in 2014 to create Jian, about two years before the Shadow Brokers first published the NSA tools on the web.

Jian spyware was used by APT31 for about two years, until it was detected by Lockheed Martin ' s Computer Incident Response Team, which reported it to Microsoft, suggesting a possible cyber attack against an American target.

Microsoft eventually patched CVE-2017-0005 vulnerability in March 2017.

According to Check Point, Chinese spies could have acquired the EpMe samples during an Equation Group ' s cyber operation targeting a Chinese target or during an operation against a third-party network that was monitored by the Chinese APT.

It is also a possibility that Chinese APT captured EpMe samples during an attack on Equation Group infrastructure.

Yaniv Balmas, Checkpoint ' s head of research, says that a possible takeaway for spymasters from this ' double-edged cyber sword ' story is that they should think twice before keeping software vulnerabilities secret.

"Maybe it ' s more important to patch this thing and save the world," Balmas said.

"It might be used against you," he added.