A Chinese security firm released a detailed report about what it says is malware created by Equation Group, a hacking group widely believed to be the NSA
Researchers Say They’ve Spotted an NSA Hacking Tool
Security researchers from Pangu Labs say they’ve pieced together the origins of a nearly decade-old hacking tool, and that it traces back to the Equation Group, which is widely thought to be the US National Security Agency.
They say they were able to make the link thanks in part to a leak by the Shadow Brokers, a mysterious group that released a trove of apparent NSA secrets in 2016. More interesting than the tool itself, though, is the public attribution to the NSA—which, while not unprecedented, is extremely rare. Or at least, it has been.
NSA Hacking Tool
A Chinese cybersecurity company accused the NSA of being behind a hacking tool used for ten years in a report published on Wednesday.
The report from Pangu Lab delves into malware that its researchers first encountered in 2013 during an investigation into a hack against “a key domestic department.” At the time, the researchers couldn’t figure out who was behind the hack, but then, thanks to leaked NSA data about the hacking group Equation Group—widely believed to be the NSA—released by the mysterious group Shadow Brokers and by the German magazine Der Spiegel, they connected the dots and realized it was made by the NSA, according to the report.
“The Equation Group is the world’s leading cyber-attack group and is generally believed to be affiliated with the National Security Agency of the United States. Judging from the attack tools related to the organization, including Bvp47, Equation group is indeed a first-class hacking group,” the report read, referring to the name of the tool the researchers found. “The tool is well-designed, powerful, and widely adapted. Its network attack capability equipped by 0day vulnerabilities was unstoppable, and its data acquisition under covert control was with little effort. The Equation Group is in a dominant position in national-level cyberspace confrontation.”
Pangu Lab could not be reached for comment.
This is not the first time a Chinese cybersecurity company published research on an alleged American intelligence hacking operation. But it’s “pretty rare,” as Adam Segal, an expert in China’s cybersecurity at the Council on Foreign Relations, put it in an email to Motherboard.
“I don’t know who Pangu’s customers are, but it might also be something their customers want to hear right now, just like lots of Western cybersecurity companies post about Russian malware because everyone in the West wants to hear about it right now,” Martijn Grooten, a veteran of the cybersecurity industry, told Motherboard in an online chat. “It also sounds like something the NSA would have the capabilities of doing. And something China would love to make public, especially now.”
This report may be a sign that Chinese cybersecurity companies are starting to follow the example of their Western counterparts and do more attribution. It could be “a shifting strategy to become more name and shame as the US government has employed,” Robert Lee, a former NSA analyst and founder of cybersecurity company Dragos, told Motherboard in an online chat.
For Richard Bejtlich, another veteran of the cybersecurity industry and author in residence at security firm Corelight, it’s a good thing that Chinese companies, and presumably China’s government, are improving their attribution capabilities, as “it will increase overall geopolitical stability,” as he tweeted.
“It is an inherently unstable situation to have parties lacking visibility into adversary activity. It breeds paranoia and in many cases an incentive to strike first. When you have insights into your adversary you can make more informed decisions,” Bejtlich told Motherboard in an online chat. “ When you lack them you are constantly worrying about being attacked, or already attacked, etc., and you can’t be sure who is responsible. It’s a classic intelligence situation. That’s why spies on both sides are counterintuitively important.”
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.