Jian, Chinese version of an NSA exploit

Jian

Many will remember the infamous WannaCry which caused massive economic damage in 2017. The ransomware exploited an exploit developed by the NSA known as EternalBlue. Check Point Research has now discovered that another US agency exploit was used by a Chinese group over two years before members of The Shadow Brokers released the NSA's digital arsenal.

Jian : Chinese version of EpMe

The Shadow Brokers is the group of hackers who made public the tools used by the TAO unit (Tailored Access Operations, also known as Equation Group) of the NSA to access computer systems, exploiting zero vulnerabilities -day of Windows and other software.

The disclosure of "cyber weapons" happened in 2017, but Check Point Research found that a Chinese hacker group (known as APT31 or Zirconium) got their hands on EpMe, another exploit developed by Equation Group. This happened over two years before The Shadow Brokers leak. EpMe's code was used to write Jian, with which various attacks were carried out against US targets between 2015 and March 2017, when Microsoft released patches for Windows vulnerabilities.



Jian's full story can be read on the Check Point Research website. According to Californian experts, EpMe's code may have been captured during an Equation Group attack on Chinese targets, during an Equation Group attack on third-party networks monitored by APT31, or during an APT31 attack on Equation Group's infrastructure.

Check Point research highlights the dangers of these digital weapons and how their dissemination can pose a serious risk to national security.

Source: Check Point Research

---

China-linked Jian spyware was copied from NSA code, researchers

Code of China-linked Jian spyware was copied from America's NSA, researchers

Chinese intelligence services used spyware whose code was copied from tools developed by the US National Security Agency (NSA) to support their own hacking operations.

That's according to the researchers from Tel Aviv-based Check Point Software Technologies, who claim that some features in China-linked Jian malware are so similar to NSA tools that they could only have been derived from NSA's spyware tools leaked online in 2017.

In 2017, a group calling itself Shadow Brokers published a data dump called 'Lost in Translation', which included code developed by the NSA. The group had sought to sell the code to the highest bidder - but attracted no bids. It subsequently released many of the malware tools in its trove, enabling cybercriminals and US adversaries to add US-made cyber espionage tools to their own arsenals.

Based on their analysis, Check Point researchers claim that China-linked group APT31 (Zirconium) cloned NSA-linked Equation Group's cyber offensive tool code-named EpMe and used it in various cyber-espionage operations.

The tools were used to exploit a then unknown Windows vulnerability now tracked as CVE-2017-0005, which enabled attackers to elevate their privileges on infected systems.

The Check Point report says that APT31 likely cloned the American version of the tool in 2014 to create Jian, about two years before the Shadow Brokers first published the NSA tools on the web.

Jian spyware was used by APT31 for about two years, until it was detected by Lockheed Martin's Computer Incident Response Team, which reported it to Microsoft, suggesting a possible cyber attack against an American target.

Microsoft eventually patched CVE-2017-0005 vulnerability in March 2017.

According to Check Point, Chinese spies could have acquired the EpMe samples during an Equation Group's cyber operation targeting a Chinese target or during an operation against a third-party network that was monitored by the Chinese APT.

It is also a possibility that Chinese APT captured EpMe samples during an attack on Equation Group infrastructure.

Yaniv Balmas, Checkpoint's head of research, says that a possible takeaway for spymasters from this 'double-edged cyber sword' story is that they should think twice before keeping software vulnerabilities secret.

'Maybe it's more important to patch this thing and save the world,' Balmas said.

'It might be used against you,' he added.