An investigation by Check Point into a piece of malware has reached a very surprising conclusion: it is a replica of a Windows exploit that was part of the NSA's cyber arsenal. According to the researchers, the malware, which exploits the vulnerability, was developed by the US intelligence agency and was probably stolen or copied by a Chinese hacker group known as APT31, whose activities are attributed to the Chinese government.
The Israeli researchers' original hypothesis was that the malware had been developed independently by the Chinese. But digging into the depths of its code led to a completely different conclusion: it was a copy of a tool called EpMe, used by hackers from a group called Equation Group, whose activities are attributed to the NSA.
This is a rather dangerous weapon, as it gives attackers very extensive access and allows them to obtain very high administrative privileges; put simply, whoever exploits the malware can steal anything on the target computer.
Although Microsoft patched this vulnerability in 2017, it did tremendous damage. The NSA tool built to exploit the vulnerability and infiltrate victims' computers was stolen that year by a mysterious hacker group called the Shadow Brokers, who, after trying to extort money from the US government, turned the weapons back against the US.
Re-engineering of the Stuxnet malware
This story illustrates how cyber weapons, sophisticated as they may be, can be turned back against their original developers. An example closer to home is the re-engineering of the Stuxnet malware, which according to foreign sources was developed by the US and Israeli intelligence services to attack Iran's nuclear facilities. It was used in the operation against Iran's nuclear centrifuges and caused great damage to Iranian infrastructure. But a few years later it was found to have been used to attack the computers of Saudi government oil companies, whose computer systems were shut down for a long time.
This example is a wake-up call about the sometimes too liberal use that countries make of cyber weapons. Experts in the cyber world say that cyber weapons are intended for single use: from the moment one is used to attack enemy computers, it is effectively in the hands of the attacked party.
It is not uncommon to find hacker groups using state-developed malware (built by states for strategic use) for criminal activity or espionage. Another example of this phenomenon is the NotPetya ransomware, developed by the Russians to attack Ukraine and other countries. After it was used in 2014, it leaked to North Korean hackers who deployed it three years later, causing tens of billions of dollars in damage in many countries around the world.
The conclusion from such cases is that malware is a kind of disposable weapon, and that there is no effective way to prevent it from leaking to hackers in the rest of the world once it has been used.