The US Can't Stop China Copying Its Cyber Weapons

China is copying malware the NSA has used against them. Is this preventable or is it an inherent weakness of cyber warfare?

It is nothing new for adversaries to copy and steal each other’s weapons, but recent revelations from Symantec and The New York Times suggest this problem is much bigger with cyber weapons. This is because in order to attack an enemy’s computer, the attacker has to copy their own code onto it. It’s like bombing an enemy with munitions that scatter their own blueprints around the blast site.

US hacking tools have gone astray before, most notoriously when a mysterious group called Shadow Brokers repeatedly released National Security Agency code for hackers around the globe to use in attacks like WannaCry. Now cybersecurity analysts at Symantec have found evidence that hackers working for China’s Ministry of State Security were using NSA-built cyber weapons “at least a year prior to the Shadow Brokers leak.”

To avoid offending nation-states, the Symantec report only identifies the Chinese group as “Buckeye” and the NSA as “Equation Group”.

Symantec’s suggested explanation: “one possibility is that Buckeye may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack.”

“This is a significant revelation,” one retired naval officer told us. “With Shadow Brokers, the assumption was that it was a group with significant insider knowledge … who had somehow pilfered the software and released it. If correct, this would suggest that:

  • the issue of loss of control of sensitive malware has gone on longer than understood.
  • if Symantec is correct that China likely captured the software while it was being used by NSA, [then] using cyber to collect intelligence is far riskier than generally acknowledged.

“The new element in the story is that an organisation has reverse-engineered a deployed US cyber tool and reused it; previous cases involved the theft or loss of a tool,” agreed Bryan Clark of the Center for Strategic & Budgetary Assessments.

“This would be similar to the Chinese finding a Tomahawk missile that had failed to detonate and using it to build their own.”

The difference, Clark continued, is that physical bombs and missiles automatically destroy themselves in the course of an attack, unless they’re duds. Cyber weapons don’t. 

During war games, the cyber teams often assume that a weapon will only be used once, for precisely this reason. “The solution is to make cyber weapons tamper resistant,” he said, “which means their code cannot be determined without proper encryption, or the code rewrites itself after use, ‘duding’ the weapon.” But even self-destructing code doesn’t guarantee a target of our cyber weapons can’t copy them, Clark warned: “They will still run the risk of being detected and characterised by a defensive system before the tamper resistant features activate.”

Clever techniques, like malware that encrypts and/or deletes itself, can reduce the risk that the target can copy weapons used against it. But part of the problem is inherent to the nature of cyber warfare, which may require the US to think very differently about this new form of conflict.

In his book Guns, Germs, & Steel, Jared Diamond traces how concepts like written language spread around the globe through a combination of direct “blueprint copying”, the way the Romans adopted the Greek alphabet, with minor changes, to write their own, very different language, and indirect “idea diffusion”, as when Cherokee picked up the concept of written language from European settlers, along with the shapes of some letters, but used them to represent entirely different sounds.

Copying is common in the military realm as well. The Soviet Union spied extensively on the American Manhattan project and used the stolen information to build their own atomic bomb years before the West expected it.

But to copy a cyber weapon, all you have to do is see it, because the weapon itself is made of information. China copying the code the NSA used to attack them is less like the Soviets copying the A-bomb and more like the Romans copying the Greek alphabet.

That makes copycat cyber weapons extremely hard to stop. Even if the code is encrypted, even if it erases itself after its attack, it has to be executed on the target’s computer in order to affect it.

BreakingDefense

