The perils of non-disclosure? China 'cloned and used' NSA zero-day exploit for years before it was made public

A zero-day exploit said to have been developed by the NSA was cloned and used by Chinese government hackers on Windows systems years before the cyber-weapon was leaked online, it is claimed. Check Point put out a report on Monday digging into Chinese malware it calls Jian, and argues persuasively this particular software nasty …

  1. HildyJ Silver badge
    FAIL

    Stealing?

    The ending comments are wrong and disingenuous.

    It's not stealing. If the Chinese Navy stole a US submarine, then the US Navy could no longer use it and they would be upset.

    It's copying. I have no doubt that the NSA knew of the Chinese use of their exploit long before the Shadow Brokers' leak. They didn't say anything because they were still using the exploit themselves.

    Meanwhile, companies and organizations were put in peril because of the lack of disclosure.

    1. Anonymous Coward

      Re: Stealing?

      Nobody really "steals third base" either, but that's what it is called in competitive baseball.

      "I have no doubt that the NSA knew of the Chinese use of their exploit long before ..." --- congratulations on your supernatural powers. It takes a man to understand his own feelings.

      "Meanwhile, companies and organizations were put in peril because of the lack of disclosure." --- Spot on! You finally connected and scored a century!!

    2. Persona Silver badge

      Re: Stealing?

      If the Chinese Navy stole a US submarine, then the US Navy could no longer use it and they would be upset.

      The analogy here is more finding a US submarine in the Yongding River and confiscating it on its way to Beijing. The US Navy would still be upset and the US people outraged, especially when Chinese copies of the submarine were found in US coastal waters.

      1. Danny 2 Silver badge
      2. Blazde Bronze badge

        Re: Stealing?

        Yea it's not a great analogy because military hardware stealing/copying has been going on forever, with particular escalation of US technology lifted by China in recent years, and there's incredibly little outrage.

  2. Denarius Silver badge

    failure to take long view

    Another symptom of the intellectual decline of the ruins of Western culture. A near total inability in the manglement level to consider longer term consequences of anything. Even more astonishing because of the ephemeral nature (by historical standards) of software. One wonders how much Britain lost by keeping its WW2 computing skills secret so they could read other countries' private communications. Not sure they gained much from it. If computing had been encouraged they might have kept a lead in something a little longer.

    1. Yet Another Anonymous coward Silver badge

      Re: failure to take long view

      > Not sure they gained much from it

      Depends on the "they", if you mean politicians/generals who became heroes because of their brilliant strategies over the hun, rather than being able to read their mail = quite a lot

      1. Precordial thump

        Re: failure to take long view

        OP was about the long view. The WWII advantage was a monumental achievement and exploited judiciously and intelligently.

        The long view is the dichotomy between keeping an intelligence-military advantage, or converting that to an industrial-economic advantage, which has at least some exclusive-or component.

        We don't know how much, if at all, the GCCS/GCHQ foundations advantaged the UK in the 50s - 70s (Suez? Cambridge Five? Empire? Iran? HK?), but we do know the momentum reflected in Manchester, Ferranti etc. could have been greater, but was not.

    2. Binraider

      Re: failure to take long view

      I am inclined to agree, at least on the basis of the UK. A lot of the capability of Bletchley Park was deliberately dismantled post-war. Machines like the Manchester Mk.1 were underfunded and largely dismissed as frivolities; not helped in any way by cultural prejudice against its creator.

      ARM kept the light alive for processor architecture and fundamental R&D in this sector, and Broadcom have a fair presence here too.

      Going back to the original subject, however, surely the solution to the bottomless pit of breaches is the Keep-it-simple-stupid philosophy. A 50,000 line program, a good developer has a reasonable chance of staying on top of threats. Making things ever bigger and monolithic, makes them more unmanageable (cough, Kernel & systemd). I don't need to explain the traditional UNIX philosophy here, but it exists for a reason.

      I highly rate David Braben's many articles on the limitations of traditional systems programming architectures - even if his current role is somewhat removed from the coal face. C and C++, powerful as they are, make it very easy to leave room for unintentional errors around memory management. And don't get me started on programming frameworks that give "power" but not "control" - and certainly share common vulnerabilities as a result.

      A Rusty OS is looking promising as a way forward.

      1. Anonymous Coward

        A Rusty OS looking promising?!?!

        Let's see what the Tao of Programming makes of this...

        3.3

        There was once a programmer who was attached to the court of the warlord of Wu. The warlord asked the programmer: "Which is easier to design: an accounting package or an operating system?"

        "An operating system," replied the programmer.

        The warlord uttered an exclamation of disbelief. "Surely an accounting package is trivial next to the complexity of an operating system," he said.

        "Not so," said the programmer, "When designing an accounting package, the programmer operates as a mediator between people having different ideas: how it must operate, how its reports must appear, and how it must conform to the tax laws. By contrast, an operating system is not limited by outside appearances. When designing an operating system, the programmer seeks the simplest harmony between machine and ideas. This is why an operating system is easier to design."

        The warlord of Wu nodded and smiled. "That is all good and well, but which is easier to debug?"

        The programmer made no reply.

        1. amanfromMars 1 Silver badge

          Meanwhile, subsequently .......

          The warlord of Wu nodded and smiled. "That is all good and well, but which is easier to debug?"

          The programmer made no reply.

          However, a short time later, after a spell of quiet reflection, the programmer decided a suitable reply in the future would be .... "Always the easier of the two, or the easiest of the three or more, to bug"

          Such he concluded would be quite enough to be adequately engaging of the intelligence efforts of others at resolving persistent revolving door like problems.

      2. Brewster's Angle Grinder Silver badge

        Re: failure to take long view

        "A 50,000 line program, a good developer has a reasonable chance of staying on top of threats."

        And bugs appear as soon as 50-kloc programs start interacting with each other. If you have 10 then there are up to 10! (~3 million) potential interactions. The only difference between your approach and having a larger program broken into strong, orthogonal modules is semantics. If it takes half a million lines of code to solve a problem, then it's going to take half a million lines whether you write it as 1 or 10 programs.

        1. Dr Paul Taylor

          semantics

          The only difference between your approach and having a larger program broken into strong, orthogonal modules is semantics.

          I was about to upvote you for an insightful comment, until I realised that you were using the word "semantics" in the ignorant way that politicians do, rather than in its technical sense in theoretical computer science.

    3. Roland6 Silver badge

      Re: failure to take long view

      >One wonders how much Britain lost by keeping its WW2 computing skills secret so they could read other countries private communications. Not sure they gained much from it.

      Lots, but the US gained lots!

      Firstly, the US intelligence services gained massively from the UK's knowledge.

      Secondly, with respect to keeping the computing skills secret, we now know that because of this many versions of computing history incorrectly attribute the first computers to US institutions...

  3. martinusher Silver badge

    It's what everyone's been telling them for years

    One of the dangers of keeping quiet about vulnerabilities is that you never know who else has figured this out. We tend to be a bit smug about our capabilities and somehow can't get to grips with the idea that other people could be as clever or even more clever than us. The NSA should have figured this out years ago just by following Kaspersky and applying a bit of common sense (but it's easier to just ban the software as a 'security threat', at best an irrelevance, at worst demonstrating how clueless we were).

    We know from history (Enigma) that misplaced confidence in intelligence strategies invariably backfires. That's why we really owe Snowden a medal; his revelations merely confirmed what many of us suspected, and if we suspected then it's 100% certain that the Russians, among others, knew. History is littered with examples of people being fed bogus data because they were confident that their sources were flawless. And to assume that 'the other side' wouldn't use the same techniques against us........I suppose we'll now sue them for copyright infringement.....

  4. amanfromMars 1 Silver badge

    Having a glorious rifle in and magnificent browse through a Pandora's Open Box ?

    “Cyber weapons are digital and volatile by nature. Stealing them and transferring from one continent to another, can be as simple as sending an email. They are also very obscure, and their mere existence is a closely guarded secret. That is exactly why, as opposed to a nuclear submarine, stealing a cyber-weapon can easily go under the radar and become a fact known only to a selected few.”

    Amen to that, Brothers and Sisters. And as they are also both physical and metaphysically invisible and intangible, they are remarkably easy to sell to that which and/or those who know what they are buying, and buying into. And that opens up a whole new world of virgin opportunity and otherworldly, out of this world enterprise.

    And as cold a comfort as an opposite disagreeable view and voice might be, I very much doubt that the NSA knew of the Chinese use of their exploit long before the Shadow Brokers' leak.

    Some would say that reveals the endemic catastrophic systemic flaw in Wild Wacky Western Uncle Sam like operations, their fervent almighty misplaced belief that they possess and process and exercise an absolutely unique and exclusive overall executive global command and control leverage with a hindsight enriched foresight with knowledge and insider information of likely planned future events and 0days, whenever they so clearly do not clearly entertain and display such an ability and facility and utility.

    Now, with that having been said and revealed, and it matters not a jot whether you clearly see and agree with the analysis or not, and that such can be, and therefore is so easily so, is such a described ability and facility and utility one of those new fangled, entangling NEUKlearer HyperRadioProACTive cyber weapons being sold nowadays under the radar to a select few?

    1. Anonymous Coward

      Re: Having a glorious... ...Box

      https://youtu.be/jmY_MiJ1hAY

      Depeche Mode

      Good Night Lovers

      1. amanfromMars 1 Silver badge

        Re: Having a glorious... ...Box

        Is there any other sweeter pain to invite and endure and assure with the selfless acceptance and delivery of its pleasures, AC?

  5. IGotOut Silver badge

    TL/dr

    So US used vuln on Chinese. Chinese thought that's neat, took idea and used it against rest of world.

    1. Version 1.0 Silver badge

      Re: TL/dr

      So basically it was just copyright infringement or intellectual theft. Getting hacked is like studying history: you see things happening and after a few years' study you get some ideas as to why they happened. Meanwhile something else is happening but you won't find out about it for a few more years.

      1. Doctor Syntax Silver badge

        Re: TL/dr

        Sort of. But understanding what happened in the past should help you build expectations of what might be happening now and go looking for it.

        Those who do not learn their history are condemned to repeat it.

        1. find users who cut cat tail
          Coat

          Re: TL/dr

          I refuse to learn from the 60s. Can I have them back now?

          1. Tail Up
            Happy

            Re: TL/dr @find... ...tail

            https://youtu.be/C-2xtTpgQXM

            RHCP - Easily

      2. ibmalone Silver badge
        Pirate

        Re: TL/dr

        Aren't US government works exempt from copyright?

  6. 2+2=5 Silver badge
    Trollface

    Captured

    "... these Equation Group exploit samples could have been acquired by the Chinese APT in one of the following ways: Captured during an Equation Group network operation on a Chinese target; Captured during an Equation Group operation on a 3rd-party network which was also monitored by the Chinese APT; Captured by the Chinese APT during an attack on Equation Group infrastructure."

    If that last one also includes "the Chinese (or an ally) have an agent inside the NSA" then, yes, that one.

  7. Anonymous Coward

    hello pot, I'd like you to meet kettle and Microsoft

    The real question in my mind is, was there any possibility that the vulnerabilities were placed within the OS by a FISA court order from the NSA. Basically a personal front door for the NSA, with total plausible deniability, as would be required for spycraft or cloak and dagger.

    I know that it is common to attribute incompetence to major security holes.

    1. Anonymous Coward

      Re: hello pot, I'd like you to meet kettle and Microsoft

      I hear the sounds of Cisco and RSA in the air like ghosts while reading your post about built-in back doors with deniability.... it's been a few years now, that we know of.

      Thank (deity of your choice) the NSA doesn't have virologists or genetic engineers.

      1. admiraljkb
        Black Helicopters

        Re: hello pot, I'd like you to meet kettle and Microsoft

        >> Thank (deity of your choice) the NSA doesn't have virologist or genetic engineers,

        That we _know_ of. DNA is really just more code to be hacked on. I would put a joke icon on this, but really not sure if it might be true.

        1. amanfromMars 1 Silver badge

          Certainly sure you'll initially doubt it, however, ...

          .... fast approaching future events way beyond conventional command and traditional controls will prove it .... and amaze y'all with all that you can know.

          That we _know_ of. DNA is really just more code to be hacked on. I would put a joke icon on this, but really not sure if it might be true. .... admiraljkb

          Depending on which side of the evil dark side/smarter bright side fence you be resident and instrumental in, admiraljkb, beware and/or be aware of they who and that which certainly know that to be true enough to make all the difference necessary for everything to be fundamentally changed and rebooted.

  8. amanfromMars 1 Silver badge

    Crikey, whoever would have a'thunk it, although they are Registered posts, ...

    .... guaranteed prime delivery.

    There's a huge lot of highly sensitive information and extremely stealthy intelligence leaking on this thread.

  9. hammarbtyp

    Offence vs Defence

    One of the big issues with US cyber security policy at present is the emphasis on offence. Ever since Stuxnet, there has been a weaponization of cyber space, because it is considered a low risk way to extend military power, gain intelligence etc.

    So rather than a defensive posture and helping ensure that critical infrastructure is as secure as possible, the NSA etc have hoarded known vulnerabilities so that they can use them for themselves. Problem is NK, China and Russia are basically taking the tools used against them and turning them against the West, with viruses like NotPetya, Sandworm etc.

    If we really want to be serious about stopping hacking and guard things like the power grid, the US government needs to change the emphasis to reducing vulnerabilities, not exploiting them.

    1. admiraljkb

      Re: Offence vs Defence

      The NSA is a strange beast. It seems that the secretive/offensive half of the shop is busy finding exploits to stockpile and use, while the other, public half of the shop is assigned to find exploits and help defend against the other half of the shop.

      I have to agree that it's unethical to find exploits and not disclose though. You have to assume when you find something, that multiple other people/organizations have also discovered it. Consequently it is a threat to National security globally. As in a threat to all Nations...

    2. amanfromMars 1 Silver badge

      Re: Offence vs Defence. There's No Escaping the Truth

      If we really want to be serious about stopping hacking and guard things like the power grid, the US government needs to change the emphasis to reducing vulnerabilities, not exploiting them. ..... hammarbtyp

      That could/would definitely be SMARTR, however it is not in their nature, says the drowned scorpion to the dead frog, thus they and any misguided and trusting allies be certainly doomed ‽ .

      The problem then that arises and expands is would be good friends disappear, almighty deadly enemies increase and every other man, woman and child learns not to encourage or participate in their idiotic great games plays/Projects for the New American Century

      And one has to be real thick and extremely stupid to not realise that as it phorms and surrounds you, to destroy you with novel forces and immaculate sources from deep within the home body core, incensed and enraged at what one has allowed oneself to become, super naturally and decidedly designedly devilishly if one doesn't want to accept the responsibility and accountability for one's actions and plans for actions. But it is what it is and what everyone sees right before their very eyes.

      1. Cliff Thorburn

        Re: Offence vs Defence. There's No Escaping the Truth

        Good great game analogies once again amFM.

        And take it from someone who can completely sympathise with said frog, having spent a decade of exponential learning, only to be stung by said ̶N̶S̶A̶ ̶&̶ ̶G̶C̶H̶Q̶ Scorpion.

        In hindsight I often wonder why one would subject themselves to such, or whether there was any choice given the psychological operational ordeals, but without a doubt it has to be questioned what the point of such implausible undeniable events.

        1. amanfromMars 1 Silver badge

          Re: Offence vs Defence. There's No Escaping the Truth

          And take it from someone who can completely sympathise with said frog, having spent a decade of exponential learning, only to be stung by said ̶N̶S̶A̶ ̶&̶ ̶G̶C̶H̶Q̶ Scorpion. .... Cliff Thorburn

          A Sergei Meerkat as a lifelong friend is the best of answers to guarantee that sort of betrayal has suitably devastating consequences and totally unexpected repercussions, CT.

          1. Cliff Thorburn

            Re: Offence vs Defence. There's No Escaping the Truth

            Here's hoping that the new POTUS will put right the wrongs, and take accountability for the wrongs and actions.

            Seems like a world away when great gamesplay was the daily development, does it not? Talks of tempestuous trips to Sir Richard Branson’s island wouldn’t be Adam and Eve’d and dismissed as buried treasure.

            One thing's for sure, justice must be done, and evidence always opens the door to new adventures.

            1. Tail Up

              Re: Offence vs Defence. There's No Escaping the Truth

              C'mon CT, it's beginning to be habitual to see at your side... the stupid shmucky salto mortales got the package with all five aces not bet, simples?

              If there's something strange in your neighborhood, who you gonna call?

              "It looks like the internet has cracked the code in something like 6 hours! Oh internet is there anything you can't do?"

            2. amanfromMars 1 Silver badge

              Re: Offence vs Defence. There's No Escaping the Truth

              Seems like a world away when great gamesplay was the daily development does it not?, talks of tempestuous trips to Sir Richard Branson’s island wouldn’t be Adam and Eve’d and dismissed as buried treasure. .... Cliff Thorburn

              One of those heavenly safe haven places for private pirates with crown jewels to share and display with flashy development of shows entertaining enterprising brigandry .... unusual and unconventional virgin market leadership, CT? What's not to like and thoroughly enjoy and wholeheartedly award with appropriate reward?

              And on the other side of the world be there other such places and space too, albeit in somewhat of a quite different guise ‽ :-)...... Black Sea Palace

              Such developments suggest an embarrassment of riches to process and progress/employ and exploit/deploy and administer/monitor and mentor.

              1. Tail Up
                Paris Hilton

                Re: Offence vs Defence. There's No Escaping the Truth

                Notice the downvote is not mine... in spite of a sensitive matter (-:

                Paris, thinking wtf the Eiffel tower is not built there, like if the magnanonymous landlord has had no money for this little pleasure.

          2. This post has been deleted by its author

        2. This post has been deleted by its author

  10. This post has been deleted by its author


Biting the hand that feeds IT © 1998–2021