Chinese Jian malware found to be derived from NSA exploit efforts


The Israelis found out a secret about the Chinese – and it was that the Chinese were using American secrets to craft their own cyberattacks.


New reports show Israeli researchers have found that the Chinese “Jian” malware has all the hallmarks of being copied from some of the tricks of the U.S. National Security Administration.


Writing for Reuters today, Raphael Satter talks about how the Shadow Brokers, an enigmatic group of cyberpirates, published NSA material, and how bad actors used similar exploits, for example, how the WannaCry ransomware operation used the EternalBlue exploit, in which Windows Server Message block (SMB), in the parlance of wikimedia narration, “mishandled specially crafted packets.”


It seems that somewhere in this trajectory, the Chinese were able to capture some of the NSA’s core strategies for cyberattack, and created the Jian malware that Checkpoint calls the “Chinese double-edged cyber sword.” Jian basically works to elevate privileges for the hacker. It was caught by Lockheed Martin’s incident response team and reported to the security world.


“A person familiar with the matter said Lockheed Martin Corp – which is credited as having identified the vulnerability exploited by Jian in 2017 – discovered it on the network of an unidentified third party,” Satter writes.


Now, professionals will be trying to find out if the Israeli assertions are indeed true. Meanwhile, Checkpoint and other authorities on the dark world of cyberespionage are suggesting that Jian came from the Equation Group, a little-known branch of a U.S. NSA office.


“Our research started by analyzing “Jian”, the Chinese … exploit for CVE-2017-0005, which was reported by Lockheed Martin’s Computer Incident Response Team,” writ CheckPoint analysts. “To our surprise, we found out that this APT31 exploit was in fact a reconstructed version of an Equation Group exploit, dubbed ‘EpMe’. This means that a Chinese-affiliated group used an Equation Group exploit possibly against American targets.”