Chinese researchers accuse NSA of being behind a powerful exploit

Chinese researchers are stepping up their attribution game.
A sign for the National Security Agency (NSA), U.S. Cyber Command and Central Security Service, is seen near the visitor's entrance to the headquarters of the NSA at the entrance in Fort Meade, Maryland, February 14, 2018. (Photo by SAUL LOEB/AFP via Getty Images)

A Chinese cybersecurity firm released a report Wednesday that revealed a decade-old exploit allegedly created by a covert hacking group associated with the U.S. National Security Agency.

The report is the first time that a Chinese cybersecurity firm has both attributed a cyberattack to a U.S. hacking group and included technical indicators of compromise.

“It’s a completely different type of report here that that seems to mimic Western name-and-shame,” said Winnona DeSombre, fellow at the Atlantic Council and Harvard’s Belfer Center.

Pangu Lab researchers said they first discovered the backdoor in 2013 during an “in-depth forensic investigation of a host in a key domestic department.” The researchers were later able to tie it to the “The Equation Group,” a group of hackers said to be affiliated with the NSA, after NSA documents leaked by a group known as the “The Shadow Brokers” published hacking files that allegedly belonged to the NSA’s operation.


“The tool is well-designed, powerful, and widely adapted,” the researchers write. “Its network attack capability equipped by 0day vulnerabilities was unstoppable, and its data acquisition under covert control was with little effort.”

Chinese firms have only publicly attributed attacks to U.S.-government affiliated hacking groups twice before: Once in 2016 and more recently in 2020 when the firm Qihoo 360 reported a decade of cyberattacks it attributed to APT-C-39, a group it affiliated with the CIA. In both cases, researchers relied on leaks of U.S. hacking materials to make their attributions.

Researchers generally share indicators of compromise so that other researchers can use them to help detect future campaigns. The Pangu Lab report includes a potential list of victims across 45 countries and five key industries.

But given that the indicators, in this case, are nearly a decade old, it’s not clear how much value they provide, said DeSombre.

Still, “it gives the potential victims a reason to go looking to see if there is something there,” said DeSombre. “So what they’ve done here is they’ve taken the Shadow Brokers leak, and they’ve taken the technical indicators that they’ve gleaned from Chinese victims, and they’ve been able to piece them together in a way that’s a very compelling narrative.”


A different setting

The relationship between the government and the cybersecurity industry in China is more regulated in China than in the United States.  A law introduced last year requires Chinese researchers to report zero-day bugs to the government first instead of vendors.

Adam Segal, director of the digital and cyberspace policy program at the Council for Foreign Relations, cautioned against making any conclusions about the Chinese government’s official stance about attributions from the Pangu Lab report.

“The official Chinese stance is that attribution is hard and states shouldn’t rush into it. That when the U.S. had done it, it’s unprofessional and unscientific,” said Segal. “I don’t see anything that dramatically shifts that position.”

Pangu Labs rolled out the report alongside a new website where it rebranded itself from just a security research company to an “attack and defense research” firm. That reframing is worth note in itself, said DeSombre.


“The threat intelligence industry in the United States is very robust when it comes to public reporting, sharing of information,” said DeSombre. “And so it’s not nearly the same in China at the moment, but it does seem to be growing slowly. And especially that willingness to target and or not target but attribute Western organizations that seem to be growing as well.”

While some U.S.-based cyber firms have proven reluctant to publicly burn U.S. cyber operations, those based outside the U.S. have sometimes been more willing.

The NSA did not immediately respond to a request for comment. Pangu Labs could not be reached for comment.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts