The Strange Journey of an NSA Zero-Day—Into Multiple Enemies' Hands
How a "secret" hackable bug found by the NSA was used over and over by Chinese, North Korean, and Russian hackers to wreak havoc.
The notion of a so-called zero-day vulnerability in software is supposed to mean, by definition, that it's secret. The term refers to a hackable flaw in code that the software's maker doesn't know about but that a hacker does, in some cases offering that hacker a powerful, stealthy skeleton key into the hearts of millions of computers. But according to new findings from security firm Symantec, one extraordinarily powerful flaw in Microsoft software at one point remained "secret" to Microsoft while at least three active hacker groups knew about it. And both before and after that secret became public in early 2017, it took a long, strange trip through the hands of intelligence agencies around the world, enabling years of espionage and, eventually, mayhem.
On Monday, Symantec revealed that it had traced how a hacker group it calls Buckeye, also known as APT3 or Gothic Panda and widely believed to be a contractor of China's Ministry of State Security (MSS), obtained NSA hacking tools, apparently by capturing them from the networks of NSA targets, and repurposed them against other victims, including US allies. Most notably, Symantec says, the Chinese group planted an NSA backdoor on its victims' networks using a zero-day vulnerability in Windows' implementation of the Server Message Block (SMB) protocol, a flaw it also seems to have learned by studying the NSA's hacking tools.