The Strange Journey of an NSA Zero-Day—Into Multiple Enemies' Hands

How a "secret" hackable bug found by the NSA was used over by Chinese, North Korean, and Russian hackers to wreak havoc.
scan of different keys
Elizabeth Livermore/Getty Images

The notion of a so-called zero-day vulnerability in software is supposed to mean, by definition, that it's secret. The term refers to a hackable flaw in code that the software's maker doesn't know about but that a hacker does—in some cases offering that hacker a powerful, stealthy skeleton key into the hearts of millions of computers. But according to new findings from security firm Symantec, one extraordinarily powerful flaw in Microsoft software at one point remained "secret" to Microsoft while at least three active hacker groups knew about it. And both before and after that secret became public in early 2017, it took a long, strange trip through the hands of intelligence agencies around the world, enabling years of espionage and, eventually, mayhem.

On Monday, Symantec revealed that it had traced how a hacker group it calls Buckeye—also known as APT3 or Gothic Panda and widely believed to be a contractor of the Chinese Ministry of Security Services—used NSA hacking tools apparently intercepted from the networks of NSA targets and repurposed those tools to use against other victims, including US allies. Most notably, Symantec says, the Chinese group's hacking had planted an NSA backdoor on the network of its victims using a zero-day vulnerability in Microsoft's Server Message Block (SMB) software, also seemingly learned by studying the NSA's hacking tools.

That newly revealed hijacking of the NSA's intrusion techniques doesn't just dredge up longstanding questions about how and when the NSA should secretly exploit software vulnerabilities to use for spying rather than help software companies to fix them. It also adds another chapter to the strange story of this particular zero-day's journey: Created by the NSA, intercepted by China, later stolen and leaked by another mysterious hacker group known as the Shadow Brokers, and ultimately used by North Korea and Russia in two of the most damaging and costly cyberattacks in history.

"Based on what we know historically, it’s extremely unusual to have a zero-day be utilized like this by multiple groups, some of them unbeknownst to each other, for years," says Eric Chien, a Symantec security analyst. "I can’t think of another case where something like this has ever happened."

With the addition of Symantec's findings, here's what we now know about the timeline of that zero-day's path.

Born at the NSA

The SMB vulnerability—labelled as CVE-2017-0143 and CVE-2017-0144 in two slightly different forms—appears to have first been discovered by the NSA sometime before 2016, though the NSA has never publicly admitted to having used it; it wouldn't be tied to the agency until it leaked in 2017, revealing its integration in NSA tools called EternalBlue, EternalRomance, and EternalSynergy.

The SMB zero-day no doubt represented a kind of precious specimen for the agency's spies: Microsoft's SMB feature allows the sharing of files between PCs. But the agency's researchers found that it could be tricked into confusing harmless data with executable commands that an attacker injected via SMB into a computer's memory. That made it a rare entry point that the NSA's hackers could use to run their own code on practically any Windows machine with no interaction from the target user, and one that offered access to the computer's kernel, the deepest part of its operating system. "It’s exactly the kind of vulnerability someone would want," Chien says. "The target doesn’t have to open a document or visit a website. You have a machine on the internet, and I can get you with it. I immediately have the highest privileges available to me."

Or, as Matthew Hickey, founder of security firm Hacker House, at one point described it, "It’s internet God mode."

Adopted by China

Symantec found that by March 2016, the SMB zero-day had been obtained by the Chinese BuckEye group, which was using it in a broad spying campaign. The BuckEye hackers seemed to have built their own hacking tool from the SMB vulnerability, and just as unexpectedly were using it on victim computers to install the same backdoor tool, called DoublePulsar, that the NSA had installed on its targets' machines. That suggests that the hackers hadn't merely chanced upon the same vulnerability in their research—what the security world calls a bug collision.; they seemed to have somehow obtained parts of the NSA's toolkit.

Symantec's researchers say they still don’t know how the BuckEye hackers got the NSA’s hacking secrets. But Symantec's Chien says their theory is that the tools were found in victim networks, reverse-engineered, and repurposed. "It doesn't look like they had the exploit executables,” says Jake Williams, a former NSA hacker and now founder of security firm Rendition Infosec, who reviewed Symantec's findings. "But it's possible they were able to steal them [when they were] being thrown at targets by monitoring network communications."

Symantec says it detected BuckEye’s hackers in five different intrusions, stretching from March 2016 to August 2017, all using the combination of the SMB exploit and the NSA's DoublePulsar backdoor. Those intrusions, all seemingly bent on espionage, hit telecommunications companies as well as research and educational organizations in Hong Kong, the Philippines, Vietnam, Belgium, and Luxembourg.

Leaked and Weaponized

Starting a year after those stealthy intrusions began, however, the NSA's zero-day was hijacked in a far more public fashion. In April 2017, a still-mysterious group calling itself the Shadow Brokers dumped the NSA's EternalBlue, EternalRomance, EternalSynergy, and DoublePulsar tools into public view, part of a series of leaks from the group that had started the previous summer with a failed attempt to auction the stolen tools to the highest bidder. It's still entirely unclear how the NSA's crown jewels ended up in the Shadow Brokers' hands, though theories include a rogue NSA insider selling the tools and hackers chancing upon an NSA "staging server," a machine used as a kind of remote outpost from which to launch operations.

Anticipating that leak, Microsoft had pushed out an emergency SMB patch after a warning from the NSA. Nonetheless, over the next two months, the now-public EternalBlue and EternalRomance were integrated into a pair of nation-state cyberattacks that hit the vast numbers of still-unpatched computers across the globe, with catastrophic consequences.

First, the North Korean–coded WannaCry worm tore through the internet, combining EternalBlue with a ransomware payload that encrypted hundreds of thousands of computers, from police departments in India and universities in China to the National Health Service in the United Kingdom. The next month, Russian military intelligence hackers combined EternalBlue and EternalRomance with the open source hacking tool Mimikatz to create an even larger digital debacle. That second worm was targeted at Russia's enemies in Ukraine and wiped an estimated 10 percent of the country's computers. But it quickly spread beyond Ukraine's borders, paralyzing companies such as Maersk, a European subsidiary of FedEx, the US pharmaceutical Merck, and many others, costing a record-breaking $10 billion in damage.

Despite the NSA's decision to help Microsoft patch its SMB flaw before those attacks, the agency has already faced plenty of criticism for having kept its zero-day secret for as long as it did. But with Symantec's latest revelations, the knowledge of yet another hacker campaign that had somehow obtained that zero-day and was using it for global spying will no doubt spark those criticisms again. It may lead to a reexamination of the White House's so-called Vulnerabilities Equities Process, a system of determining which flaws that US agencies discover should be patched and which ones should be used for operations. "No matter how you play it, the fact that someone else besides the Shadow Brokers had these exploits is extremely concerning and raises serious questions about our vulnerability equities process," Williams says.

But others counter that the reuse of hacking tools by adversaries should be part of the expected cost of using them in the first place. And as Symantec's BuckEye research shows, that cost may be entirely hidden: The reuse of a zero-day by an adversary can remain as secret as its initial use for years afterward—more than three years, in this case.

"When you utilize a vulnerability, it has a chance to be discovered," Chien says. “That can happen, and we saw it happen here. But we didn’t know it had happened for quite some time.”


More Great WIRED Stories