China claims it has obtained malware used by the NSA to steal files, monitor and redirect network traffic, and remotely control computers to spy on foreign targets.
The software nasty, dubbed NOPEN, is built to commandeer selected Unix and Linux systems, according to Chinese Communist Party tabloid Global Times, which today cited a report it got exclusively from China’s National Computer Virus Emergency Response Center.
Trouble is, NOPEN was among the files publicly leaked in 2016 by the Shadow Brokers. If you can recall back that far, the Shadow Brokers stole and dumped online malware developed by the NSA’s Equation Group.
At the time, security researchers at Vectra analyzed NOPEN in the leaked Equation Group materials, and described it as a remote-access trojan for Unix-like systems, which matches the NOPEN Global Times got excited about today.
In effect, Global Times has told us China has “captured a spy tool deployed by the US National Security Agency,” a spy tool that we’ve known about for years.
Why China would like the world to once again know about NOPEN is anyone’s guess. Perhaps Beijing wanted to counter claims by the West that China has been spying on organizations and ripping off their intellectual property, or hoped to inject some extra mischief into the tense standoff between Russia, China, and the West over President Putin’s bloody invasion of Ukraine.
The NSA used NOPEN to take over “a large number” of computers around the world, and the theft of data from this equipment has caused “inestimable losses,” we were told today. The American malware would install a backdoor that once activated would allow miscreants to connect in, extract files, change the operation of the system, and explore the network for other resources to hijack or steal, it is claimed.
The NSA declined to comment on NOPEN and other claims of spies-doing-spying in the article.
Obviously the Middle Kingdom would never stoop to such tactics, such as being a major source of cyber-attacks against the US; targeting Microsoft Exchange Server; and exploiting a cow-counting web app.
This follows a similar Global Times report that claimed the NSA has been using cyber-weapons to attack almost 50 countries and regions for a decade with a specific focus on Chinese government agencies, high-tech firms, and military-related institutes.
We note NOPEN wasn’t the only NSA-developed code to land in the wrong hands. The WannaCry ransomware outbreak of 2017 used the Equation Group’s EternalBlue tool to exploit a vulnerability in Microsoft’s SMB file sharing services. Eternalblue was stolen and leaked online by the Shadow Brokers before North Korean-backed criminals used it in WannaCry to infect hospitals, banks, and other businesses across 150 countries.
The Global Times also cited an anonymous Chinese cybersecurity expert who said NOPEN is or was the primary weapon in the NSA’s cyber arsenal. “The vast majority of the NSA’s arsenal consists of stealth fighters and submarines that can easily attack victims without their knowledge,” the expert reportedly said. ®
Editor’s note: This article was revised to include NOPEN’s connection to the Equation Group and Shadow Brokers.