
China thrilled it has captured already-leaked NSA cyber-weapon

China claims it has obtained malware used by the NSA to steal files, monitor and redirect network traffic, and remotely control computers to spy on foreign targets.

The software nasty, dubbed NOPEN, is built to commandeer selected Unix and Linux systems, according to Chinese Communist Party tabloid Global Times, which today cited a report it got exclusively from China’s National Computer Virus Emergency Response Center.

Trouble is, NOPEN was among the files leaked in 2016 by the Shadow Brokers. If you can recall back that far, the Shadow Brokers stole and dumped online malware developed by the Equation Group, which is understood to be a team within the NSA.

At the time, security researchers at Vectra analyzed NOPEN in the leaked Equation Group materials, and described it as a remote-access trojan for Unix-like systems, which matches the NOPEN Global Times got excited about today.

In effect, Global Times has told us China has “captured a spy tool deployed by the US National Security Agency,” a spy tool that we’ve known about for years. Why China would like the world to know about NOPEN again now is anyone’s guess. Perhaps Beijing wanted to counter claims by the West that China has been spying on organizations and ripping off their intellectual property, or hoped to inject some extra mischief into the tense standoff between Russia, China, and the West over President Putin’s invasion of Ukraine.

NSA used NOPEN to take over “a large number” of computers around the world, and the theft of data from this equipment has caused “inestimable losses,” the tabloid reported. The American malware would install a backdoor that once activated would allow miscreants to connect in, extract files, change the operation of the system, and explore the network for other resources to hijack or steal.

The NSA did not immediately respond to inquiries from The Register about NOPEN and other claims of spies doing spying in the article.

Obviously the Middle Kingdom would never stoop to such tactics itself: other than being the top spot for cyber-attacks against the US, the Microsoft Exchange Server debacle, and let’s not mention the cows.

This follows a similar Global Times report that claimed the NSA has been using cyber-weapons to attack almost 50 countries and regions for a decade with a specific focus on Chinese government agencies, high-tech firms, and military-related institutes. 

While it’s not out of the ordinary for Beijing to accuse Washington of cyber espionage and related attacks, NOPEN wouldn’t be the first time that NSA-developed offense code landed in the wrong hands. Perhaps the most infamous example of this is the WannaCry ransomware attack in 2017, which used the Equation Group’s EternalBlue tool to exploit a vulnerability in Microsoft’s SMB file sharing services.

EternalBlue was stolen and leaked online before North Korean-backed criminals used it in WannaCry to infect hospitals, banks, and other businesses across 150 countries.

The Global Times also cited an anonymous Chinese cybersecurity expert who said NOPEN is or was the primary weapon in the NSA’s cyber arsenal. “The vast majority of the NSA’s arsenal consists of stealth fighters and submarines that can easily attack victims without their knowledge,” the expert reportedly said. ®