Researchers Reveal APT31 Threat Group Cloned NSA Tool

Laptop Chinese Hacker

There is a wide range of cybersecurity threats out there right now, which differ vastly in type, severity, and sophistication. The recent trend, spanning only a few years, has shown the preference of cybercriminals to select particularly high-severity forms of attacks.

At the top of the cyberattack food chain, that which worries cybersecurity specialists most, is what is known as Advanced Persistent Threats, or APTs. These APT ‘groups’ are the ones behind devastating high-profile cyberattacks. The groups most often operate from countries such as Russia and China and are a severe threat to governments and intelligence agencies.

It was revealed and confirmed in a new research report by Check Point Research that APT group 31 (APT31) has successfully hijacked a security tool called “Jian” that was sourced from the U.S. National Security Agency (NSA). APT31 is considered to be one of (if not the most) advanced cybersecurity threats operating now for more than 20 years.

What is an APT?

An APT is an abbreviation for Advanced Persistent Threats. Threat actors (a.k.a hackers) are behind APTs that deliver highly dangerous malware payloads to the target. Malware found in APTs is specific, in that it is designed to continue working on breaching networks even if communication is cut off.

According to threat specialists FireEye, today’s APTs “can sidestep cybersecurity efforts and cause serious damage to your organization” and that these groups “present a challenge for organizational cybersecurity efforts”.

FireEye also states that “Traditional cyber security measures such as defense-in-depth, firewalls, and antivirus cannot protect against an APT attack”.

The Shadow Brokers

Check Point Research’s retroactive research confirmed in a recent report that Chinese-affiliated group APT31 (also known as Zirconium and Judgment Panda) successfully cloned an NSA ‘hack’ tool. Research teams came across this as they were working on “Windows Privilege Escalation exploits”. News of NSA hack tool leaks is not a new occurrence, although this latest research now has concrete evidence about the origins. The evidence confirms that Chinese hackers have recompiled an NSA tool into their own version. Segments of code belonging to an NSA ‘cyber offense’ tool were found matching the code in the Chinese “Jian” tool.

The infamous ‘Shadow Brokers’ leak was in 2016, about which Check Point Research stated; “a mysterious group has decided to publicly publish a wide range of cyber weapons allegedly developed by the Tailored Access Operations (TAO) unit of the NSA”. TAO is also referred to as ‘Equation Group’. According to the same report, the Shadow Brokers leak led to the world-famous ‘WannaCry‘ attack that caused immeasurable damage, with malicious activity still lingering on the internet.

Furthermore, research has revealed that the same group has cloned and stolen NSA tools even before the Shadow Brokers leaks. It is now confirmed that “APT31 had access to the actual exploit files of Equation Group”. Chinese group (APT31) are also the same hackers that have launched phishing attempts on Trump and Biden campaigns, taking place since last June.

APT31’s Jian

The latest report by Check Point revealed that researchers have confirmed Chinese hacker group APT31 has built their “Jian tool” from an earlier “EpMe” Windows-hacking code belonging to NSA-related Equation Group. The research showed that Chinese hackers built this code in 2014, and have used it from 2015 through 2017. Check Point research team believes that the tool was indeed used against “US targets”.

The report also reveals that the hackers had gotten hold of the tool before Microsoft was able to patch it. Lockheed Martin detected that “Jian” was used for approximately two years, after which they reported the issue to Microsoft.

Apparently, Chinese spies could have gotten hold of the ‘EpMe’ code during Equation Group’s operations on a Chinese network. It is also possible that hackers could have infiltrated Equation Group’s network directly and stolen the code.

Check Point’s Statements

Tel-Aviv-based Check Point researchers Eyal Itkin and Itay Cohen confirm why this case is so important, in that “if anyone will ever manage to steal and use nation-grade cyber tools, any network would become untrusted, and the world would become a very dangerous place to live in”. In their opinion, stealing nation-grade cyber tools is akin to a nuclear submarine falling in the wrong hands -the only difference being that stealing cyber tools “can be as simple as sending an email”. All of this can “easily go under the radar”.

The need to tighten cybersecurity measures to the max is extremely evident, especially now. The inclination of cybercrime groups towards developing global threats will continue. This will be correlated to exploiting lockdowns and sensitive data being transferred online, as well as the fact that nation-states are harboring threat groups.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at, while in his free time he likes to work on documentary projects, read about sociology and write about world events.