When the mysterious entity known as the “Shadow Brokers” released a tranche of stolen NSA hacking tools to the internet a year ago, most experts who studied the material homed in on the most potent tools, so-called zero-day exploits that could be used to install malware and take over machines. But a group of Hungarian security researchers spotted something else in the data, a collection of scripts and scanning tools that the National Security Agency uses to detect other nation-state hackers on the machines it infects.
It turns out those scripts and tools are just as interesting as the exploits. They show that in 2013 — the year the NSA tools were believed to have been stolen by the Shadow Brokers — the agency was tracking at least 45 different nation-state operations, known in the security community as advanced persistent threats, or APTs. Some of these appear to be operations known by the broader security community — but some may be threat actors and operations currently unknown to researchers.
The scripts and scanning tools dumped by Shadow Brokers and studied by the Hungarians were created by an NSA team known as Territorial Dispute, or TeDi. Intelligence sources told The Intercept that the NSA established the team after hackers, believed to be from China, stole designs for the military’s Joint Strike Fighter plane, along with other sensitive data, from U.S. defense contractors in 2007; the team was supposed to detect and counter sophisticated nation-state attackers more quickly, when they first began to emerge online.
“As opposed to the U.S. only finding out in five years that everything was stolen, their goal was to try to figure out when it was being stolen in real time,” one intelligence source told The Intercept.
But their mission evolved to also provide situational awareness for NSA hackers to help them know when other nation-state actors are in machines that they’re trying to hack. The NSA could not immediately be reached for comment.
“Their goal was to try to figure out when it was being stolen in real time.”
When the NSA hacks machines in Iran, Russia, China, and elsewhere, its operators want to know if foreign spies are in the same machines because these hackers can steal NSA tools or spy on NSA activity in the machines. If the other hackers are noisy and reckless, they can also cause the NSA’s own operations to get exposed. So based on who else is on a machine, the NSA might decide to withdraw or proceed with extra caution. Indeed, there are a number of warnings and other comments among the Territorial Dispute data instructing operators what to do when they discover certain malware files of particular interest — “UNKNOWN – PLEASE PULL BACK” are the instructions to operators for one file; “DANGEROUS MALWARE – SEEK HELP ASAP” and “FRIENDLY TOOL – SEE HELP ASAP” apply to others.
“They started to become concerned about sitting on a box with our tools and there being other actors there that could steal or figure out what we were doing. It was to avoid being detected,” a second intelligence official familiar with the program told The Intercept.
The Territorial Dispute scripts use digital signatures to hunt APT actors. Such signatures act like fingerprints for hacking groups — they can include file names or snippets of code from known malware that the advanced threat actors use repeatedly or particular changes the advanced hackers are known to make to a machine’s core operating system settings. Such elements are called indicators of compromise, or IoC, by the security community.
None of the advanced threat groups are identified in the NSA scripts by names commonly used for them by the research community — instead the NSA calls them Sig1, Sig2, etc. — but the Hungarian researchers have spent the last year going through the scripts to try to match them to known malware samples and advanced threat groups. They have also studied the sequence of signatures in the NSA’s numbered list to determine when the Territorial Dispute team added certain operations to the list and see if the NSA may have known about certain operations before the security community.
In at least one case, involving a sophisticated hacking group known as Dark Hotel, believed to be from South Korea and targeting entities in Asia, it appears the NSA may have been tracking some of the group’s tools in 2011, about three years before the broader security community discovered them.
“It raises questions … about whether the NSA should have leaked or published information about some of this unidentified stuff,” said Boldizsár Bencsáth, from the Laboratory of Cryptography and System Security, also known as CrySyS Lab.
The research team, led by Bencsáth, includes colleagues from his lab and researchers from the Hungarian security firm Ukatemi. The CrySyS Lab is best known for its 2011 discovery of an Israeli spy tool called Duqu, believed to be created by some of the same Israeli hackers who were involved in developing the famous Stuxnet digital attack used to sabotage Iran’s nuclear program.
Bencsáth’s team plans to release its findings about the NSA scripts this week at the Kaspersky Security Summit in Cancun, Mexico, in the hopes that other researchers will dig through the data to identify more of the advanced threat groups that the NSA is hunting. The team also hopes the information will help the community classify some malware samples and signatures that have previously been uncovered by the security community, but remain unattributed to a specific threat group because researchers don’t know to which advanced hacking group they belong. The team has only been able to definitively identify a handful of the advanced threat groups so far, with plausible guesses about many others.
“Based on the current results, some attacks, samples, or even hundreds of samples will get to be identified as part of some APT attacks that [were] previously unknown or partially unknown,” the team’s report states.
Bencsáth notes that in most cases the NSA used between two and five indicators of compromise for each threat group it was hunting, even though security researchers can generally amass dozens or, in some cases, even hundreds for a hacking group. One of the intelligence officials told The Intercept that the NSA only needs a few high-quality signatures to find an APT. “It’s a big myth that there are thousands of [signatures] for any particular groups,” he notes. “These [Territorial Dispute] guys really focus on finding the two or three telltale signs that could lock you in [on an APT].”
The NSA doesn’t just scan for foreign threat actors to protect its own operations, it’s also interested in observing what the foreign hackers are stealing and how they’re doing it. And such scanning can also help the NSA uncover high-value targets in geographical regions where it might lack the insight needed to identify the best machines to target.
“In some regions where you might not have all the specific insights it could be very important to know if you’re on the right box,” the second official told The Intercept. If multiple threat actors are on the same machine, this would indicate a valuable target.
In fact, it’s not uncommon to find multiple advanced persistent threat groups on high-value systems. In March 2014, Kaspersky Lab discovered multiple groups on a machine at a research institute in the Middle East that Kaspersky dubbed the “Magnet of Threats”; in addition to Regin, believed to be a British spy kit, they found the NSA’s Equation Group malware, as well as modules belonging to Flame, believed to be an Israeli operation; Animal Farm, believed to belong to French intelligence; Careto (or Mask), believed to be a Spanish-speaking nation-state group; and Turla, a Russian-speaking group.
The Territorial Dispute team created their signatures for APTs in sequential order; whenever a new attack was uncovered or someone found something interesting that was suspected of being an advanced threat group, a new signature was created, according to one of the intelligence sources. Although the team initially focused on Chinese and Russian hacking groups, those of other nations got added over time, including Israel and even the U.S., as Bencsáth’s team discovered.
Sig1, the first NSA malware signature on the list when it was created in 2007, refers to Agent.btz, according to Bencsáth’s team. Dubbed “the most serious breach of the U.S. military’s classified computer systems,” the Agent.btz worm is believed to have been introduced to the Department of Defense’s high-security Secret Internet Protocol Router, or SIPR, network for classified information from a USB stick that a soldier picked up at an internet cafe in Afghanistan. It has been attributed to Russia.
Bencsáth’s team identifies Sig25 as the threat actor known to researchers as Dark Hotel and Tapaoux. A top-tier actor, the group is believed to have been active since 2007 and targets high-profile executives, government agencies, and NGOs, with their primary focus being entities in North Korea, Japan, and India — countries in Asia with nuclear programs. “Their targeting is nuclear-themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments,” Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team, has said. Raiu’s team, which publicly exposed some of Dark Hotel’s hacks in 2014, found indications it may have originated from South Korea.
One of the former intelligence officials told The Intercept that Sig16 is an Israeli APT. The Hungarian researchers believe this signature is for Flame, a massive spy kit discovered by Kaspersky Lab in 2012 and believed to have been created in 2007 by the some of the same team that worked on Stuxnet.
Sig8 on the NSA list is looking for signs of Stuxnet infections on machines, according to Bencsáth’s team.
Why would the NSA be searching machines it’s hacking for its own malware or that of its hacking allies? In the case of hacking tools belonging to the close U.S. allies in the “Five Eyes” group that includes the United Kingdom, Canada, Australia, and New Zealand, it’s likely looking for these for deconfliction purposes, so that parties with mutual interests aren’t running into each other on the same machines. But in the case of Stuxnet, one of the former intelligence officials said that signatures were added by the Territorial Dispute team in 2010 after Stuxnet had begun to spread uncontrollably — spreading that led to its discovery and public exposure.
“There were cleanup efforts,” the official said.
All of this raises questions about what NSA operators are told about the APTs for which they’re scanning. Stuxnet was a highly classified, closely held operation that was known to only a small group of people in the government and the NSA, so telling operators about the malware Sig8 was trying to detect could have put the cover operation at risk of being exposed. For this reason, the former intelligence officials told The Intercept that the operators are kept largely in the dark.
“The guys running ops were told they had to start running these scripts to see if any of these other tools were there,” he said. “But they don’t know what any of the things are.”