A year ago, when the mysterious hacking group ‘The Shadow Brokers’ dumped a massive trove of sensitive data stolen from the US intelligence agency NSA, everyone started looking for secret hacking tools and zero-day exploits.
A group of Hungarian security researchers from CrySyS Lab and Ukatemi has now revealed that the NSA dump doesn’t just contain zero-day exploits used to take control of targeted systems, but also includes a collection of scripts and scanning tools the agency uses to track the operations of hackers from other countries.
According to a report published today by the Intercept, an NSA team known as Territorial Dispute (TeDi) developed scripts and scanning tools that help the agency detect other nation-state hackers on the targeted machines it infects.
“When the NSA hacks machines in Iran, Russia, China and elsewhere, its operators want to know if foreign spies are in the same machines because these hackers can steal NSA tools or spy on NSA activity in the machines,” the publication reports.
“If the other hackers are noisy and reckless, they can also cause the NSA’s own operations to get exposed. So based on who else is on a machine, the NSA might decide to withdraw or proceed with extra caution.”
NSA’s Territorial Dispute team maintains a database of digital signatures, essentially fingerprints for files and code snippets from various hacking groups, to track APT operations for attribution.
According to the researchers, when the Shadow Brokers managed to hack the NSA’s networks and steal a collection of sensitive files in 2013, the agency was tracking at least 45 different state-sponsored APT groups.
The group of researchers plans to release its findings on the NSA scripts and scanning tools this week at the Kaspersky Security Summit in Cancun, which should help other researchers dig through the data and identify more of the APT groups the NSA is hunting.
“The team also hopes the information will help the community classify some malware samples and signatures that have previously been uncovered by the security community but remain unattributed to a specific threat group because researchers don’t know to which advanced hacking group they belong,” the Intercept says.