Security experts at CrySyS Lab and Ukatemi have revealed that the NSA dump leaked one year ago by the Shadow Brokers hacker group also contains a collection of scripts and scanning tools the NSA uses to track operations of foreign state-sponsored hackers.
A specific NSA unit, dubbed NSA Territorial Dispute (TeDi) developed these scripts to monitor activities of nation-state actors.
“The scripts and scanning tools dumped by Shadow Brokers and studied by the Hungarians were created by an NSA team known as Territorial Dispute, or TeDi.” reported The Intercept.
“the team was supposed to detect and counter sophisticated nation-state attackers more quickly, when they first began to emerge online.”
According to The Intercept, the NSA Territorial Dispute (TeDi) was established after the US intelligence discovered a Chinese cyber espionage campaign aimed to stole designs for the Joint Strike Fighter jet and other sensitive data from U.S. defense contractors in 2007;
“As opposed to the U.S. only finding out in five years that everything was stolen, their goal was to try to figure out when it was being stolen in real time,” one intelligence source told The Intercept.
The scanning tools and script allows the intelligence to check indicators of compromise (IOCs) on targeted systems, in this way the cyberspies were able to cover their operations and detect the activities of other state-sponsored hackers.
“But their mission evolved to also provide situational awareness for NSA hackers to help them know when other nation-state actors are in machines that they’re trying to hack. ” continues The Intercept.
“When the NSA hacks machines in Iran, Russia, China and elsewhere, its operators want to know if foreign spies are in the same machines because these hackers can steal NSA tools or spy on NSA activity in the machines,”
“If the other hackers are noisy and reckless, they can also cause the NSA’s own operations to get exposed. So based on who else is on a machine, the NSA might decide to withdraw or proceed with extra caution. NSA’s Territorial Dispute team maintains a database of digital signatures, like fingerprints for file and snippets from various hacking groups, to track APT operations for attribution.”
The Intercept noticed that the NSA Territorial Dispute was tracking the Dark Hotel APT group at least since 2011.
The group was first uncovered by experts at Kaspersky Lab in 2014, it was ongoing for at least four years while targeting selected corporate executives traveling abroad.
According to the experts, threat actors behind the Darkhotel campaign aim to steal sensitive data from executives while they are staying in luxury hotels.
The attackers appear high skilled professionals that exfiltrate data of interest with a surgical precision and deleting any trace of their activity, the researchers noticed that the gangs never go after the same target twice.
“It raises questions … about whether the NSA should have leaked or published information about some of this unidentified stuff,” said Boldizsár Bencsáth, from the Laboratory of Cryptography and System Security, also known as CrySyS Lab.
“The team also hopes the information will help the community classify some malware samples and signatures that have previously been uncovered by the security community but remain unattributed to a specific threat group because researchers don’t know to which advanced hacking group they belong,”