A group of Hungarian security researchers from CrySyS Lab and Ukatemi has now revealed that the NSA dump doesn't just contain zero-day exploits used to take control of targeted systems, but also include a collection of scripts and scanning tools the agency uses to track operations of hackers from other countries.
According to a report published today by the Intercept, NSA's specialized team known as Territorial Dispute (TeDi) developed some scripts and scanning tools that help the agency to detect other nation-state hackers on the targeted machines it infects.
NSA hackers used these tools to scan targeted systems for 'indicators of compromise' (IoC) in order to protect its own operations from getting exposed, as well as to find out what foreign threat actors are stealing and which hacking techniques they are using.
"When the NSA hacks machines in Iran, Russia, China and elsewhere, its operators want to know if foreign spies are in the same machines because these hackers can steal NSA tools or spy on NSA activity in the machines," the publication reports.
"If the other hackers are noisy and reckless, they can also cause the NSA's own operations to get exposed. So based on who else is on a machine, the NSA might decide to withdraw or proceed with extra caution."NSA's Territorial Dispute team maintains a database of digital signatures, like fingerprints for file and snippets from various hacking groups, to track APT operations for attribution.
It also appears that the NSA hackers were tracking some of the tools from Dark Hotel in 2011—that's about 3 years prior to the wider security community discovered the hacking group.
Dark Hotel is a sophisticated cyber espionage group believed to be from South Korea, well known for targeting hotel Wi-Fi networks to spy on senior-level executives at organisations in manufacturing, defense, investment capital, private equity, automotive and other industries.
The group of researchers has planned to release its findings of the NSA scripts and scanning tools this week at the Kaspersky Security Summit in Cancun, which would help other researchers to dig through the data and identify more of the APT groups the NSA is hunting.
"The team also hopes the information will help the community classify some malware samples and signatures that have previously been uncovered by the security community but remain unattributed to a specific threat group because researchers don’t know to which advanced hacking group they belong," the Intercept says.Cryptography and System Security (CrySyS Lab) is best known for uncovering an Israeli spying tool called Duqu in 2011, which was believed to be developed by the same Israeli hackers who took the U.S. help to develop the infamous Stuxnet malware for sabotaging Iranian nuclear program.
