Although the initial leak of NSA cyberweapons by the Shadow Brokers occurred in August 2017, the fallout continues as new research uncovered an NSA tracking program designed to gather data on nation-state hacking groups.
A research team led by Boldizsár Bencsáth in the Laboratory of Cryptography and System Security (CrySyS Lab) at the Budapest University of Technology and Economics in Hungary, found NSA tracking tools created by the agency's Territorial Dispute team. Bencsáth's team found evidence that the NSA was tracking 45 malware attacks by advanced persistent threats (APT).
According to a report by The Intercept, which obtained the research prior to its official reveal at the Kaspersky Security Analyst Summit on March 9, the NSA tracking program aimed to gather information by infecting the same target system as an APT to understand not only when and who threat actors will attack but to find out what was being stolen in real time.
The NSA tracking tools included instructions to abandon a target system if there was too much risk of being discovered, including when the agency came across unknown malware, as well as instructions to seek help when known malware or "friendly tools" were discovered.
Satya Gupta, co-founder and CTO at Virsec, a cybersecurity company headquartered in San Jose, Calif., said this was evidence of "the eternal dilemma of spying."
The surprising part is how much detail continues to be exposed by the Shadow Brokers, which continues to be an intelligence disaster.
Satya Guptaco-founder and CTO, Virsec
"Staying undetected is critical to gathering ongoing intelligence, but if you don't act on the intelligence, there are risks of further damage. Given how elusive hackers are, it's understandable that [the NSA] didn't want to risk being exposed," Gupta told SearchSecurity. "This type of activity should not be a surprise and is likely widespread. The surprising part is how much detail continues to be exposed by the Shadow Brokers, which continues to be an intelligence disaster."
Leon Lerman, co-founder and CEO of Cynerio, a healthcare cybersecurity company headquartered in Tel Aviv, Israel, and other experts agreed this NSA tracking program was to be expected.
"I'm sure other countries have similar operations running to be able to identify interesting targets they should pay closer attention to and get better understanding of the tools other hackers are using to potentially improve their own tools," Lerman told SearchSecurity. "We have seen in several examples in the past, 'new' nation-state agency hacking tools were just an upgrade or a different variation of an already known malware."
NSA tracking targets
Bencsáth's team attempted to use code samples from the Shadow Brokers dump to identify the malware being tracked by the NSA. Some were found to be well-known attacks like Duqu and Dark Hotel, but others could not be identified and it's unclear if any were groups only known to the NSA. It is also unclear if any of the groups being tracked were part of friendly nation militaries.
Bencsáth told The Intercept that the NSA tracking team used as few as two-to-five indicators of compromise (IOC) to follow each group.
Gupta said this could be enough information, based on what the NSA planned to do about any APTs being monitored.
"Mathematically, five IOCs, if reliable, can give you a high degree of probability. If you're trying to identify likely bad actors, it is plenty of information," Gupta said. "But if you're trying to definitively block APTs, the bar needs to be set higher. This reinforces why spy agencies tend to prefer remaining quiet."
