When the still-unidentified group calling itself the Shadow Brokers spilled a collection of NSA tools onto the internet in a series of leaks starting in 2016, they offered a rare glimpse into the internal operations of the world's most advanced and stealthy hackers. But those leaks haven't just let the outside world see into the NSA's secret capabilities. They might also let us see the rest of the world's hackers through the NSA's eyes.

Over the last year, Hungarian security researcher Boldizsár Bencsáth has remained fixated by one of the less-examined tools revealed in that disemboweling of America's elite hacking agency: A piece of NSA software, called "Territorial Dispute," appears to have been designed to detect the malware of other nation-state hacker groups on a target computer that the NSA had penetrated. Bencsáth believes that specialized antivirus tool was intended not to remove other spies' malware from the victim machine, but to warn the NSA's hackers of an adversary's presence, giving them a chance to pull back rather than potentially reveal their tricks to an enemy.

That means the Territorial Dispute tool might offer hints of how NSA sees the broader hacker landscape, argues Bencsáth, a professor at CrySys, the Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics. In a talk on the leaked software at Kaspersky's Security Analyst Summit later this week—and in a paper he's planning to post to the CrySys website on Friday and asking others to contribute to—he's calling on the security research community to join him in investigating the software's clues.

In doing so, Bencsáth hopes to determine which other countries' hackers the NSA has been aware of, and when they became aware of them. Based on some matches he's established between elements of Territorial Dispute's checklist and known malware, he argues the leaked program potentially shows that the NSA had knowledge of some groups years before those hackers' operations were revealed in public research. Since it also includes checks for some malware he hasn't been able to match with public samples, Bencsáth believes the tool demonstrates the NSA's knowledge of some foreign malware that still hasn't been publicly revealed. He hopes that more researchers digging into the software might lead to a better understanding of the NSA's view of its adversaries, and even potentially reveal some still-secret hacker operations today.

"The idea is to find out what the NSA knew, to find out the difference between the NSA viewpoint and the public viewpoint," says Bencsáth, arguing that there may even be a chance of uncovering current hacking operations, so that antivirus or other security firms can learn to detect their infections. "Some of these attacks might even still be ongoing and alive."

Rogue's Gallery

When the leaked version of Territorial Dispute runs on a target computer, it checks for signs of 45 different types of malware—neatly labelled SIG1 through SIG45—by searching for unique files or registry keys those programs leave on victim machines. By cross-referencing those so-called "indicators of compromise" with CrySys's own database of millions of known malware samples, Bencsáth was able to identify 23 of the entries on Territorial Dispute's malware list with some degree of confidence.
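To make the mechanism described above concrete, here is an added example (not the leaked tool, and not code from CrySys or Bencsáth) of what a signature checklist of this kind looks like in practice: each entry is a small set of file paths and registry keys, a host is scanned for any of them, and each hit is then cross-referenced against an analyst's database of publicly known samples to see whether it has a public match. Every path, registry key, signature number and family name in the code is a constructed placeholder, not a real indicator.

```python
# Added example: a minimal indicator-of-compromise matcher in the style the
# article describes. Not the leaked tool and not CrySys code.
# Every path, registry key, signature id and family name below is a
# constructed placeholder, not a real indicator.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


def normalize(indicator: str) -> str:
    """Windows file paths and registry keys are case-insensitive, so
    compare them in a canonical form (lower-case, forward slashes).
    Without this, a listing that reports C:\\WINDOWS would miss a
    signature written as C:\\Windows."""
    return indicator.strip().lower().replace("\\", "/")


@dataclass(frozen=True)
class Signature:
    sig_id: str                    # the tool's own label, like "SIG1"
    files: FrozenSet[str]          # files the implant leaves behind
    registry_keys: FrozenSet[str]  # registry keys it creates


@dataclass
class HostSnapshot:
    """What an operator can see on the target: a file listing and a
    registry key listing. Built from constructed data in this example."""
    files: Set[str]
    registry_keys: Set[str]


# Constructed signature table (placeholders, not real indicators).
SIGNATURES: List[Signature] = [
    Signature("SIG-A",
              frozenset({normalize(r"C:\Windows\System32\example_a.dll")}),
              frozenset({normalize(r"HKLM\Software\ExampleA\Run")})),
    Signature("SIG-B",
              frozenset({normalize(r"C:\ProgramData\example_b\cache.dat")}),
              frozenset()),
    Signature("SIG-C",
              frozenset(),
              frozenset({normalize(r"HKCU\Software\ExampleC\Config")})),
]

# Constructed analyst database mapping an indicator to a publicly known
# family; it stands in for the sample database the article mentions.
KNOWN_SAMPLES: Dict[str, str] = {
    normalize(r"C:\Windows\System32\example_a.dll"): "Family-A (placeholder)",
    normalize(r"HKCU\Software\ExampleC\Config"): "Family-C (placeholder)",
}


def scan_host(snapshot: HostSnapshot,
              signatures: List[Signature]) -> List[Tuple[str, FrozenSet[str]]]:
    """Return (sig_id, matched indicators) for every signature with at
    least one hit. A single indicator is enough to report, which is the
    right bias for a tool whose job is to warn that someone else is
    already on the machine."""
    files = {normalize(f) for f in snapshot.files}
    keys = {normalize(k) for k in snapshot.registry_keys}
    hits: List[Tuple[str, FrozenSet[str]]] = []
    for sig in signatures:
        matched = (sig.files & files) | (sig.registry_keys & keys)
        if matched:
            hits.append((sig.sig_id, frozenset(matched)))
    return hits


def cross_reference(hits: List[Tuple[str, FrozenSet[str]]],
                    known_samples: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Attribute each hit to a public family if any of its matched
    indicators is in the analyst database. None means the signature has
    no public match, the gap the article describes for unmatched entries."""
    result: Dict[str, Optional[str]] = {}
    for sig_id, matched in hits:
        result[sig_id] = next(
            (known_samples[ind] for ind in matched if ind in known_samples),
            None)
    return result


# Constructed host snapshot: SIG-A and SIG-B are present (by file, with
# mixed case), SIG-C is absent.
SAMPLE_HOST = HostSnapshot(
    files={r"C:\WINDOWS\system32\EXAMPLE_A.DLL",
           r"C:\ProgramData\example_b\cache.dat",
           r"C:\Users\u\notes.txt"},
    registry_keys={r"HKLM\Software\Unrelated\Key"},
)

if __name__ == "__main__":
    found = scan_host(SAMPLE_HOST, SIGNATURES)
    for sig_id, family in cross_reference(found, KNOWN_SAMPLES).items():
        print(sig_id, family or "no public match")
```

Run as a script, it reports SIG-A attributed to the placeholder family and SIG-B with no public match, which mirrors the two outcomes the article describes: entries that line up with known samples and entries that do not. The only design choice worth noting is the normalization step; indicator checks on Windows that compare raw strings silently miss hits whenever the listing and the signature differ in case or slash direction.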

Bencsáth says SIG1, for instance, is the notorious Agent.btz worm that infected Pentagon networks in 2008, likely the work of Russian state hackers. SIG2 is malware used by another known Russian state hacker group, Turla. The last—and Bencsáth believes, most recent—entry on the list is a piece of malware discovered publicly in 2014, and also tied to that long-running Turla group.

Other specimens on the list range from the Chinese malware used to hack Google in 2010, to North Korean hacking tools. It even checks for the NSA's own malicious code: The joint Israeli and NSA creation Stuxnet, used to destroy Iranian nuclear enrichment centrifuges around the same time, is labelled as SIG8. While the inclusion of the NSA's own malware on the list may seem strange, Bencsáth speculates it may have been included as an artifact from a time before tools like Stuxnet were widely known to be a US operation, to prevent low-level operators from distinguishing US malware used in classified operations beyond their security clearance from the malware of foreign countries.