Although the initial leak of NSA cyberweapons by the Shadow Brokers occurred in August 2017, the fallout continues as new research has uncovered an NSA tracking program designed to gather data on nation-state hacking groups.

A research team led by Boldizsár Bencsáth in the Laboratory of Cryptography and System Security (CrySyS Lab) at the Budapest University of Technology and Economics in Hungary found NSA tracking tools created by the agency's Territorial Dispute team. Bencsáth's team found evidence that the NSA was tracking 45 malware attacks by advanced persistent threats (APTs).

According to a report by The Intercept, which obtained the research prior to its official reveal at the Kaspersky Security Analyst Summit on March 9, the NSA tracking program aimed to gather information by infecting the same target system as an APT, to understand not only when and whom threat actors would attack but also what was being stolen in real time.

The NSA tracking tools included instructions to abandon a target system if there was too much risk of being discovered, including when the agency came across unknown malware, as well as instructions to seek help when known malware or "friendly tools" were discovered.

Satya Gupta, co-founder and CTO at Virsec, a cybersecurity company headquartered in San Jose, Calif., said this was evidence of "the eternal dilemma of spying."

"Staying undetected is critical to gathering ongoing intelligence, but if you don't act on the intelligence, there are risks of further damage. Given how elusive hackers are, it's understandable that [the NSA] didn't want to risk being exposed," Gupta told SearchSecurity. "This type of activity should not be a surprise and is likely widespread. The surprising part is how much detail continues to be exposed by the Shadow Brokers, which continues to be an intelligence disaster."

Leon Lerman, co-founder and CEO of Cynerio, a healthcare cybersecurity company headquartered in Tel Aviv, Israel, and other experts agreed this NSA tracking program was to be expected.

"I'm sure other countries have similar operations running to be able to identify interesting targets they should pay closer attention to and get better understanding of the tools other hackers are using to potentially improve their own tools," Lerman told SearchSecurity. "We have seen in several examples in the past, 'new' nation-state agency hacking tools were just an upgrade or a different variation of an already known malware."