When the mysterious entity known as the “Shadow Brokers” released a tranche of stolen NSA hacking tools to the internet a year ago, most experts who studied the material homed in on the most potent tools, so-called zero-day exploits that could be used to install malware and take over machines. But a group of Hungarian security researchers spotted something else in the data: a collection of scripts and scanning tools that the National Security Agency uses to detect other nation-state hackers on the machines it infects.

It turns out those scripts and tools are just as interesting as the exploits. They show that in 2013 — the year the NSA tools were believed to have been stolen by the Shadow Brokers — the agency was tracking at least 45 different nation-state operations, known in the security community as advanced persistent threats, or APTs. Some of these appear to be operations known by the broader security community, but some may be threat actors and operations currently unknown to researchers.

The scripts and scanning tools dumped by Shadow Brokers and studied by the Hungarians were created by an NSA team known as Territorial Dispute, or TeDi. Intelligence sources told The Intercept that the NSA established the team after hackers, believed to be from China, stole designs for the military’s Joint Strike Fighter plane, along with other sensitive data, from U.S. defense contractors in 2007; the team was supposed to detect and counter sophisticated nation-state attackers more quickly, when they first began to emerge online.

“As opposed to the U.S. only finding out in five years that everything was stolen, their goal was to try to figure out when it was being stolen in real time,” one intelligence source told The Intercept. But their mission evolved to also provide situational awareness for NSA hackers, to help them know when other nation-state actors are in machines that they’re trying to hack. The NSA could not immediately be reached for comment.

“Their goal was to try to figure out when it was being stolen in real time.”

When the NSA hacks machines in Iran, Russia, China, and elsewhere, its operators want to know if foreign spies are in the same machines, because those hackers can steal NSA tools or spy on NSA activity on the box. If the other hackers are noisy and reckless, they can also cause the NSA’s own operations to get exposed. So, based on who else is on a machine, the NSA might decide to withdraw or to proceed with extra caution. Indeed, there are a number of warnings and other comments among the Territorial Dispute data instructing operators what to do when they discover certain malware files of particular interest: “UNKNOWN – PLEASE PULL BACK” are the instructions to operators for one file; “DANGEROUS MALWARE – SEEK HELP ASAP” and “FRIENDLY TOOL – SEEK HELP ASAP” apply to others.

“They started to become concerned about sitting on a box with our tools and there being other actors there that could steal or figure out what we were doing. It was to avoid being detected,” a second intelligence official familiar with the program told The Intercept.

The Territorial Dispute scripts hunt APT actors with detection signatures, in the antivirus sense of the word rather than cryptographic signatures. Such signatures act like fingerprints for hacking groups: they can include file names or snippets of code from known malware that an advanced threat actor reuses, or particular changes the group is known to make to a machine’s core operating system settings, such as Windows registry keys. The security community calls such elements indicators of compromise, or IoCs. None of the advanced threat groups are identified in the NSA scripts by the names the research community commonly uses for them; instead the NSA calls them Sig1, Sig2, and so on. The Hungarian researchers have spent the last year going through the scripts to try to match them to known malware samples and advanced threat groups. They have also studied the sequence of signatures in the NSA’s numbered list to determine when the Territorial Dispute team added certain operations to the list, and whether the NSA may have known about certain operations before the security community did.

In at least one case, involving a sophisticated hacking group known as Dark Hotel, believed to be from South Korea and targeting entities in Asia, it appears the NSA may have been tracking some of the group’s tools in 2011, about three years before the broader security community discovered them. “It raises questions … about whether the NSA should have leaked or published information about some of this unidentified stuff,” said Boldizsár Bencsáth, from the Laboratory of Cryptography and System Security, also known as CrySyS Lab. The research team, led by Bencsáth, includes colleagues from his lab and researchers from the Hungarian security firm Ukatemi. The CrySyS Lab is best known for its 2011 discovery of an Israeli spy tool called Duqu, believed to be created by some of the same Israeli hackers who were involved in developing the famous Stuxnet digital attack used to sabotage Iran’s nuclear program.

Bencsáth’s team plans to release its findings about the NSA scripts this week at the Kaspersky Security Analyst Summit in Cancún, Mexico, in the hope that other researchers will dig through the data to identify more of the advanced threat groups that the NSA is hunting. The team also hopes the information will help the community classify malware samples and signatures that have previously been uncovered but remain unattributed, because researchers have not been able to tie them to a specific threat group. The team has only been able to definitively identify a handful of the advanced threat groups so far, with plausible guesses about many others. “Based on the current results, some attacks, samples, or even hundreds of samples will get to be identified as part of some APT attacks that [were] previously unknown or partially unknown,” the team’s report states.
Bencsáth notes that in most cases the NSA used between two and five indicators of compromise for each threat group it was hunting, even though security researchers can generally amass dozens or, in some cases, even hundreds for a hacking group. One of the intelligence officials told The Intercept that the NSA only needs a few high-quality signatures to find an APT. “It’s a big myth that there are thousands of [signatures] for any particular groups,” he notes. “These [Territorial Dispute] guys really focus on finding the two or three telltale signs that could lock you in [on an APT].”
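To make concrete how a host-side scanner built on this idea fits together, here is an added Python example; it is not NSA, CrySyS or Ukatemi code, and every signature name, file path, registry key, byte pattern and host snapshot in it is constructed for illustration. It ties together the two points made above: each signature carries one of the operator instructions quoted earlier, indicators are checked as files, registry values and code snippets, and a signature only "locks in" once a minimum number of its indicators are present, which is how a handful of high-quality indicators can be made robust against a single coincidental match. The severity ordering used to reduce a report to one instruction is this example's assumption.

```python
import re
from dataclasses import dataclass

# Operator instructions as quoted from the Territorial Dispute data. The
# severity ordering is this example's assumption, not something the leaked
# scripts are reported to specify.
PULL_BACK = "UNKNOWN – PLEASE PULL BACK"
DANGEROUS = "DANGEROUS MALWARE – SEEK HELP ASAP"
FRIENDLY = "FRIENDLY TOOL – SEEK HELP ASAP"
SEVERITY = {DANGEROUS: 3, PULL_BACK: 2, FRIENDLY: 1}


@dataclass(frozen=True)
class Signature:
    name: str             # opaque NSA-style label such as "Sig1"
    action: str           # instruction shown to the operator when it fires
    files: tuple = ()     # full paths expected on disk
    registry: tuple = ()  # (key, value_name) pairs expected in the registry
    content: tuple = ()   # (path, bytes regex) code snippets inside a file
    min_hits: int = 1     # indicators that must match before the sig locks in


def _norm(s: str) -> str:
    """Windows paths and registry keys are case-insensitive; compare case-folded."""
    return s.replace("/", "\\").casefold()


def match_signature(sig: Signature, host: dict) -> list:
    """Return a description of every indicator of `sig` present on `host`."""
    files = {_norm(p): data for p, data in host["files"].items()}
    reg = {(_norm(k), v.casefold()) for (k, v) in host["registry"]}
    hits = []
    for p in sig.files:
        if _norm(p) in files:
            hits.append("file:" + p)
    for k, v in sig.registry:
        if (_norm(k), v.casefold()) in reg:
            hits.append("reg:" + k + "\\" + v)
    for p, pattern in sig.content:
        data = files.get(_norm(p))
        if data is not None and re.search(pattern, data, re.DOTALL):
            hits.append("content:" + p)
    return hits


def scan(host: dict, sigs) -> list:
    """Evaluate every signature against a host snapshot; report those that lock in."""
    report = []
    for sig in sigs:
        hits = match_signature(sig, host)
        if len(hits) >= sig.min_hits:
            report.append((sig.name, sig.action, tuple(hits)))
    return report


def operator_instruction(report):
    """Collapse a scan report into the single most urgent instruction, or None."""
    if not report:
        return None
    return max((action for _, action, _ in report), key=SEVERITY.__getitem__)


# Constructed signature set: names, paths and patterns are placeholders, not real IoCs.
SIGS = (
    Signature("Sig1", DANGEROUS,
              files=(r"C:\Windows\System32\example_svc.dll",),
              registry=((r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleSvc"),),
              min_hits=2),  # a lone DLL name is weak evidence; require the persistence key too
    Signature("Sig2", PULL_BACK,
              content=((r"C:\ProgramData\cache.tmp", rb"MZ.{0,64}loader_v3"),)),
    Signature("Sig3", FRIENDLY,
              files=(r"C:\Windows\Temp\probe_tool.log",)),
)

# Constructed host snapshots: what a collector would gather before the scan runs.
INFECTED_HOST = {
    "files": {
        r"C:\Windows\System32\EXAMPLE_SVC.DLL": b"MZ\x90\x00placeholder dll bytes",
        r"C:\ProgramData\cache.tmp": b"MZ\x90\x00\x03junk loader_v3 build 2013",
    },
    "registry": {
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ExampleSvc"):
            r"C:\Windows\System32\example_svc.dll",
    },
}
DLL_ONLY_HOST = {
    "files": {r"C:\Windows\System32\example_svc.dll": b"MZ\x90\x00placeholder"},
    "registry": {},
}

if __name__ == "__main__":
    for host in (INFECTED_HOST, DLL_ONLY_HOST):
        report = scan(host, SIGS)
        print(report, "->", operator_instruction(report))
```

On the infected snapshot Sig1 fires on two indicators (the DLL, matched despite the upper-case spelling on disk, and its Run key) and Sig2 fires on the code snippet, so the operator sees the most urgent instruction; on the host that only carries the DLL, Sig1 stays below its threshold and nothing is reported, which is the false-positive discipline behind keeping only the two or three telltale signs.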

The F-35 Joint Strike Fighter. After Chinese hackers reportedly stole plans for the aircraft from a defense contractor, the NSA stepped up its efforts to detect nation-state hackers, sources told The Intercept. Photo: George Frey/Getty Images