Security Experts:

Connect with us

Hi, what are you looking for?



NSA Used Simple Tools to Detect Other State Actors on Hacked Devices

NSA uses simple tools to detect friendly parties and adversaries on hacked devices

NSA uses simple tools to detect friendly parties and adversaries on hacked devices

An analysis of leaked tools believed to have been developed by the U.S. National Security Agency (NSA) provides a glimpse into the methods used by the organization to detect the presence of other state-sponsored actors on hacked devices, and it could help the cybersecurity community discover previously unknown threats.

Over the past few years, a mysterious hacker group calling itself Shadow Brokers has been leaking tools allegedly created and used by the Equation Group, a threat actor widely believed to be linked to the NSA. The Shadow Brokers have been trying to sell Equation Group tools and exploits, but without much success. They say their main goal has been to make money, but many doubt their claims.

One of the sets of files leaked by the hackers last year, named “Lost in Translation,” includes a series of modules dubbed “Territorial Dispute.” Researchers at the Laboratory of Cryptography and System Security (CrySyS Lab) of the Budapest University of Technology and Economics in Hungary, who have been involved in the analysis of Duqu and other advanced persistent threats (APTs), have conducted an investigation and they determined that the Territorial Dispute tools are designed to detect the presence of other state-sponsored groups.

According to CrySyS, the tools are relatively simple; they search the targeted device for specific files, Windows registry entries, and other indicators of compromise (IoCs) associated with known APTs.

Other Equation Group tools leaked by the Shadow Brokers are designed to allow operators to check for the presence of more common malware, but the Territorial Dispute modules are more interesting as they focus on state-sponsored attacks. Researchers believe the goal of these tools is likely to avoid any conflict with friendly parties and also minimize the chances of the NSA’s own malware getting detected.

There are several aspects that make the Territorial Dispute tools interesting. One of them is the fact that while typically there are tens or hundreds of IoCs associated with state-sponsored threat groups, these tools only look for 1-5 indicators.

Experts speculate that the reason behind this decision is to provide operators as little information as possible and prevent them from knowing too much about an attack. This theory is reinforced by the fact that each of the 45 signatures used by the detection engine has a very generic name, specifically SIG1 through SIG45.

Researchers say that while this seems like a strange decision, they believe the NSA may have conducted an analysis and determined that there is a significant risk of misappropriation. Limiting the number of IoCs included in the tools could represent a way to lower the risk.

Experts also noticed that if certain files are identified, the operator of the Territorial Dispute tools is informed that the malware is friendly or receives instructions to pull back. The list of instructions and observations includes “seek help immediately,” “dangerous malware – seek help ASAP,” “friendly tool – seek help ASAP” and “unknown – please pull back.”

CrySyS has attempted to link the IoCs to known threat groups using public information available via Google and by comparing them to data from its own malware repository, which contains roughly 150 Tb of malicious binaries. This led to the discovery of thousands of malware samples.

The IoCs appear to target known APTs whose activities have been analyzed by the cybersecurity industry over the past decade, including APT28 (aka Sofacy and Fancy Bear), Turla (aka Snake and Uroburos), Animal Farm, Duqu, Stuxnet, Flame, TeamSpy, Elderwood Group (Operation Aurora), Iron Tiger, and Dark Hotel, which have been linked to Russia, France, the United States, Israel, South Korea, and China.

While many of the IoCs are associated with known groups, there are also some indicators that researchers have not been able to link to any threat actor. This suggests that the NSA may be aware of attacks and attackers that are not known to the public.

Boldizsár Bencsát, one of the experts involved in this research, told SecurityWeek that the threat corresponding to the SIG32 signature could be a previously unknown APT. Searching Google for one of the SIG32 indicators of compromise points to a Trend Micro threat encyclopedia entry for a piece of malware first detected in 2010. However, there is no indication that this malware has been known to be used by state-sponsored hackers.

“We think that careful analysis of the leaked material and cross-checking with public information and malware databases can reveal interesting, previously unknown information about the APT scene,” Bencsát said. “Also, we can possibly get a better understanding about the knowledge of governmental organizations on these attacks.”

CrySyS does not exclude the possibility that – since these tools have been publicly available for nearly a year – others used these indicators of compromise to uncover previously unknown APTs. Furthermore, while the IoCs are limited, they can turn out to be useful for obtaining more information on a threat group and making connections between attackers, their operations and their tools.

Bencsát will detail this research on Friday at Kaspersky Lab’s Security Analyst Summit (SAS) in Cancun, Mexico.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet