When the still-unidentified group calling itself the Shadow Brokers spilled a collection of NSA tools onto the internet in a series of leaks starting in 2016, they offered a rare glimpse into the internal operations of the world’s most advanced and stealthy hackers. But those leaks haven’t just let the outside world see into the NSA’s secret capabilities. They might also let us see the rest of the world’s hackers through the NSA’s eyes.
Over the last year, Hungarian security researcher Boldizsár Bencsáth has remained fixated by one of the less-examined tools revealed in that disemboweling of America’s elite hacking agency: A piece of NSA software, called “Territorial Dispute,” appears to have been designed to detect the malware of other nation-state hacker groups on a target computer that the NSA had penetrated. Bencsáth believes that specialized antivirus tool was intended not to remove other spies’ malware from the victim machine, but to warn the NSA’s hackers of an adversary’s presence, giving them a chance to pull back rather than potentially reveal their tricks to an enemy.
That means the Territorial Dispute tool might offer hints of how NSA sees the broader hacker landscape, argues Bencsáth, a professor at CrySys, the Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics. In a talk on the leaked software at Kaspersky’s Security Analyst Summit later this week—and in a paper he’s planning to post to the CrySys website on Friday and asking others to contribute to—he’s calling on the security research community to join him in investigating the software’s clues.
In doing so, Bencsáth hopes to determine which other countries’ hackers the NSA has been aware of, and when they became aware of them. Based on some matches he’s established between elements of Territorial Dispute’s checklist and known malware, he argues the leaked program potentially shows that the NSA had knowledge of some groups years before those hackers’ operations were revealed in public research. Since it also includes checks for some malware he hasn’t been able to match with public samples, Bencsáth believes the tool demonstrates the NSA’s knowledge of some foreign malware that still hasn’t been publicly revealed. He hopes that more researchers digging into the software might lead to a better understanding of the NSA’s view of its adversaries, and even potentially reveal some still-secret hacker operations today.
“The idea is to find out what the NSA knew, to find out the difference between the NSA viewpoint and the public viewpoint,” says Bencsáth, arguing that there may even be a chance of uncovering current hacking operations, so that antivirus or other security firms can learn to detect their infections. “Some of these attacks might even still be ongoing and alive.”
When the leaked version of Territorial Dispute runs on a target computer, it checks for signs of 45 different types of malware—neatly labelled SIG1 through SIG45—by searching for unique files or registry keys those programs leave on victim machines. By cross-referencing those so-called “indicators of compromise” with CrySys’s own database of millions of known malware samples, Bencsáth was able to identify 23 of the entries on Territorial Dispute’s malware list with some degree of confidence.
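As an added illustration (not code from the article, from the leaked tool, or from CrySys), here is a small Python sketch of the two mechanics the paragraph describes: matching a signature list of file and registry-key indicators against artifacts observed on a host, and cross-referencing those same indicators against a database of known samples to put a family name on each SIG entry. Every SIG number, path, registry key and family name in it is a constructed placeholder, and a real sweep would walk the filesystem and registry rather than take pre-collected sets.

```python
"""Toy IoC matcher illustrating the mechanics described in the article.

Constructed example: the SIG entries, paths, registry keys and the
'known sample database' below are placeholders invented for this
demonstration, not indicators from the leaked tool or from CrySys.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str                              # e.g. "SIG1"
    files: frozenset = frozenset()           # file paths the malware leaves on disk
    registry_keys: frozenset = frozenset()   # registry keys it leaves behind


# Constructed signature list (placeholder indicators, not real ones).
SIGNATURES = [
    Signature("SIG1", files=frozenset({r"C:\Windows\System32\placeholder_a.dll"})),
    Signature("SIG2", registry_keys=frozenset({r"HKLM\SOFTWARE\PlaceholderB\Run"})),
    Signature("SIG3", files=frozenset({r"C:\ProgramData\placeholder_c.dat"}),
              registry_keys=frozenset({r"HKCU\SOFTWARE\PlaceholderC"})),
]


def scan_host(signatures, present_files, present_keys):
    """Return {sig_id: [matched indicators]} for every signature with a hit.

    A signature fires on any single indicator, mirroring the 'few simple
    indicators per family' design the article describes. Windows paths and
    registry keys are case-insensitive, so comparison is done in lower case.
    """
    present_files = {p.lower() for p in present_files}
    present_keys = {k.lower() for k in present_keys}
    hits = {}
    for sig in signatures:
        matched = sorted(
            [f for f in sig.files if f.lower() in present_files]
            + [k for k in sig.registry_keys if k.lower() in present_keys]
        )
        if matched:
            hits[sig.sig_id] = matched
    return hits


# Constructed 'sample database': lower-cased indicator -> malware family name.
SAMPLE_DB = {
    r"C:\Windows\System32\placeholder_a.dll".lower(): "FamilyA (placeholder)",
    r"HKCU\SOFTWARE\PlaceholderC".lower(): "FamilyC (placeholder)",
}


def attribute_signatures(signatures, sample_db):
    """Cross-reference each signature's indicators against a sample database.

    Returns {sig_id: set of family names}. A signature whose indicators match
    nothing in the database comes back with an empty set, which is the
    'unidentified entry' case the article describes.
    """
    result = {}
    for sig in signatures:
        families = set()
        for indicator in list(sig.files) + list(sig.registry_keys):
            family = sample_db.get(indicator.lower())
            if family:
                families.add(family)
        result[sig.sig_id] = families
    return result


if __name__ == "__main__":
    # Constructed host state: one placeholder file and one placeholder key present.
    observed_files = {r"C:\Windows\System32\placeholder_a.dll"}
    observed_keys = {r"HKCU\Software\PlaceholderC"}
    print("hits:", scan_host(SIGNATURES, observed_files, observed_keys))
    print("attribution:", attribute_signatures(SIGNATURES, SAMPLE_DB))
```

The attribution step is where the article's "23 of 45 with some degree of confidence" comes from in practice: an entry is only as identifiable as the overlap between its handful of indicators and the samples a researcher already holds, so entries like the constructed SIG2 above stay unlabelled until someone contributes a matching sample.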
Bencsáth says SIG1, for instance, is the notorious Agent.btz worm that infected Pentagon networks in 2008, likely the work of Russian state hackers. SIG2 is malware used by another known Russian state hacker group, Turla. The last—and Bencsáth believes, most recent—entry on the list is a piece of malware discovered publicly in 2014, and also tied to that long-running Turla group.
Other specimens on the list range from the Chinese malware used to hack Google in 2010, to North Korean hacking tools. It even checks for the NSA’s own malicious code: The joint Israeli and NSA creation Stuxnet, used to destroy Iranian nuclear enrichment centrifuges around the same time, is labelled as SIG8. While the inclusion of the NSA’s own malware on the list may seem strange, Bencsáth speculates it may have been included as an artifact from a time before tools like Stuxnet were widely known to be a US operation, to prevent low-level operators from distinguishing US malware used in classified operations beyond their security clearance from the malware of foreign countries.
Bencsáth believes that the specimens in the list appear roughly in chronological order, seemingly based on when each was first known to be deployed. If that ordering holds, he says, it suggests that the NSA may in some cases have known about different hacker operations years before those hacking campaigns were revealed in public research. A collection of malware known as “Cheshire Cat” is listed before the Chinese malware used in the 2010 attack on Google, and researchers believe elements of the campaign date back as early as 2002. But that code was only revealed publicly in a talk at the Black Hat conference in 2015.
In another case, Territorial Dispute lists the malware known as Dark Hotel, believed to have been used by North Korean hackers to spy on targeted hotel guests, as SIG25. If the chronology theory holds, that would place it before Duqu, a piece of NSA malware discovered by Bencsáth’s own CrySys lab in 2011. That means the NSA may have kept knowledge of invasive North Korean malware under wraps for three years, even as it was used to target victims that included US executives and NGOs.
“If they knew so much more about the topic, I don’t know what they did to help,” Bencsáth says. “If they don’t tell the industry what to protect against, it’s a problem.” The NSA’s public affairs office didn’t respond to WIRED’s request for comment on Bencsáth’s research.
To be fair, the exact chronology of Territorial Dispute’s malware list is far from confirmed. Some entries on the list do seem to appear out of order. And even if the NSA did keep its knowledge of ongoing attacks secret, that would fit its usual modus operandi, says Matthew Suiche, the founder of security firm Comae Technologies, who has closely tracked the Shadow Brokers’ leaks. After all, the NSA keeps plenty of other secrets for the sake of preserving its capabilities, from zero-day vulnerabilities to the proof behind the US government’s attribution of hacker attacks to certain countries.
“It doesn’t surprise me they do the same thing with APTs,” says Suiche, using the industry jargon for “advanced persistent threats” to refer to state-sponsored hacking groups. “They don’t want the adversary to understand their actual capacity.” If analysis of Territorial Dispute does reveal the NSA’s secret knowledge of its adversaries, it could represent another blow to the NSA’s advantage of surprise over those adversaries—as with so many other of the Shadow Brokers’ leaks.
But Suiche also notes limitations in the information that can be gleaned from the Territorial Dispute code. It only includes a few simple indicators of compromise for each type of malware and just 45 types, a vastly simpler collection of data than the average antivirus software—a decision Suiche guesses may have been intended to make the tool more lightweight and less sensitive if it were discovered by an adversary. Like other Shadow Brokers leaks, it may also be a years-old piece of code. Bencsáth, for his part, says he’s not entirely sure of the freshness date on the NSA’s leaked software.
But even if it turns out to be years out of date, Territorial Dispute nonetheless contains evidence of some state-sponsored hacking operations that still haven’t been publicly identified, Suiche believes. “This definitely shows that the NSA is tracking APTs that still haven’t been discovered,” Suiche says, pointing to several of the entries on Territorial Dispute’s list for which he couldn’t find any public record.
By putting a call out for other researchers to crowdsource the problem of matching those Territorial Dispute entries with past malware samples, Bencsáth says he hopes it might just lead to the detection and blocking of state-sponsored hacking tools that the NSA has tracked for years—but that have remained secret for the rest of us.
“Maybe more public information would help us to defend against this type of stuff,” Bencsáth says. “It would be nice to uncover what’s in the file and tell antivirus vendors, please look at this.”