NSA tracking program watched foreign hackers in action

Circle of Spies – the NSA and other Nation States Routinely Spy on Each Other

It might surprise most people to learn that their government actively spies on other nation state operations – and even breaks into private networks – to track advanced threat activity. In the US, the government agency doing this is the NSA, as revealed last month at the Kaspersky Security Analyst Summit.

The NSA’s spying activity was detected by a research team at the Laboratory of Cryptography and System Security (CrySyS Lab) at the Budapest University of Technology and Economics in Hungary, who learned the NSA was tracking 45 malware attacks known as advanced persistent threats (APTs). The method for such surveillance is to gain access to networks to observe active APT activity. To address the risk of discovery, invaders have a backup plan in place to quickly evacuate to avoid being discovered themselves.

The Shadow Brokers Increased Global Cyberthreats and Espionage

Cyberthreats circling the globe in the last year have worsened considerably, thanks in large part to the Shadow Brokers stealing highly sophisticated hacking tools from the NSA and releasing them into the Internet in 2016 for anyone to use. Much attention has been given to these stolen hacking tools, but much less attention paid to the collection of scripts and scanning tools also created by – and stolen from - the NSA, which were also released into the wild for anyone’s use. Their purpose is to detect the presence and actions of (i.e., spy on) nation-state hackers when they infect other machines and networks.

When spying, the NSA and other nation states are seeking to learn information about advanced persistent threats (APTs) and the threat actors carrying them out in real time. Along with seeking to learn about these APTs, the NSA likely also observes any private data that is targeted for theft.

Why Cyber Spy?

The objective behind these actions is that it’s better to know what your rivals and enemies are doing in real time in hopes of preempting a bad action rather than being blindsided later after the fact. The irony is that the Shadow Broker’s very theft of the NSA’s tools is precisely the type of event you’d have wanted to discover and preempt before the fact. Keeping your own expert spying tools out of your enemy’s hands would be priority one. But now, having all these tools at large greatly compromises the overall threat landscape. At the same time, and as a result, the ‘need to know’ has never been greater. Hence, the activity of cyber spying continues.

The Undercover Territorial Dispute (TeDi)

The name of the NSA team that created these scanning tools is The Territorial Dispute, or TeDi. They’ve been around since 2007 when they were set up after hackers assumed to be from China stole military fighter jet plans from the military.

When the NSA spies on machines in China, Russia, Iran and other countries, it wants to know which other spies may be present on the same machines so they can discover their activity but also avoid their own presence being detected and becoming the subject of any counter spying activity. Should the NSA fear exposure, they can quickly abandon ship, so to speak, or continue their reconnaissance with caution. Instructions for exiting or proceeding can be followed, depending on which scenario they encounter, with commands such as “Unknown – please pull back” or “dangerous malware – seek help asap.”

The TeDi relies on digital signatures, which act like hacker fingerprints, to track down the threat actors. Identifying elements such as file names or malware code snippets are revealing, and as such, are known by security analysts as “indicators of compromise” (IoC). The NSA uses its own simple naming convention, such as Sig1, Sig2. A Hungarian research team has studied and tried to match IoCs to malware samples and threat groups. They’ve also studied the NSA’s list of names in an effort to see what NSA may have known and when, and if it was in advance of public knowledge (ie, discovered as the result of spying). One example is a case where it appears the NSA was tracking a South Korean hacking group referred to as Dark Hotel, where the NSA seems to have information about them three years before the security community was aware of the group.

As much as this may sound like the material of spy novels, this kind of activity is carried out by most nation states. In 2014, Kaspersky Lab discovered the presence of so many groups on a machine at a research facility in the Middle East that they named the discovery “Magnet of Threats.” Among the many present, the following named discoveries are believed to be from these respective nation states: “Flame,” an Israeli spy operation, “Regin,” a British spy kit, “Animal Farm” French intelligence, “Careto (Mask)” from a Spanish-speaking nation state, “Turla” representing a Russian-speaking nation state, and malware from NSA’s own Equation Group, incidently, the same group that created the hacking tools stolen by the Shadow Brokers. Sounds like an international hacker’s masquerade ball. When a new attack was found or a new threat group suspected, the TeDi team developed and named APT signatures in sequential order (Sig1, Sig2, etc.- see table of names below).

Spying activities can raise a lot of questions including ethical ones, such as the ones posed in the movie “The Imitation Game.” With every country carrying their own agenda, the lines can quickly become blurred without easy answers about what is good or bad, dangerous or safe, or right or wrong. A lot is done in the name of protecting one’s own interests.

Secrets and Spies

In addition to tracking foreign threat actors in the interest of its own operations, the NSA also wants to know what nations are being stolen from and how, as well as find other desirable targets around the globe. The age-old clichés ‘knowledge is power’ and ‘forewarned is forearmed,’ are apropos here.

Despite all the leaks, thefts and breaches of information, confidentiality is still paramount. And that means sometimes the NSA doesn’t even inform some of its own people of the full details. For example, the TeDi team intervened in 2010 when it was feared Stuxnet (Sig8) would spread out of control, attempting a clean up. But the operation was so classified and risk of exposure so dangerous that even people working on the mission were kept largely uninformed about what they were working on.

All these activities continue today, by our country and most we could name, 24x7. And thanks to the Shadow Brokers dumping of the world’s most sophisticated hacking exploits, scripts and scanning tools, the dangers, risks and threats have never been greater.

Summary table of SIG marked attacks and timeline

Read full NSA watched foreign hackers in action article