Interesting research published this month reveals how the National Security Agency (NSA) quickly pulls back from its target machines if it spots any other malware dropped by threat groups. An array of tools called Territorial Dispute was apparently leaked by the Shadow Brokers along with the infamous EternalBlue exploit; however, it didn't receive much attention due to its non-offensive nature.
Territorial Dispute is designed to scan a targeted computer for the malware of other nation-state-backed hackers. This custom antivirus tool wasn't intended to remove the programs it spotted, but to warn the US hackers of an adversary's presence and, when appropriate, to pull back from those computers. This was done not only to protect the NSA's own malware and tricks from another state, but also to keep them away from the exposure that could result from such an incident.
This tool carries a number of warnings instructing NSA operators what to do when they discover certain malware types or programs. From "DANGEROUS MALWARE - SEEK HELP ASAP" to "FRIENDLY TOOL - SEEK HELP ASAP," and "UNKNOWN - PLEASE PULL BACK" there are a number of warnings based on the type of malware.
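The page describes TeDi as a scanner that matches host artifacts against a table of known indicators and then emits a fixed advisory string per finding. The same pattern is the core of any defender's host-triage script. Below is an added example (not code from the page, the leaked toolset, or the researcher): every indicator, family label and host artifact in it is a constructed placeholder, and the advisory texts are the three quoted above.

```python
"""Toy host-artifact scanner modelled on the page's description of TeDi:
match observed artifacts against an indicator table and emit one operator
advisory per hit. All indicators and host data are constructed examples."""
import re
from dataclasses import dataclass

# Severity order for the three advisory strings quoted on the page.
ADVISORY_RANK = {
    "DANGEROUS MALWARE - SEEK HELP ASAP": 3,
    "FRIENDLY TOOL - SEEK HELP ASAP": 2,
    "UNKNOWN - PLEASE PULL BACK": 1,
}


@dataclass(frozen=True)
class Indicator:
    family: str    # placeholder label, not a real signature name
    kind: str      # "file" or "registry"
    pattern: str   # regex matched case-insensitively against the artifact
    advisory: str


# Constructed indicator table (hypothetical families and paths).
INDICATORS = [
    Indicator("SIG-EXAMPLE-01", "file",
              r"\\windows\\system32\\drivers\\exampl\d+\.sys$",
              "DANGEROUS MALWARE - SEEK HELP ASAP"),
    Indicator("SIG-EXAMPLE-02", "registry",
              r"^hklm\\software\\microsoft\\windows\\currentversion\\run\\exampleupdater$",
              "UNKNOWN - PLEASE PULL BACK"),
    Indicator("SIG-EXAMPLE-03", "file",
              r"\\programdata\\examplesvc\\svc\.dll$",
              "FRIENDLY TOOL - SEEK HELP ASAP"),
]


@dataclass(frozen=True)
class Hit:
    family: str
    artifact: str
    advisory: str


def scan(artifacts):
    """artifacts: iterable of (kind, value) pairs from a host inventory.
    Returns one Hit per (artifact, indicator) match."""
    hits = []
    for kind, value in artifacts:
        for ind in INDICATORS:
            if ind.kind == kind and re.search(ind.pattern, value, re.IGNORECASE):
                hits.append(Hit(ind.family, value, ind.advisory))
    return hits


def overall_advisory(hits):
    """Most severe advisory across all hits, or None if nothing matched."""
    if not hits:
        return None
    return max((h.advisory for h in hits), key=ADVISORY_RANK.__getitem__)


# Constructed host inventory: two benign entries and two that match above.
SAMPLE_HOST = [
    ("file", r"C:\Windows\System32\drivers\tcpip.sys"),
    ("file", r"C:\Windows\System32\drivers\exampl42.sys"),
    ("registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater"),
    ("file", r"C:\Users\Public\notes.txt"),
]

if __name__ == "__main__":
    found = scan(SAMPLE_HOST)
    for h in found:
        print(f"[{h.advisory}] {h.family}: {h.artifact}")
    print("overall:", overall_advisory(found))
```

The ranking step matters for an operator: a host with several findings should surface its single worst advisory first, which is what `overall_advisory` does.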
Also known as TeDi, this tool gives a glimpse into American cyber espionage campaigns and how the agency tries to limit exposure. While it doesn't mean that the US isn't involved in hacking attempts (as the country often seems to portray), this approach puts a focus on stealth that contrasts with Chinese, North Korean, or Russian hackers, who are often part of big ransomware and hacking campaigns and leave quite a few breadcrumbs behind to create a sense of fear among their adversaries.
Territorial Dispute reveals agency's extensive list of enemy hackers - TeDi was tasked to offer "situational awareness for NSA hackers"
Hungarian security researcher Boldizsár Bencsáth revealed that TeDi - which is a collection of exploits and tools - checks for signs of 45 different types of malware associated with Chinese, Russian, and North Korean hackers, among others. The list also includes some references that aren't yet publicly known, potentially indicating that the agency has a far better view of its adversaries' capabilities than the cybersecurity industry or the public.
Referring to "intelligence sources," the Intercept reported that the NSA created this group (by the same name, Territorial Dispute) to work on a range of tools to spot the presence of other APTs on their target machines.
This was done after hackers that the agency believed were from China stole sensitive data from US contractors in 2007. The TeDi team was expected to work on tools that could detect and counter nation-state attackers more quickly and follow what they were working on. They were also tasked with providing "situational awareness for NSA hackers" that could enable them to retreat from computers where another nation-state hacking group was discovered.
While this research sheds some light on how the NSA tries to keep most of its operations under wraps, it also raises the question of whether the agency put user security at risk, since it apparently knew about some devastating malware years before it came to public knowledge.
"If they knew so much more about the topic, I don’t know what they did to help," Bencsáth said. "If they don’t tell the industry what to protect against, it’s a problem."
- Complete details of APT groups and all the warnings are available here.