NSA Hides from Other APT Malware


The US National Security Agency (NSA) uses a hacking tool called “Territorial Dispute” that alerts its operators when a machine they have infected is also infected by another cyber-espionage group. Once alerted, NSA operators can withdraw from the compromised machine to keep their own hacking tools from being exposed to other state-sponsored attackers. Ironically, this came to light only after hacking tools believed to belong to the NSA were leaked in 2017.

EternalBlue Overshadowed Territorial Dispute

Although Territorial Dispute was part of the archive the Shadow Brokers published online in April 2017, its exact characteristics only became known when Hungarian researchers from the CrySyS Lab in Budapest presented their analysis at the Kaspersky Security Analyst Summit (SAS).

In the Shadow Brokers archive, Territorial Dispute was overshadowed by more obviously offensive tools such as the FuzzBunch exploitation framework and the EternalSynergy, EternalRomance and EternalBlue exploits; EternalBlue was the SMB exploit behind the WannaCry ransomware outbreak.

Territorial Dispute opens a window on how the NSA operates. It confirms that US espionage operations follow their own distinctive strategies, something that has long been common knowledge in the infosec community.

While Chinese and Russian APT operations are constantly in the news, the US is careful not to damage its extensive diplomatic relationships, so its operations are kept far more clandestine.

Territorial Dispute’s Espionage Scanner

Territorial Dispute is deployed quietly on a compromised remote system, where it scans the host much as antivirus software would: it looks for file names and registry keys known to be used by state espionage groups. The moment it finds a match, the operator is told whether the detected malware is “friendly” or “dangerous” and receives an immediate recommendation, such as to pull back from the machine or to seek support as soon as possible.

According to the Hungarian analysts, the scanner detects both kinds equally: “friendly” tools used by allies and “dangerous” tools used by adversaries.

NSA Recognizes 45 Espionage Groups

According to the researchers, Territorial Dispute’s internal signatures, each a set of file names and registry keys, are numbered SIG1 to SIG45, one for each of the 45 other cyber-espionage toolsets the NSA was tracking.

When the researchers matched these indicators (registry keys and file names) against data from previously analysed intrusions and public reports, they were able to show that Territorial Dispute identifies malware from known APT groups. Among those known to the public are Dark Hotel, Turla, Fancy Bear and Flame. Some lesser-known and smaller groups were also linked.
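The scanner described in the previous section and the SIG-numbered signature table described here boil down to a presence check for known indicators with a per-signature disposition and instruction attached. The following is an added illustration of that logic, not code from the leaked archive or from the CrySyS paper. Every path, registry key, SIG entry and message string in it is a constructed placeholder; none of them are the real SIG1 to SIG45 indicators, and the host snapshot is a made-up list standing in for a live file-system and registry walk. One detail worth noting: Windows paths and registry keys are case-insensitive, so the matcher normalises both sides before comparing.

```python
"""Toy re-implementation of a Territorial Dispute style IOC scanner.

Added example; not the NSA tool and not the CrySyS Lab analysis code.
All signature contents below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Signature:
    sig_id: str                      # "SIGn" numbering mirrors the tool; contents are made up
    disposition: str                 # "friendly" (ally) or "dangerous" (adversary)
    advice: str                      # what the operator is told on a hit
    files: Tuple[str, ...] = ()      # file paths whose presence indicates the implant
    reg_keys: Tuple[str, ...] = ()   # registry keys whose presence indicates the implant


# Constructed signature table. None of these paths or keys are real indicators.
SIGNATURES: List[Signature] = [
    Signature("SIG1", "dangerous", "SEEK HELP ASAP",
              files=(r"C:\Windows\System32\drivers\toydrv.sys",),
              reg_keys=(r"HKLM\SYSTEM\CurrentControlSet\Services\toydrv",)),
    Signature("SIG2", "friendly", "PULL BACK",
              files=(r"C:\ProgramData\toyagent\cache.bin",)),
    Signature("SIG3", "dangerous", "SEEK HELP ASAP",
              reg_keys=(r"HKCU\Software\toyupd\Run",)),
]


def _norm(path: str) -> str:
    """Canonicalise a path or key: Windows is case-insensitive, and both
    slash styles and a trailing separator should compare equal."""
    return path.replace("/", "\\").rstrip("\\").lower()


def build_index(signatures: Iterable[Signature]) -> Dict[Tuple[str, str], Signature]:
    """Map each (kind, normalised indicator) to its signature for one-pass matching."""
    index: Dict[Tuple[str, str], Signature] = {}
    for sig in signatures:
        for f in sig.files:
            index[("file", _norm(f))] = sig
        for k in sig.reg_keys:
            index[("reg", _norm(k))] = sig
    return index


@dataclass
class Finding:
    sig_id: str
    kind: str          # "file" or "reg"
    indicator: str     # the artefact as observed on the host
    disposition: str
    advice: str


def scan(files: Iterable[str], reg_keys: Iterable[str],
         signatures: Iterable[Signature] = SIGNATURES) -> List[Finding]:
    """Check every observed file and registry key against the signature index."""
    index = build_index(signatures)
    findings: List[Finding] = []
    for kind, items in (("file", files), ("reg", reg_keys)):
        for item in items:
            sig = index.get((kind, _norm(item)))
            if sig is not None:
                findings.append(Finding(sig.sig_id, kind, item, sig.disposition, sig.advice))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Collapse all hits into one operator instruction; any adversary hit wins.
    The wording is constructed, modelled on the messages the article describes."""
    if any(f.disposition == "dangerous" for f in findings):
        return "ABORT: SEEK HELP ASAP"
    if findings:
        return "PULL BACK: friendly tool present"
    return "CLEAR"


# Constructed host snapshot: mixed case and a trailing backslash on purpose,
# to show that normalisation still matches SIG1 twice.
SAMPLE_FILES = [r"c:\windows\system32\drivers\TOYDRV.SYS", r"C:\Windows\notepad.exe"]
SAMPLE_KEYS = [r"HKCU\Software\Microsoft\Windows",
               "HKLM\\SYSTEM\\CurrentControlSet\\Services\\toydrv\\"]

if __name__ == "__main__":
    hits = scan(SAMPLE_FILES, SAMPLE_KEYS)
    for h in hits:
        print(f"{h.sig_id} {h.kind}: {h.indicator} -> {h.disposition}, {h.advice}")
    print(verdict(hits))
```

Run as a script it reports two SIG1 hits on the constructed snapshot and the abort verdict. Real tooling of this kind would replace the in-memory lists with a file-system and registry walk, and a defender building the inverse (hunting for the scanner itself) would look for exactly this pattern: a process that enumerates a fixed list of paths and keys and then exits without touching anything else.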

The surprising finding, however, is that the researchers also found IOCs for which no public reporting exists. In other words, through Territorial Dispute the NSA was tracking hacking operations completely unknown to the wider cyber-security community. Tracking down the groups behind those tools is the next frontier for the industry.

For details on Territorial Dispute’s reach, see the research paper “Territorial Dispute – NSA’s perspective on APT landscape”.