It has become clear that the NSA developed a number of hacking tools to track hackers from other countries


Photo: Ilya Pavlov

The hacking tool that spawned the "WannaCry" malware, which spread all over the world, is said to have been stolen from the US National Security Agency (NSA) by a mysterious hacker group, the "Shadow Brokers". The Shadow Brokers had leaked the tools stolen from the NSA online before the WannaCry outbreak, and at the time many security researchers noticed that they were tools capable of zero-day attacks. However, some of the hacking tools the Shadow Brokers stole from the NSA were not aimed at zero-day attacks at all; they had instead been planted on the computers of other countries' hackers for surveillance.

Leaked Files Show How the NSA Tracks Other Countries' Hackers
https://theintercept.com/2018/03/06/leaked-files-show-how-nsa-tracks-other-countries-hackers/

From the leaked hacking tools and scripts it is clear that in 2013, when the tools were stolen by the Shadow Brokers, the NSA was tracking the movements of hackers in at least 45 countries. Some of these hackers' APT activities were widely known in the field, but activity that even researchers had not known about is said to have been observed as well.

The leaked hacking tools were made by an NSA team named Territorial Dispute (TeDi). According to sources, the team was founded in 2007, when hackers thought to be from China were believed to have stolen fighter designs and confidential information from US military agencies. TeDi's role is to detect and immediately counter attacks from other countries: it detects hacking in real time and warns NSA hackers that "other hackers are about to hack this target right now".

When NSA hackers break into computers in countries such as Iran, Russia and China, they want to know whether other hackers are present on the same machine. If several hackers are on a computer, the intruding side has to be more cautious, because the others could steal the NSA's tools, monitor its behaviour and, in some cases, expose the NSA's activity to the outside world. Hacking tools were therefore developed on the principle that "not being known to others" matters most, while at the same time letting you know "what your adversaries are stealing".

Photo: Hirohiroshiro

One of the tools TeDi used identifies the perpetrator of an APT attack from the indicators of compromise (IoCs) the attacker leaves behind. Some researchers gather large numbers of IoCs to identify hacker groups, but according to an anonymous NSA official, the NSA uses only about two to five IoCs to identify a culprit. "It is a big mistake to assume there are thousands of traces of a particular group; TeDi members concentrate on finding a few traces to identify the culprit of an APT attack," the official said.

Although the NSA has kept a database of IoCs, the groups are described in the leaked material only as "Sig 1", "Sig 2" and so on, so as of 2018 researchers are investigating to identify the hacker groups and malware that the NSA was tracking. This work makes it possible to bring to light threats that are not yet known and to devise countermeasures.

One of the hacker groups the NSA was tracking is called Dark Hotel. Dark Hotel became known for attacks on European hotels used by participants in the 2014 negotiations on Iran's nuclear programme: when important guests used the hotel wireless LAN, they were served something that looked like an Adobe Flash update and had a backdoor installed. However, the NSA is believed to have been tracking some of the tools the group used since 2011, three years before the security community noticed Dark Hotel's activities.

The NSA's tracking was not only for self-defence but also to monitor what foreign hackers were doing and what they were stealing. Hackers carrying out APT attacks sometimes use expensive systems, and in 2014 several groups are known to have used computers at Middle Eastern research institutions. The NSA's tracking also had the purpose of bringing the existence of these groups to light.

When an attack suspected to be the work of an APT group is found, the NSA records it in the database in the form "Sig ○○". The entries originally covered Chinese and Russian hacker groups, but over time the list is believed to have come to include Israeli and American groups as well. Among the database entries, "Sig 25" is Dark Hotel's malware "Tapaoux", "Sig 16" is "Flame", attributed to an Israeli APT group, and "Sig 8" looks for traces of the computers used to spread the "Stuxnet" infection.

Photo: Blake Connally

In some cases a hacking tool may belong to an intelligence agency with which the NSA has an agreement; in that case the NSA is thought to add a "Sig ○" entry to the list and identify the computer in order to avoid conflict. Stuxnet, which the NSA and an Israeli intelligence agency are believed to have developed together, was added to the list after it began spreading in 2010, so those involved say the entry was "for removal work". Since the existence of Stuxnet was confidential information known only to a few people in the government and the NSA, the investigation was carried out so that the information would not leak outside. The person carrying out the operation is ordered from above "to check whether a hacking tool or malware is present", but since he is not told what it is for, he said he does the work while its real purpose remains a mystery to him.

Posted in Security by darkhorse_log