CrySyS Lab has provided a great document on its analysis on NSA’s perspective on the APT landscape. The analysis is based on Shadow Brokers leak (“Lost in Translation” leak) and most specifically on the module called “Territorial Dispute“. The purpose of this module is to detect presence of competing state intelligence services. NSA wanted to secure its operations, avoid any conflict between “Five Eyes” group as well as get intelligence on the targets of the competing state intelligence services.

See below some interesting points related to the analysis done by CrySyS Lab:

– There are signatures of 45 different types of APT malware – labelled SIG1 through SIG45. The signature numbering appears to be in chronological order (not confirmed).

-First signatures are related to Russian attributed operations and actors. Agent.BTZ (SIG1) and Turla (SIG2) are indicative of its early focus on Russian attributed operations.

– Widespread dissemination of Eternal Blue exploit (used by WannaCry). The NSA’s tools in Shadow Brokers leak are dated back to 2013 while the exploit became public in 2017.

– Stuxnet signatures are included. Stuxnet started to spread uncontrollably and this could be some kind of cleanup efforts. Stuxnet was also highly classified within NSA and thus operators had specific instructions upon its detection.

– Analysis contains signatures that have not been publicly identified. NSA has been tracking campaigns and actors not currently known and discovered.

– According to the Intercept,  the NSA Territorial Dispute was tracking the Dark Hotel APT group at least since 2011. This APT group was first uncovered by Kaspersky Lab in 2014.

– CrySyS Lab’s analysis identified 5162 possibly related samples and FPs should be expected.

– In the signatures, one can find indicators for the below APT groups/operations: Agent.BTZ, Turla, ShipUp, Snake/Uroburos, GhoTex, Stuxnet, Flame, miniFlame, Spuler, SunFlower/Chesire Cat/ Flowershop, MoonFlower, AnimalFarm, Aurora/Hydraq, Turla (Epic Turla), Dark Hotel, Rotinom, Exforcel, Duqu, Stuxnet/Duqu, IronTiger_ASPXSpy, Teamspy, Sednit/Sofacy.

– Related pulses found in AlienVault (OSINT) based on the hashes of the Crysys analysis report: Cheshire cat, APT – Waterbug Group, Threats to Lithuania (2014), Epic Turla Crysys Labs (2014), The Waterbug attack group (2016), Stuxnet Dossier (2010), APT28 collection of samples including OSX XAgent, Turla / Pfinet / Snake/ Uroburos (2014), WannaCry Indicators, WannaCry Ransomware – May 2017, Wanacry IOCs, WannaCry linked Lazarus indicators, Startpage malware on Metadefender.com, Msil malware on Metadefender.com, IoCs from ThreatConnect

– CTI analysts with access to a powerful TIP (e.g. MISP) are advised to import the provided hash samples and conduct the relevant analysis. The synonyms table of the MISP threat-actor galaxy will definitely help.

References

Original article and report: https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/

Original list of hash samples : https://www.crysys.hu/files/tedi/sig_grouped_sample_list_2.txt

Hashes from the report in AlienVault (can lead to more related pulses): https://otx.alienvault.com/pulse/5aa25498cb896448aefe2f07

Related article: The Intercept: https://theintercept.com/2018/03/06/leaked-files-show-how-nsa-tracks-other-countries-hackers/

Related article: Wired: https://www.wired.com/story/nsa-leak-reveals-agency-list-enemy-hackers/