NSA malware source code

Hacking tools leaked last year and believed to belong to the US National Security Agency (NSA) contain an utility for detecting the presence of malware developed by other cyber-espionage groups.

This utility, going by the codename of "Territorial Dispute," is meant to alert NSA operators about the presence of other cyber-espionage hacking groups on a compromised computer and allows an NSA operator to retreat from an infected machine and avoid further exposure of NSA hacking tools and operations to other nation-state attackers.

Territorial Dispute overlooked because of EternalBlue

Despite being included in an archive that the Shadow Brokers leaked online last April, the nature of the Territorial Dispute utility has remained unknown until last week, when a group of Hungarian researchers described the tool in a report presented at the Kaspersky SAS security conference.

The main reason why the nature of the Territorial Dispute utility took so long to determine was because it was included in the same Shadow Brokers leak that also incorporated EternalBlue, the exploit used in the WannaCry ransomware outbreak, but also EternalRomance, EternalSynergy, FuzzBunch, and other top-shelf hacking tools.

Despite not being an offensive cyber-weapon, Territorial Dispute speaks volumes about the NSA's modus operandi. It's been well-known in infosec circles that US nation-state hackers don't operate as other cyber-espionage groups.

Because of its central position on the world political scene, the US has always put a focus on stealth in attempts to not sour diplomatic relations with hacked countries. This is the exact opposite compared to the constant noise coming out of Chinese and Russian activities.

Territorial Dispute looks for known IOCs

Under the hood, this utility works somewhat similar to an antivirus. The utility is triggered automatically every time a victim is infected with DanderSpritz, a post-exploitation framework leaked last year by the Shadow Brokers in the same data dump. Territorial Dispute runs automatically as part of a "survey" process part of DanderSpritz, Francisco Donoso, a security researcher who analyzed DanderSpritz last year, told Bleeping Computer.

Territorial Dispute will search files on the infected computer for file names and registry keys known to have been used by malware deployed by other nation-state hacking groups.

If there's a match, Territorial Dispute will send an alert to its operator. These alerts contain various types of recommendations —such as "please pull back," "seek help immediately," "seek help ASAP," "friendly tool," or "dangerous malware."

The Hungarian researchers who analyzed the malware believe NSA operators use the tool to detect both adversarial and friendly malware alike —such as hacking tools deployed by allied operations.

NSA aware of at least 45 other APTs

Territorial Dispute's internal list of file names and registry keys is also organized in 45 different categories, going from SIG1 to SIG45. Researchers believe each category is the internal name the NSA uses for other cyber-espionage groups.

The research team tried to link the indicators of compromise (file names and registry keys) from Territorial Dispute's internal list to publicly known IOCs from previous hacks and security reports.

They found that Territorial Dispute can detect malware deployed by cyber-espionage groups going by public codenames such as Turla, Fancy Bear, Duqu, Stuxnet, Flame, Dark Hotel, and other smaller groups.

They also detected IOCs that were not publicly known, meaning the NSA had most likely discovered nation-state hacking operations that had not been publicly analyzed until today. It's now up to the cyber-security industry to take this yet-unknown file hashes and track down what groups are using these never-before-seen tools.

For an exact list of what Territorial Dispute can detect from each cyber-espionage group, please refer to the research paper titled "Territorial Dispute – NSA’s perspective on APT landscape."

Article updated to correct the tool's mode of operation. A previous version of this article stated that the tool uses file hashes. It does not. It scans for file names and registry keys. Bleeping Computer regrets the error.

Related Articles:

New Cannon Trojan Is the Latest Asset of Sofacy APT Group