A group of Hungarian researchers found that the National Security Agency (NSA) was able to scan for and track nation-state threat groups when NSA workers were conducting operations inside other country's systems.
The research comes from the Laboratory of Cryptography and System Security, also known as CrySyS Lab, reported The Intercept. The tracking was accomplished using scripts that could spot other nation-state hackers that were inside the same machines as the NSA. The Intercept said CrySys found the NSA was able to track 45 foreign operations. This tracking ability were discovered among the trove of NSA documents spilled by The Shadow Brokers several years ago.
The Hungarians believe the scripts were originally developed to give an NSA team called Territorial Dispute insight into when the United States was being hacked, but the tools also had the ability to tell NSA agents when they and others were attempting to hack the same system. Knowing this enabled the NSA to quickly retreat before the other hackers could spot them or possibly steal the NSA hacking tools being used.
“The Territorial Dispute scripts use digital signatures to hunt APT actors. Such signatures act like fingerprints for hacking groups — they can include file names or snippets of code from known malware the advanced threat actors use repeatedly or particular changes the advanced hackers are known to make to a machine's core operating system settings,” The Intercept reported.