
Leaked Files Show How NSA Tracks Other Countries’ Hackers - etiam
https://theintercept.com/2018/03/06/leaked-files-show-how-nsa-tracks-other-countries-hackers/
======
badrabbit
> “It’s a big myth that there are thousands of [signatures] for any particular
> groups,” he notes. “These [TerritorialDispute] guys really focus on finding
> the two or three telltale signs that could lock you in [on an APT].”

I have a hard time accepting that. Sure, if it was a financially motivated
actor or common malware a few "high quality" indicators are all you need. But
APT actors know they are being tracked by their adversary using these same
indicators. It isn't difficult or costly for them to avoid reuse of
infrastructure and tooling. The few attributions I looked at in detail require
a more speculative and somewhat imprecise correlation by humans as opposed to
clear and static indicators.

Please correct my ignorance if I am wrong.

EDIT: Security companies do use "thousands" of signatures and indicators to
find events that might possibly be associated with an APT group. Why is the
NSA special? That's what I can't accept. As good as the NSA is, multi-billion
dollar security companies are not far behind (I would say some are even ahead
when it comes to defensive security)

~~~
spydum
APT groups have a set of tools, techniques, and processes (ttps) that they
use. They evolve over time, but are generally consistent per APT group. It's maybe
dozens of methods and signature moves that teams use to attribute the actor.
Malware packages and so on leak data, c2 servers might get reused (or the way
the c2 was obtained might inform something). From the attacker point of view,
you don't change your methods if they are working.

However due to this, you are right: it's incredibly messy and attribution is
mostly bullshit. If you notice, it mostly warns the operator to seek help, so
others can try to confirm.

~~~
irundebian
You could actually say that from the attacker's point of view, you should
change your methods permanently to avoid tracking / fingerprinting.

~~~
yjftsjthsd-h
Exactly; even individuals know that good opsec means changing your footprint;
why would full state actors not do so?

~~~
ryanlol
Because it would almost certainly diminish their offensive capabilities.

~~~
yjftsjthsd-h
I suppose considering the cost (time, money, effort) it would have to be used
somewhat carefully, but I would expect it to improve offensive capabilities to
be able to make attacks that don't look like you. But agreed that it would
have to be rationed out, in order to not lose ground in redoing things.

~~~
Kalium
Additionally, human beings are lazy. Getting people to stick to what look like
pointlessly complex processes is not a trivial matter.

------
jonathanstrange
When I read this (interesting) article, I was wondering whether there is any
free or commercial tool for detecting those _indicators of compromise_ on
GNU/Linux machines. I know rootkithunter, but that seems to be fairly weak
heuristically. Other tools like tripwire, on the other hand, are based on
snapshots and hashes and only monitor changes.

I'd be interested in a tool that can indicate suspicious kernel modifications,
USB drivers and other software that behaves in unusual ways without triggering
tons of false positives and independently of any certificates or whether the
software comes from a supposedly trusted repository. But AFAIK, there is not
even a key logger detection tool for Linux.
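
As an added example (not code from this thread, nor from rkhunter or Tripwire), the following Python sketch contrasts the two detection styles the comment describes: a Tripwire-style snapshot-and-hash diff, which reports any change but says nothing about whether it is malicious, and a hash-based indicator-of-compromise match, which only fires on files whose hash is already on a known-bad list. The directory tree, file contents, path names and the IoC hash are all constructed for the demo; nothing here is a real indicator.

```python
"""Constructed demo: baseline/hash integrity diff versus IoC hash matching."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root as {relative posix path: sha256}."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Tripwire-style change report: what appeared, vanished or changed hash."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def match_iocs(snapshot: dict, ioc_hashes: set) -> list:
    """Indicator matching: paths whose current hash is on a known-bad list."""
    return sorted(path for path, digest in snapshot.items() if digest in ioc_hashes)


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it after the snapshot, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)\n")
        (root / "lib" / "modules").mkdir(parents=True)
        (root / "lib" / "modules" / "ext4.ko").write_bytes(b"legit module (constructed)\n")
        before = build_baseline(root)

        # Simulated tampering after the baseline was taken (constructed, not real malware).
        (root / "bin" / "ls").write_bytes(b"replaced ls binary (constructed)\n")   # modified
        planted = b"planted kernel module (constructed)\n"
        (root / "lib" / "modules" / "extra.ko").write_bytes(planted)               # added

        after = build_baseline(root)
        # A constructed IoC list containing only the planted module's hash.
        iocs = {hashlib.sha256(planted).hexdigest()}
        changes = diff_baselines(before, after)
        hits = match_iocs(after, iocs)
        return {
            "changes": changes,
            "ioc_hits": hits,
            # Changed files that no hash IoC covers: the snapshot diff sees them, IoC matching does not.
            "missed_by_iocs": sorted(set(changes["modified"]) - set(hits)),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The two results in `demo()` show the trade-off the comment is circling: the snapshot diff flags the replaced `bin/ls` even though no indicator exists for it, while the IoC match only catches the planted module whose hash was already known. Both checks read the filesystem through the running kernel, so neither is stronger than the kernel they run on.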

~~~
irundebian
I don't think that it makes sense from a technical point of view to try to
observe something if an attacker has already compromised your kernel. As soon
as this happens, there is nothing you can do which is foolproof, as long as we
don't have kernels which separate privileges within the system. If you
want to observe something you have to depend on a trust anchor. In most of
today's systems you don't have a trust anchor when the kernel is compromised.

------
excalibur
> It turns out those scripts and tools are just as interesting as the
> exploits. They show that in 2013 — the year the NSA tools were believed to
> have been stolen by the Shadow Brokers — the agency was tracking at least 45
> different nation-state operations, known in the security community as
> Advanced Persistent Threats, or APTs. Some of these appear to be operations
> known by the broader security community — but some may be threat actors and
> operations currently unknown to researchers.

Plot twist: Around 20 of them turn out to be separate clandestine programs
operated by the US Government.

~~~
boomboomsubban
One of the APTs links to Stuxnet, so probably yes.

~~~
meowface
Stuxnet is considered to be a joint project between Israel and the US, so it's
quite possible the APT group was Israeli.

------
yAnonymous
“They started to become concerned about sitting on a box with our tools and
there being other actors there that could steal or figure out what we were
doing.”

Seeing as they had all their tools stolen, that must have worked out really
well.

------
2close4comfort
Interesting to see Zetter writing for the Intercept again after a sizeable
absence...

~~~
boomboomsubban
Can't find anything about it but as she published little elsewhere I would
guess another book.

------
_n_b_
This seems like something completely sensible and even predictable for the NSA
to do.

~~~
ryanlol
You say this like it’s not obvious. Just because what they’re doing is OK
doesn’t make it uninteresting. There are lots of posts on HN about completely
sensible things.

Why does the NSA need defending this badly anyway?

~~~
chockZ
I think people are conditioned to associate "leaks" with "scandals"
(especially when it comes to the three letter agencies), when in actuality
this "leak" is just a revelation of completely reasonable and expected
activities.

~~~
ryanlol
Isn't it inherently scandalous for intelligence agencies to misplace this sort
of information?

~~~
jtbayly
Yes it is. As somebody above said, the news here is that they can’t keep
_anything_ secret.

------
jorblumesea
This is exactly what the NSA was designed to do. Why is the NSA doing its job
news?

~~~
latexr
The news isn’t that they’re doing it, but that the documents detail _how_ they
do it. Disclaimer: I haven’t read the article yet, I’m basing this on the
title.

------
knodi
As they should...

