Thursday, March 08, 2018
When the NSA hacks machines in Iran, Russia, China, and elsewhere, its operators want to know if foreign spies are in the same machines because these hackers can steal NSA tools or spy on NSA activity in the machines. If the other hackers are noisy and reckless, they can also cause the NSA's own operations to get exposed. So based on who else is on a machine, the NSA might decide to withdraw or proceed with extra caution.
In fact, it's not uncommon to find multiple advanced persistent threat groups on high-value systems. In March 2014, Kaspersky Lab discovered multiple groups on a machine at a research institute in the Middle East that Kaspersky dubbed the "Magnet of Threats"; in addition to Regin, believed to be a British spy kit, they found the NSA's Equation Group malware, as well as modules belonging to Flame, believed to be an Israeli operation; Animal Farm, believed to belong to French intelligence; Careto (or Mask), believed to be a Spanish-speaking nation-state group; and Turla, a Russian-speaking group.
In the case of hacking tools belonging to the close U.S. allies in the "Five Eyes" group that includes the United Kingdom, Canada, Australia, and New Zealand, it's likely looking for these for deconfliction purposes, so that parties with mutual interests aren't running into each other on the same machines. But in the case of Stuxnet, one of the former intelligence officials said that signatures were added by the Territorial Dispute team in 2010 after Stuxnet had begun to spread uncontrollably -- spreading that led to its discovery and public exposure.
"There were cleanup efforts," the official said.
Admin's note: Participants in this discussion must follow the site's moderation policy. Profanity will be filtered. Abusive conduct is not allowed.