Three years and eight days ago, on April 14, 2017, a mysterious group of hackers known as the Shadow Brokers published a collection of hacking tools that ended up changing the internet forever.
Known as the “Lost in Translation” dump, this collection of files included tens of hacking tools and exploits stolen from the US National Security Agency (NSA), exploits that many believed the US was using to hack other countries.
Today, three years later, the best-known file included in the leak is, by far, ETERNALBLUE, the exploit that was at the heart of the WannaCry and NotPetya ransomware outbreaks.
The sigs.py mystery
However, while ETERNALBLUE is the most recognizable name in the Shadow Brokers leak, there is one file that has haunted and fascinated the cyber-security community above any other.
Named “sigs.py,” this file is what many consider a treasure trove of cyber-espionage operations and threat intelligence.
The file is believed to be a simple malware scanner that NSA operators would deploy on hacked computers and use to search for the presence of other APTs (advanced persistent threats, a term used to describe nation-state hacking groups).
It contained 44 signatures to detect files (hacking tools) deployed by other hacking groups, numbered from #1 to #45, with #42 missing.
The file immediately captivated security researchers. Many realized that they weren’t even close to detecting as many APTs as the NSA was listing in the sigs.py file.
To this day, three years later, 15 signatures from the sigs.py file still remain without attribution, showing how the NSA still has superior insight into foreign hacking operations compared to many cyber-security vendors today.
However, today, in a presentation at the OPCDE virtual cyber-security summit, a security researcher has uncovered a new APT — the one sitting behind signature #37.
More precisely, the researcher corrected a misattribution of signature #37 to Iron Tiger, a suspected Chinese-linked cyber-espionage group.
New Nazar APT believed to be operating out of Iran
Juan Andres Guerrero-Saade, a former security researcher at Kaspersky and Google, says that after identifying files linked to this signature, he believes signature #37 is actually for tracking a new hacking group altogether, which he believes might be based in Iran.
Guerrero-Saade said this cluster of activity is, so far, not connected to any publicly reported group, and dates back to 2008, although the group appears to have been more active between 2010 and 2013.
The researcher named this new group the Nazar APT, based on a string found inside the malware.
Guerrero-Saade says that he was able to identify (with the help of an anonymous source) victims that are still infected with malware matching signature #37. He says victims are exclusively located in Iran.
“Interestingly, and I say this because the malware is so old, and it targets such old versions of Windows, Windows XP and down, there’s still victims beaconing out of Iran for this,” Guerrero-Saade said today in a live stream.
“Whenever everyone talks about Iran as an attacker, we start to think of Western victims […], whenever we think of Iranian targeting we tend to think of Western APTs,” he added.
“In this particular case, if we were to take all the attributive indicators at face value, it sort of defies that general perception in so far as we’re looking at maybe an Iranian born cluster of activity targeting what looks like exclusively Iranian victims.”
Guerrero-Saade plans to publish a more in-depth report on the Nazar APT later this week on his personal blog.
Among cyber-security experts, the hunt for the other 15 APTs mentioned in the NSA sigs.py file continues.
Below is a recorded stream of today’s OPCDE virtual summit.
Article updated shortly after publication to include a link to Guerrero-Saade’s research, which went live sooner than announced.