Recently, the Shadow Brokers published documents that—if legitimate—show just how thoroughly US intelligence has compromised elements of the global banking system. The new leak includes evidence that the NSA hacked into EastNets, a Dubai-based firm that oversees payments in the global SWIFT transaction system for dozens of client banks and other firms, particularly in the Middle East.
SWIFT, short for the Society for Worldwide Interbank Financial Telecommunication, is the messaging network used by about 11,000 banks to transfer money from one country to another.
The leak includes detailed lists of hacked or potentially targeted computers, including those belonging to firms in Qatar, Dubai, Abu Dhabi, Syria, Yemen, and the Palestinian territories. Also included in the data dump, as in previous Shadow Brokers releases, are a load of fresh hacking tools, this time targeting a slew of Windows versions.
EastNets has denied that it was hacked, stating that "there is no credibility to the online claim of a compromise of EastNets customer information on its SWIFT service bureau." But the Shadow Brokers' leak seems to suggest otherwise:
For instance, the Shadow Brokers released one spreadsheet that lists computers by IP address, along with corresponding firms in the finance industry and beyond, including the Qatar First Investment Bank, Arab Petroleum Investments Corporation Bahrain, Dubai Gold and Commodities Exchange, Tadhamon International Islamic Bank, Noor Islamic Bank, Kuwait Petroleum Company, Qatar Telecom and others.
Those IP addresses don’t actually correspond to the client’s computers, says Dubai-based security researcher Matt Suiche, but rather to computers servicing those clients at EastNets, which is one of 120 “service bureaus” that form a portion of the SWIFT network and make transactions on behalf of customers. “This is the equivalent of hacking all the banks in the region without having to hack them individually,” says Suiche, founder of UAE-based incident response and forensics startup Comae Technologies. “You have access to all their transactions.”
While the Shadow Brokers' releases have already included NSA exploits, this leak is the first indication of targets of that sophisticated hacking in the global banking system. Unlike previous known hacks of the SWIFT financial network, nothing in the leaked documents suggests that the NSA used its access to EastNets' SWIFT systems to actually alter transactions or steal funds.
Instead, stealthily tracking the transactions within that network may have given the agency visibility into money flows in the region—including to potential terrorist, extremist, or insurgent groups.
SWIFT aside, the leak also contains NSA hacking tools or “exploits,” including what appear to be previously secret techniques for hacking PCs and servers running Windows. Matthew Hickey, the founder of the security firm Hacker House, analyzed the collection and believes there are more than 20 distinct exploits in the leak, about 15 of which are included in an automated hacking “framework” tool called FuzzBunch.
The attacks seem to target every recent version of Windows other than Windows 10. “There are exploits here that are quite likely zero days that will let you hack into any number of servers on the internet,” says Hickey. “This is as big as it gets. It’s internet God mode.”
However, Microsoft stated that the vulnerabilities exploited by the leaked tools had already been addressed by previous updates to its supported products. Several of the exploits do still work, but only on unsupported versions of Windows older than Windows 7; systems running Windows 7 or later with current patches applied are not affected.