New leak suggests NSA penetrated Mideast banking networks
Raphael Satter, AP, Apr 14 2017
PARIS — A new set of documents purportedly lifted from the NSA suggests that American spies have burrowed deep into the Middle East’s financial network, apparently compromising the Dubai office of the anti-money laundering and financial services firm EastNets. The company said Friday the documents were dated and denied that any customer data had been affected. TheShadowBrokers, which startled security experts last year by releasing some of the NSA’s hacking tools, has recently resumed pouring secrets into the public domain. In a first for TheShadowBrokers, the data include PowerPoint slides and purported target lists, suggesting the group has access to a broader range of information than previously known. Comae Technologies founder Matt Suiche, who has closely followed the group’s disclosures and initially helped confirm its connection to the NSA last year, said:
This is by far the most brutal dump.
In a blog post, he said it appeared that thousands of employee accounts and machines from EastNets’ offices had been compromised and that financial institutions in Kuwait, Bahrain and the Palestinian territories had been targeted for espionage. In a statement, EastNets said there was “no credibility” to the allegation that its customers’ details had been stolen. The company, which acts as a “service bureau” connecting customers to the financial world’s electronic backbone, SWIFT, said the ShadowBrokers documents referred to a “low-level internal server” that had since been retired and that a “complete check” of its systems had turned up no evidence of any compromise. The denial drew skepticism from those who’d reviewed the files. Kevin Beaumont, who was one of several experts who spent Friday combing through the documents and trying out the code, said:
Eastnets’ claim is impossible to believe.
He said he’d found password dumps, an Excel spreadsheet outlining the internal architecture of the company’s server and one file that was “just a massive log of hacking on their organization.” SWIFT, based in Belgium, released a less categorical statement, saying:
We understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties.
It said there was no evidence its own network had been compromised. Repeated messages seeking clarification from EastNets went unreturned. Beaumont said there was bad news in the release for Microsoft as well. He said the malicious code published Friday appeared to exploit previously undiscovered weaknesses in older versions of its Windows operating system, the mark of a sophisticated actor and a potential worry for many of Windows’ hundreds of millions of users. The opinion was seconded by Matthew Hickey of cyber-security company Hacker House. Hickey said in an email:
It’s an absolute disaster. I have been able to hack pretty much every Windows version here in my lab using this leak.
Microsoft said in a statement that it is reviewing the leak and “will take the necessary actions to protect our customers.” It declined to elaborate. The NSA, which did not respond to emails, has previously shown interest in targeting SWIFT, according to documents leaked by former intelligence contractor Edward Snowden, and Suiche said other documents in the release suggested an effort to monitor the world’s financial transactions that went beyond EastNets. He said:
I’ll bet it’s not the only SWIFT service bureau that’s been compromised.
Leak suggests NSA was interested in hacking Middle Eastern banks
Joe Uchill, The Hill, Apr 14 2017
NSA files leaked by a hacker or hackers known as the Shadow Brokers appear to show that the agency hacked a bank transactions network as a conduit to hack a slew of Middle Eastern banks. The ShadowBrokers released their latest and most substantial trove of documents early Friday morning. The group has been leaking apparently authentic NSA cyber-weaponry since August. The files include substantial documentation of a project to hack a Middle Eastern banking service providing access to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, which banks use to request transfers. Hacking that provider would give the NSA the ability to trace money flowing to and from around 30 banks using the service. But maps of network architecture found in the SWIFT documents and spreadsheets listing banks “that are of interest” and “servers that have been implanted” suggest that the end goal might have been hacking specific banks. Dan Tentler, founder of the Phobos Group, who is one of a handful of researchers currently reading through the Shadow Brokers documents, said:
Instead of hacking the front facing network where all the defenses are, the NSA could get them through the less secure SWIFT network.
The SWIFT service bureau, EastNets, appears to have made network design choices that reduced security and would make it easy to attack all of the banks attached to the network, said Tentler. All of the banks appear to have their own server connected to each other over the same block of internet addresses, with some ability to locate and communicate with other servers. Essentially, with access to one EastNets server, the NSA could discover and attack the other servers. Tentler said:
This is a dumpster fire.
The spreadsheet indicates that the NSA was interested in al-Hilal Islamic Bank, al-Quds Bank for Development and Investment, Arab Petroleum Investments Corporation-Bahrain, Arcapita Bank, the Dubai Gold and Commodities Exchange, Kuwait Petroleum Corp, Kuwait Fund for Arab Economic Development, Masraf al-Rayan, Noor Bank, Palestine Investment Bank, the Palestine Monetary Authority, Qatar First Investment Bank, Rasmala Investment Bank, Shamil Bank of Yemen and Bahrain, Tadhamon International Islamic Bank, United Bank and a few shared servers. Of those, the spreadsheet indicates the NSA successfully “implanted” Noor, Tadhamon, Arcapita, al-Quds and Kuwait Fund for Arab Economic Development, and was collecting data. The ShadowBrokers documents also contained a large quantity of previously unknown hacking techniques that could be used on Windows 8 and earlier versions of Windows that many worry will be co-opted by malicious hackers. In a statement about the Shadow Brokers leaks, Microsoft wrote:
We are reviewing the report and will take the necessary actions to protect our customers.
The ShadowBrokers tried for many months to sell the stolen NSA documents, periodically releasing sample documents. Those included lists of NSA staging servers and new vulnerabilities in security hardware from Cisco, Juniper Networks and other manufacturers. The Intercept matched a unique tracking code in one of the document dumps to a previously unreleased document from Edward Snowden’s NSA leaks, lending credibility to the Shadow Brokers’ wares. This current leak, the second in the past week, came with a note offering the government a chance to silence the Brokers before they released any more information by purchasing the leaks.
Correction: An earlier version of this story said researchers at Qualys had found one of the hacking techniques released in the ShadowBrokers leaks worked on Windows 10. Qualys has since announced it has been unable to reproduce its earlier finding. Updated at 11 pm.