{"id":90685,"date":"2017-04-24T12:00:34","date_gmt":"2017-04-24T11:00:34","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=90685"},"modified":"2017-04-15T18:09:23","modified_gmt":"2017-04-15T17:09:23","slug":"major-leak-suggests-nsa-was-deep-in-middle-east-banking-system","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2017\/04\/major-leak-suggests-nsa-was-deep-in-middle-east-banking-system\/","title":{"rendered":"Major Leak Suggests NSA Was Deep in Middle East Banking System"},"content":{"rendered":"<div id=\"attachment_90686\" style=\"width: 510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/Noor-Islamic-Bank-TA_RTR2ENAZ-nsa-shadow-brokers-spy-big-brother-surveillance.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-90686\" class=\"wp-image-90686\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/Noor-Islamic-Bank-TA_RTR2ENAZ-nsa-shadow-brokers-spy-big-brother-surveillance.jpg\" alt=\"\" width=\"500\" height=\"375\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/Noor-Islamic-Bank-TA_RTR2ENAZ-nsa-shadow-brokers-spy-big-brother-surveillance.jpg 582w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/Noor-Islamic-Bank-TA_RTR2ENAZ-nsa-shadow-brokers-spy-big-brother-surveillance-300x225.jpg 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/a><p id=\"caption-attachment-90686\" class=\"wp-caption-text\">A woman walks past a branch of Noor Islamic Bank along Khalid Bin Al-Waleed Road in Dubai. Reuters<\/p><\/div>\n<p><em>14 Apr 2017 &#8211; <\/em>For eight months, the hacker group known as Shadow Brokers has trickled out an intermittent drip of highly classified NSA data. Now, just when it seemed like that trove of secrets might be exhausted, the group has spilled a new batch. 
The latest dump appears to show that the NSA has penetrated deep into the finance infrastructure of the Middle East\u2014a revelation that could create new scandals for the world\u2019s most well-resourced spy agency.<\/p>\n<p>Friday [14 Apr] morning, the Shadow Brokers published documents that\u2014if legitimate\u2014show just how thoroughly US intelligence has compromised elements of the global banking system. The new leak includes evidence that the NSA hacked into EastNets, a Dubai-based firm that oversees payments in the global SWIFT transaction system for dozens of client banks and other firms, particularly in the Middle East. The leak includes detailed lists of hacked or potentially targeted computers, including those belonging to firms in Qatar, Dubai, Abu Dhabi, Syria, Yemen, and the Palestinian territories. Also included in the data dump, as in previous Shadow Brokers releases, are a load of fresh hacking tools, this time targeting a slew of Windows versions.<\/p>\n<p>\u201cOh you thought that was it?\u201d the hacker group wrote in a typically grammar-challenged statement accompanying their leak. There was speculation prior to this morning\u2019s release that the group had finally published its full set of stolen documents, after a seemingly failed attempt to auction them for bitcoins. \u201cToo bad nobody deciding to be paying theshadowbrokers for just to shutup and going away.\u201d<\/p>\n<p><strong>SWIFT Action<\/strong><\/p>\n<p>The transaction protocol SWIFT has been increasingly targeted by hackers seeking to redirect millions of dollars from banks around the world, with recent efforts in India, Ecuador, and Bangladesh. Security researchers have even pointed to <a target=\"_blank\" href=\"https:\/\/www.wsj.com\/articles\/north-korean-link-found-to-theft-at-new-york-fed-security-firm-says-1491242401\" >clues that an $81 million Bangladesh bank theft via SWIFT may have been the work of the North Korean government<\/a>. 
But the Shadow Brokers\u2019 latest leak offers new evidence that the NSA has also compromised SWIFT, albeit most likely for silent espionage rather than wholesale larceny.<\/p>\n<p>EastNets has denied that it was hacked, <a target=\"_blank\" href=\"https:\/\/twitter.com\/EastNets\/status\/852912656130244608\" >writing on its Twitter account<\/a> that there\u2019s \u201cno credibility to the online claim of a compromise of EastNets customer information on its SWIFT service bureau.\u201d But the Shadow Brokers\u2019 leak seems to suggest otherwise: One spreadsheet in the release, for instance, lists computers by IP address, along with corresponding firms in the finance industry and beyond, including the Qatar First Investment Bank, Arab Petroleum Investments Corporation Bahrain, Dubai Gold and Commodities Exchange, Tadhamon International Islamic Bank, Noor Islamic Bank, Kuwait Petroleum Company, Qatar Telecom and others. A \u201clegend\u201d at the top of the spreadsheet notes that the 16 highlighted IP addresses mean, \u201cbox has been implanted and we are collecting.\u201d That NSA jargon translates to a computer being successfully infected with its spyware.<sup>1<\/sup><\/p>\n<p>Those IP addresses don\u2019t actually correspond to the client\u2019s computers, says Dubai-based security researcher Matt Suiche, but rather to computers servicing those clients at EastNets, which is one of 120 \u201cservice bureaus\u201d that form a portion of the SWIFT network and make transactions on behalf of customers. \u201cThis is the equivalent of hacking all the banks in the region without having to hack them individually,\u201d says Suiche, founder of UAE-based incident response and forensics startup Comae Technologies. 
\u201cYou have access to all their transactions.\u201d<\/p>\n<p><strong>Blowback<\/strong><\/p>\n<p>While the Shadow Brokers\u2019 releases have already included NSA exploits, today\u2019s leak is the first indication of targets of that sophisticated hacking in the global banking system. Unlike previous known hacks of the SWIFT financial network, nothing in the leaked documents suggests that the NSA used its access to EastNets\u2019 SWIFT systems to actually alter transactions or steal funds. Instead, stealthily tracking the transactions within that network may have given the agency visibility into money flows in the region\u2014including to potential terrorist, extremist, or insurgent groups.<\/p>\n<p>If that sort of finance-focused espionage was in fact the NSA\u2019s goal, it would hardly deviate from the agency\u2019s core mission. But Suiche points out that confirmation of the operation would nonetheless lead to blowback for the NSA and the US government\u2014particularly given that many of the listed targets are in US-friendly countries like Dubai and Qatar. \u201cA big shitstorm is to come,\u201d says Suiche. \u201cYou can expect the leadership of key organizations like banks and governments are going to be quite irritated, and they\u2019re going to react.\u201d<\/p>\n<p>Beyond EastNets alone, Suiche points to references in the files to targeting the Panama-based firm Business Computer Group or BCG, although it\u2019s not clear if the firm was actually compromised. Beyond its Twitter statement, EastNets didn\u2019t respond to WIRED\u2019s request for comment. WIRED also reached out to BCG and the NSA, but didn\u2019t get a response.<\/p>\n<p><strong>Windows to the World<\/strong><\/p>\n<p>SWIFT aside, the leak also contains a cornucopia of NSA hacking tools or \u201cexploits,\u201d including what appear to be previously secret techniques for hacking PCs and servers running Windows. 
Matthew Hickey, the founder of the security firm Hacker House, analyzed the collection and believes there are more than 20 distinct exploits in the leak, about 15 of which are included in an automated hacking \u201cframework\u201d tool called FuzzBunch.<\/p>\n<p style=\"padding-left: 30px;\"><strong><em>&#8220;This is as big as it gets.&#8221; <\/em>&#8212; Matthew Hickey, Hacker House <\/strong><\/p>\n<p>The attacks seem to target every recent version of Windows other than Windows 10, and several allow a remote hacker to gain the full ability to run their own code on a target machine. \u201cThere are exploits here that are quite likely zero days that will let you hack into any number of servers on the internet,\u201d says Hickey. \u201cThis is as big as it gets. It\u2019s internet God mode.\u201d<\/p>\n<p>In a statement to WIRED, a Microsoft spokesperson wrote only, \u201cWe are reviewing the report and will take the necessary actions to protect our customers.\u201d If the released code does turn out to include zero days, though, that would potentially leave millions of Windows users exposed until the company can pull together patches and release them to users.<sup>1<\/sup><\/p>\n<p>The Shadow Brokers, meanwhile, hinted in their release that they\u2019re not done creating trouble for the NSA yet. \u201cMaybe if all suviving [sic] WWIII theshadowbrokers be seeing you next week,\u201d the group\u2019s message concludes. 
\u201cWho knows what we having next time?\u201d<\/p>\n<p><strong>Note:<\/strong><\/p>\n<p><sup>1<\/sup><em>Updated 4\/14\/2017 12:15 EST to include comments from EastNets and Microsoft.<\/em><\/p>\n<p>______________________________________________<\/p>\n<p><em>More Leaks:<\/em><\/p>\n<ul>\n<li><em><a target=\"_blank\" href=\"https:\/\/www.wired.com\/2016\/08\/shadow-brokers-mess-happens-nsa-hoards-zero-days\/\" ><strong>The Shadow Brokers Mess Is What Happens When the NSA Hoards Zero-Days<\/strong><\/a><\/em><\/li>\n<li><em><a target=\"_blank\" href=\"https:\/\/www.wired.com\/2017\/03\/wikileaks-cia-hacks-dump\/\" ><strong>WikiLeaks Just Dumped a Mega-Trove of CIA Hacking Secrets<\/strong><\/a><\/em><\/li>\n<li><em><a target=\"_blank\" href=\"https:\/\/www.wired.com\/2017\/03\/cia-can-hack-phone-pc-tv-says-wikileaks\/\" ><strong>How the CIA Can Hack Your Phone, PC, and TV (Says WikiLeaks)<\/strong><\/a><\/em><\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/greenberg_andy_468.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-90687 size-full\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2017\/04\/greenberg_andy_468-e1492275915927.jpg\" alt=\"\" width=\"100\" height=\"100\" \/><\/a> <em>Andy Greenberg is a senior writer for<\/em> WIRED, <em>covering security, privacy, information freedom, and hacker culture. <\/em><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/www.wired.com\/2017\/04\/major-leak-suggests-nsa-deep-middle-east-banking-system\/\" >Go to Original \u2013 wired.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Friday [14 Apr] morning, the Shadow Brokers published documents that\u2014if legitimate\u2014show just how thoroughly US intelligence has compromised elements of the global banking system. 
Also included in the data dump, as in previous Shadow Brokers releases, are a load of fresh hacking tools, this time targeting a slew of Windows versions. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-90685","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/90685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=90685"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/90685\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=90685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=90685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=90685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}