Friday morning, the Shadow Brokers published documents that—if legitimate—show just how thoroughly US intelligence has compromised elements of the global banking system. The new leak includes evidence that the NSA hacked into EastNets, a Dubai-based firm that oversees payments in the global SWIFT transaction system for dozens of client banks and other firms, particularly in the Middle East. The leak includes detailed lists of hacked or potentially targeted computers, including those belonging to firms in Qatar, Dubai, Abu Dhabi, Syria, Yemen, and the Palestinian territories. Also included in the data dump, as in previous Shadow Brokers releases, are a load of fresh hacking tools, this time targeting a slew of Windows versions.
“Oh you thought that was it?” the hacker group wrote in a typically grammar-challenged statement accompanying their leak. There was speculation prior to this morning’s release that the group had finally published its full set of stolen documents, after a seemingly failed attempt to auction them for bitcoins. “Too bad nobody deciding to be paying theshadowbrokers for just to shutup and going away.”
The transaction protocol SWIFT has been increasingly targeted by hackers seeking to redirect millions of dollars from banks around the world, with recent efforts in India, Ecuador, and Bangladesh. Security researchers have even pointed to clues that a $81 million Bangladesh bank theft via SWIFT may have been the work of the North Korean government. But the Shadow Brokers’ latest leak offers new evidence that the NSA has also compromised SWIFT, albeit most likely for silent espionage rather than wholesale larceny.
One spreadsheet in the release, for instance, lists computers by IP address, along with corresponding firms in the finance industry and beyond, including the Qatar First Investment Bank, Arab Petroleum Investments Corporation Bahrain, Dubai Gold and Commodities Exchange, Tadhamon International Islamic Bank, Noor Islamic Bank, Kuwait Petroleum Company, Qatar Telecom and others. A “legend” at the top of the spreadsheet notes that the 16 highlighted IP addresses mean, “box has been implanted and we are collecting.” That NSA jargon translates to a computer being successfully infected with its spyware.
Those IP addresses don’t actually correspond to the client’s computers, says Dubai-based security researcher Matt Suiche, but rather to computers servicing those clients at EastNets, which is one of 120 “service bureaus” that form a portion of the SWIFT network and make transactions on behalf of customers. “This is the equivalent of hacking all the banks in the region without having to hack them individually,” says Suiche, founder of UAE-based incident response and forensics startup Comae Technologies. “You have access to all their transactions.”
While the Shadow Brokers’ releases have already included NSA exploits, today’s leak is the first indication of targets of that sophisticated hacking in the global banking system. Unlike previous known hacks of the SWIFT financial network, nothing in the leaked documents suggests that the NSA used its access to EastNets or BCG’s SWIFT systems to actual alter transactions or steal funds. Instead, stealthily tracking the transactions within that network may have given the agency visibility into money flows within the region—including to potential terrorist, extremist, or insurgent groups.
If that sort of finance-focused espionage was in fact the NSA’s goal, it would hardly deviate from the agency’s core mission. But Suiche points out that confirmation of the operation would nonetheless lead to blowback for the NSA and the US government—particularly given that many of the listed targets are in US-friendly countries like Dubai and Qatar. “A big shitstorm is to come,” says Suiche. “You can expect the leadership of key organizations like banks and governments are going to be quite irritated, and they’re going to react.”