Threat Management, Threat Intelligence, Network Security, Patch/Configuration Management, Vulnerability Management

New Shadow Brokers dump suggests NSA spied on Middle Eastern banks

The Shadow Brokers hacking group responsible for leaking tools and exploits purportedly linked to the U.S. National Security Agency dumped more stolen secrets on Friday, including evidence that the spy agency was likely monitoring the activity of Middle Eastern banks.

According to news reports and analysis from security researchers, the latest cache of files linked to the "Equation Group" – an APT group widely suspected to be the NSA – strongly suggest that the U.S. has been monitoring these financial institutions by hacking into the SWIFT banking messaging system through a third-party anti-money laundering and fraud prevention service called EastNets.

Belgium-based SWIFT, the Society for Worldwide Interbank Financial Telecommunication, operates a messaging system through which members can order the transfer of funds. This service has been notably abused in a recent series of high-profile cyberattacks launched against member banks, including a 2016 $81 million heist targeting the central bank of Bangladesh – an attack experts have attributed to state-sponsored North Korean hackers.

In this case, however, the Equation Group or NSA appears to have infiltrated SWIFT not to steal funds, but rather to keep tabs on member banks and how they move their money. "The SWIFT targeting of Dubai... is totally legit espionage, btw. That's a hub for lots of dodgy money flows," security researcher The Grugq commented in a tweet following the Shadow Brokers disclosure.

Specifically, the dump references the top-secret hacking campaigns JeepFlea_Market and JeepFlea_Powder, whose collective objective was to secretly collect data from SWIFT services, as well as details on how to hack into SWIFT banks through exploiting VPN edge gateways and internal Cisco firewalls. The cache also includes an apparent list of compromised financial institutions that rely on EastNets, including: Arab Bank (Syria), the Dubai Gold & Commodities Exchange (UAE), Noor Bank (UAE), Tadhamon International Islamic Bank (Yemen), Al Quds Bank for Development and Investment (Palestin), the Kuwait Fund for Arab Economic Development (Kuwait), Qatar First Investment Bank (Qatar) and Arcapita Bank (offices worldwide, including the U.S. and Bahrain). The list also included various oil corporations, including the Kuwait Petroleum Corporation and Gulf Investment Corporation (also Kuwait).

For its part, EastNets released a statement denying that a hacker group compromised its systems. "The EastNets Network internal security unit has [run] a complete check of its servers and found no hacker compromise or any vulnerabilities. The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks,' read the statement, attributed to company founder and CEO Hazem Mulhim. "The photos shown on Twitter, claiming compromised information, is about pages that are outdated and obsolete, generated on a low-level internal server that is retired since 2013." 

Security researchers on Twitter, however, were skeptical of EastNets' claims.

"Members of press, please challenge EastNet statements rather than simply reprinting. They're demonstrably untrue," twitted researcher Kevin Beaumont, who published a rundown of the latest Equation Group dump in a post on Medium.

NSA whisteblower Edward Snowden retweeted Beaumont, asserting that EastNets' systems were "inarguably and very seriously hacked."

In his a Comae Technologies blog post, researcher Matt Suiche said that if Shadow Brokers' claims are verified, "it seems that the NSA sought to totally capture the backbone of international financial system to have a God's eye into a SWIFT Service Bureau – and potentially the entire SWIFT network. "If the U.S. had a specific target in the region's financial system, NSA penetration offers redundancy and other options than merely relying upon good faith compliance procedures, standard diplomatic requests, or collaborating with SWIFT Service Bureau."

Suiche added that the nature of the NSA's alleged SWIFT hack was reminiscent of the Stuxnet worm that targeted Iran's nuclear enrichment program, in that both sought to gain complete unfettered access to the target's entire infrastructure using multiple zero-days.

Indeed, a report from Motherboard cited Symantec researcher Liam O'Murchu, who said that he discovered coding elements of the Stuxnet worm in the tools used to hack EastNets. In the article, O'Murchu specifically referenced an exploit tool for Windows' MOF files, which appears to be "almost the exact same script" used in Stuxnet – another powerful clue that the NSA is the agency whose tools are uncovered in the Shadow Brokers leak.

The document dump included multiple Microsoft Windows exploits, many of which appeared at first to be zero-days. However, on Friday Microsoft reported in a Friday blog post that of the 12 product vulnerabilities affected by the leaked exploits, nine were automatically patched prior to the trump, while the other three involved products that are no longer supported.

The timing of the patches -- most were issued on March 14, one month before Shadow Brokers made the exploits public -- caught the attention of the infosec community, which wondered if someone purposefully disclosed the hacks to Microsoft in advance of the dump. "Looks like Microsoft had been informed by 'someone,' and purposely delayed last Patch Tuesday" in order to successfully deliver a key patch" for an exploit nicknamed Eternal Blue, opined Suiche, referring to the fact the company had skipped its usual monthly update in February 2017.

However, in an email cited by several media outlets, Microsoft said that other than reporters, "no individual or organization, including the NSA, contacted the company about the vulnerabilities." Of course, if this is true, and the NSA knew that its Microsoft exploits were stolen, then this would mean the agency opted not to give the company (and its customers by proxy) advance warning that a collection of stockpiled zero-days fell into the wrong hands.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.