Leak suggests NSA was interested in hacking Middle Eastern banks

National Security Agency (NSA) files leaked by a hacker or hackers known as the Shadow Brokers appear to show that the agency hacked a bank transaction network as a conduit to hack a slew of Middle Eastern banks.

The Shadow Brokers released their latest and most substantial trove of documents early Friday morning. The group has been leaking apparently authentic NSA cyber weaponry since August. 

The files include substantial documentation of a project to hack a Middle Eastern banking service providing access to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, which banks use to request transfers.

Hacking that provider would give the NSA the ability to trace money flowing to and from around 30 banks using the service. 

But maps of network architecture found in the SWIFT documents and spreadsheets listing banks "that are of interest" and "servers that have been implanted" suggest that the end goal might have been hacking specific banks.

"Instead of hacking the front-facing network where all the defenses are, the NSA could get them through the less secure SWIFT network," said Dan Tentler, founder of the Phobos Group, who is one of a handful of researchers currently reading through the Shadow Brokers documents.

The SWIFT service bureau, EastNet, appears to have made network design choices that reduced security and would make it easy to attack all of the banks attached to the network, said Tentler. Each bank appears to have its own server, and all of those servers are connected to one another over the same block of internet addresses, with some ability to locate and communicate with the other servers. Essentially, with access to one EastNet server, the NSA could discover and attack the rest.

"This is a dumpster fire," said Tentler.

The spreadsheet indicates that the NSA was interested in Al Hilal Islamic Bank, Al Quds Bank for Development and Investment, Arab Petroleum Investments Corporation-Bahrain, Arcapita Bank, the Dubai Gold and Commodities Exchange, Kuwait Petroleum Corp., Kuwait Fund for Arab Economic Development, Masraf Al Rayan, Noor Bank, Palestine Investment Bank, the Palestine Monetary Authority, Qatar First Investment Bank, Rasmala Investment Bank, Shamil Bank of Yemen and Bahrain, Tadhamon International Islamic Bank, United Bank and a few shared servers. 

Of those, the spreadsheet indicates the NSA successfully "implanted" Noor, Tadhamon, Arcapita, Al Quds and Kuwait Fund for Arab Economic Development, and was collecting data. 

The Shadow Brokers documents also contained a large quantity of previously unknown hacking techniques that could be used against Windows 8 and earlier versions of Windows, which many worry will be co-opted by malicious hackers.

In a statement about the Shadow Brokers leaks, Microsoft wrote, "We are reviewing the report and will take the necessary actions to protect our customers."

The Shadow Brokers tried for many months to sell the stolen NSA documents, periodically releasing sample documents. Those included lists of NSA staging servers and new vulnerabilities in security hardware from Cisco, Juniper Networks and other manufacturers. The Intercept matched a unique tracking code in one of the document dumps to a previously unreleased document from Edward Snowden's NSA leaks, lending credibility to the Shadow Brokers' wares.

This current leak, the second in the past week, came with a note offering the government a chance to silence the Brokers before they released any more information by purchasing the leaks.

Correction: An earlier version of this story said researchers at Qualys had found one of the hacking techniques released in the Shadow Brokers leaks worked on Windows 10. Qualys has since announced it has been unable to reproduce its earlier finding. Updated at 11 p.m.