I should have spent the Easter weekend decorating, but ended up reading up about the Shadow Brokers, SWIFT, EastNets and the NSA leak. In this post i thought i would explain what it all means for corporates that use SWIFT, and in particular for those that connect to SWIFT using a SWIFT Service Bureau.
Shadow Brokers, SWIFT & the NSA – What Happened?
Shadow Brokers leaked a series of hacks developed by the NSA (National Security Agency):
- On Friday 14th April reports emerged that a hacking group known as Shadow Brokers had published security weaknesses and hacking methods that had been developed by the NSA’s Equation Group
The NSA used these hacks to infect a SWIFT Service Bureau (3 are believed to have been targetted) and monitor 9 banks (using implants):
- Where it gets interesting is that “apparently” the NSA used these hacks in 2013 to tap into a Middle East based SWIFT Service Bureau, EastNets, in order to monitor money flows between the Middle East and Latin America based banks
- At least 2 SWIFT Service Bureaus were attacked hacked and banks were also infected with “implants” – data gathering software
Many of the hacks and vulnerabilities only impact old versions of Windows, or become a risk if you tinker with the Windows Firewall or start remote desktop connections
- The above is something all corporate IT teams do!
- If nothing else: Ensure you’ve implemented the latest version of Windows, installed the latest software patches and have up to date settings on firewalls and any other protective software!
Take a read of the SWIFT and EastNets response to the Shadow Brokers leak of the NSA information
Shadow Brokers, SWIFT & the NSA – Who’s Who:
There are a few different folks involved in this one – following is a quick run down of who is who:
The Shadow Brokers (TSB)
- Wikipedia describe the group as a hacker group that formed in Summer 2016, and Matt Suiche describes them as an individual at the head of an organisation that trades in information, selling to the highest bidder (although in this instance, there were no buyers for this information and it was published for free!)
SWIFT
- Is a global member owned cooperative (mainly banks, financial institutions) that provides the plumbing through which funds/payments/financial reporting information is sent between its 11000 members across over 200 countries
National Security Agency (NSA)
- The intelligence unit of the United States federal government responsible for global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes
EastNets
- A global provider of compliance, payment and cloud solutions – and of course a SWIFT Service Bureau
What Exactly do the Leaked Files Reveal?
Unless otherwise stated, the following information highlighted by Matt Suiche reveals the NSA operation:
- Evidence that a SWIFT Service Bureau was hacked
- Window tools and reusable remote exploits to hack Windows, including no-longer supported versions of Windows
- FUZZUNCH – this is described as a hacking toolkit with plug and play code that can attack several versions of the Windows operating system – Ref: Motherboard
- Logs, excel files and top secret powerpoint documents
- Detailed information of the EastNets SWIFT Service Bureau technical setup, employee and administrator account information
- Information that a bank was running an old Windows version, which made it vulnerable to FUZZBUNCH
What’s the Big Deal?
Edward Snowden described the hack as:
The Mother Of All Exploits escaped from an NSA laboratory and is wrecking the internet. https://t.co/K1RqJeYIW5
— Edward Snowden (@Snowden) April 14, 2017
1. This is a BIG Deal and Will Potentially Increase SWIFT Related Hacks:
Security vulnerabilities and hacks that can be protected against continue to be threat, and in the wrong or right hands can wreak havoc
- It is conceivable that the NSA hacks published by Shadow Brokers could be re-used / adapted/enhanced by hackers to monitor SWIFT activity, submit wire payments, cover up any fraudulent activity as happened in the Bangladesh Bank fiasco
2. Right Now, there ain’t much Collaboration
Like i said in my post the other day, when it comes to cyber-security everyone talks about collaboration but then forgets to!
- In this case, the allegation is that NSA did not immediately report the various vulnerabilities to Microsoft – although Microsoft have issued a statement indicating that recent versions of Windows are protected and a recent update has addressed the other highlighted risks
3. What are the NSA Motives and How Many Other SWIFT Service Bureaus Are they “Monitoring”?
The Terrorist Finance Tracking Program (TFTP) established in 2001, following the 11th September terrorist attacks allowed the US to monitor SWIFT transactions – but the Edward Snowden revelations in 2013 raised concerns within the EU about the data protection and as a result the EU suspended the TFTP
- It is believed that the NSA hacks leaked by Shadow Brokers were implemented some time in 2013, and raise legal and moral questions about the intentions of the NSA – Ref: Forbes
4. How Credible is SWIFT’s Service Bureau Certification?
SWIFT is obviously heightening the integrity and security of its members through the SWIFT Customer Security Program, but it does somewhat make you question how well SWIFT has been historically evaluating and accrediting its SWIFT Service Bureaus
5. Hackers Now Have a SWIFT Service Bureau Blueprint:
The leaked information provides hackers with extremely valuable information – an overview of a SWIFT Service Bureau architecture and detailed analysis of the different interfaces between a SWIFT Service Bureau and their banks
- Sure each Bureau will have a different setup, but I imagine their connection to the SWIFT network will be very similar
References:
- Comae Technologies: ShadowBrokers: The NSA compromised the SWIFT Network
- BBC: US government ‘monitored bank transfers’
- ARS Technica: NSA-leaking Shadow Brokers just dumped its most damaging release yet
- GitHubGist: Overview Leaked Shadow Broker files
- The Register: Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8
- Steemit: The Shadow Brokers