Published on April 15th, 2017
SHADOWBROKERS EXPOSE NSA ACCESS TO SWIFT SERVICE BUREAUS
The NSA used exploits to target two SWIFT Service Bureaus in order to access banking data from a number of financial institutions in the Middle East. The access was likely used to monitor funding for terrorist operations, experts said today, as analysis continues of the latest ShadowBrokers dump of Equation Group hacking tools.
The dump came early Friday and has kept researchers busy digging through an array of not only SWIFT-related hacks but also tools to compromise Windows systems, as well as a number of presentations and documentation for other tools.
Today’s release came six days after the clandestine group exposed a number of UNIX-based hacks and documentation aimed at exploiting enterprise and business-critical servers worldwide.
“In this case, if Shadow Brokers claims are indeed verified, it seems that the NSA sought to totally capture the backbone of international financial system to have a God’s eye into a SWIFT Service Bureau — and potentially the entire SWIFT network,” said researcher Matt Suiche in a blog post published today explaining his analysis of the data dump. “This would fit within standard procedure as a covert entity entrusted with covert actions that may or may not be legal in a technical sense.”
SWIFT, meanwhile, said its infrastructure was not compromised.
“There is no impact on SWIFT’s infrastructure or data; however, we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties,” a SWIFT representative told Threatpost.
SWIFT Service Bureaus are third-party service providers that manage and host connections to SWIFTNet for financial institutions that want to connect to the network but choose to outsource those operations. SWIFT said that service bureau services include sharing, hosting, or operating SWIFT connectivity components, and logging on to, or managing sessions or security for, SWIFT users.
The SWIFT-related archive was called JEEPFLEA and contains credentials and the architecture of EastNets, the Middle East’s largest SWIFT Service Bureau, Suiche said.
Suiche explained that these bank transactions are handled on an Oracle database running SWIFT software. The archive includes tools used by the NSA to extract data from the Oracle installation, including a list of database users and queries against stored SWIFT messages, Suiche said.
EastNets, which also provides anti-money-laundering and antifraud services, was an NSA target in the region, and documents in the archive show credentials, account information and admin account information. In a statement on its website, EastNets CEO and founder Hazem Mulhim said there is no credibility to the claims that its services were compromised.
“The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network are totally false and unfounded. The EastNets Network internal Security Unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities. The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks. The photos shown on Twitter, claiming compromised information, are of pages that are outdated and obsolete, generated on a low-level internal server that has been retired since 2013.
“While we cannot ascertain the information that has been published, we can confirm that no EastNets customer data has been compromised in any way. EastNets continues to guarantee the complete safety and security of its customers’ data with the highest levels of protection from its SWIFT-certified Service Bureau.”