A hacking group called The Shadow Brokers has once again come forward with an important leak, this time about the National Security Agency (NSA). The well-known hacking collective has leaked a number of elite NSA hacking tools to the internet. The powerful hacking tools were dumped on the web, along with evidence that appears to demonstrate that the NSA’s “Equation Group” hackers used them to penetrate banks.
The information that has been leaked by the notorious Shadow Brokers reveals that the NSA used the hacking software to access transactions coming to and from banks in both South America and the Middle East. The top secret hacking tools could be used to penetrate various Microsoft systems, according to the whistleblowers. The exploits are known as EternalBlue, EternalChampion, EternalSynergy, and EternalRomance.
The Shadow Brokers claim that the sudden release of these exploits is an act of retaliation for what they deem to be unacceptable and unnecessary force in Syria. A blog post from the Shadow Brokers on the popular website Medium starts as follows:
“Dear President Trump,
Respectfully, what the f*&k are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.”
It then goes on to specify that the US’s missile attack on a Syrian air base (in retaliation for the chemical attack the previous week) inspired the hacking collective to re-engage in what it considers to be political white hat hacking. The Shadow Brokers had previously gone quiet for several months, since Trump’s election.
In the blog post, the Shadow Brokers claim that they supported Trump on the campaign trail, but have quickly become disillusioned because he appears to be the “MIIC’s bitch.” The hackers admit that it is possible President Trump knows something that they don’t – and have asked him to come forward with a YouTube video that explains to his supporters what he knows and why he is behaving the way he is.
“Our Form of Protest”
For anti-Trump spokespeople (who believed that Trump would fare no better than Clinton), last week’s use of force appears to have been a direct vindication. CNN (usually Clinton-supporting) has done an about turn and started vocally supporting Trump for the first time.
On CNN’s New Day on Thursday, political analyst David Gregory said of Trump’s recent actions that, “If you look at Russia you see that he is actually doing some pretty sophisticated things here,” before adding that Putin was likely angry at Trump’s approval of a NATO expansion. This, alone, should raise eyebrows.
So far there has been a lack of transparent evidence from the Trump administration that clearly demonstrates Assad’s culpability for the chemical attack in north-western Syria.
According to Russian Foreign Minister, Sergei Lavrov, evidence is mounting that the attack may have been staged. That belief is somewhat supported by an MIT professor called Theodore Postol, who has written a six-page document that criticizes the US military’s official story of events.
For the Shadow Brokers, the US military’s show of force is just one of five points that the hackers feel are “good evidence” that Trump is betraying US voters.
Within the leaked documents are numerous PowerPoint and Excel files that (if proven to be real) demonstrate that the NSA penetrated EastNets. EastNets is a Dubai-based firm that facilitates transactions between banks using the international messaging and transfer service, Swift.
Swift is used by some 11,000 banks around the world to perform international transactions. In order to carry out those transactions, a Swift service bureau must be employed. EastNets is one of those bureaus, and is the biggest bank transfer service provider in the Middle East.
If the leaked documents are authenticated (and from the Shadow Brokers’ history it seems likely they will be) it means that the NSA is likely to have infiltrated computers at banks in Abu Dhabi, Dubai, the United Arab Emirates, Kuwait, Qatar, Syria, Yemen, and Palestinian territories.
Worrying for banks and Swift alike is that the Shadow Brokers also released what has been described as a “roadmap” of Swift’s back-end infrastructure. That data could, in theory, be put to use by future cybercriminals wanting to penetrate those banking systems. The NSA has been heavily criticized for not informing Microsoft about the known vulnerabilities.
Shadow Brokers’ Biggest Leak Yet
The damning data dump is the most substantial leak about the NSA since Edward Snowden released his NSA treasure-trove back in 2013. On Friday, Snowden came forward on Twitter to describe the hacking tools as the “Mother Of All Exploits.”
That, of course, is a reference to the Massive Ordnance Air Blast (MOAB) bomb that the Trump administration dropped on Afghanistan last Thursday.
Patched Up Fast
Despite widespread annoyance that the NSA decided to sit on its knowledge about the Microsoft zero-days, the reality is that none of the exploits that were released by the hackers target current Microsoft products. That is because – according to a blog published on Friday night – Microsoft already issued a fix last month.
That timing seems highly suspicious, and suggests that perhaps the NSA had foreknowledge of the imminent leak. Another possibility is that the Shadow Brokers went to Microsoft so that the vulnerabilities could be patched in advance of this dangerous release.
Microsoft’s blog identifies the fixes by the security bulletin number MS17-010 and the vulnerability identifiers CVE-2017-0146 and CVE-2017-0147. How Microsoft became aware of the vulnerabilities remains a mystery for the time being.
The good news is that the updates mean that, for the majority of people, the exploits aren’t a cause for concern. However, many larger firms test updates before applying them en masse to company machines. That means that some firms could still be behind on patching, and might remain vulnerable to the now freely available exploits.
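For administrators in exactly that situation, the practical question is whether a given Windows host has actually received the MS17-010 update. The following PowerShell script is an added example, not something from the article or from Microsoft: it reports whether any of the MS17-010 hotfix IDs are installed and whether the SMBv1 server (the component MS17-010 patches) is still enabled. It assumes the operator supplies the KB numbers from Microsoft’s MS17-010 bulletin for the host’s OS build via the hypothetical `-KbIds` parameter, since the article does not list them, and that it is run from an elevated prompt on Windows 8 / Server 2012 or later, where `Get-SmbServerConfiguration` exists.

```powershell
# Added example (not from the article): report MS17-010 patch status and SMBv1 state
# for the local host. Assumption: -KbIds carries the KB ids from Microsoft's MS17-010
# bulletin for this OS build; they are deliberately not hard-coded here.
param(
    [Parameter(Mandatory = $true)]
    [string[]] $KbIds
)

function Test-Ms17010Status {
    param([string[]] $KbIds)

    # Hotfix inventory: a single matching KB is enough, since each build has its own id.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($KbIds | Where-Object { $installed -contains $_ })

    # SMBv1 server state; $null means the cmdlet is unavailable on this OS.
    $smb1 = $null
    try {
        $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        Write-Warning "Get-SmbServerConfiguration unavailable; cannot read SMBv1 state."
    }

    # Triage: patched hosts are fine; unpatched hosts with SMBv1 off reduce exposure
    # but still need the update; unpatched hosts with SMBv1 on are the priority.
    if ($matched.Count -gt 0) {
        $assessment = 'patched'
    } elseif ($smb1 -eq $false) {
        $assessment = 'unpatched, SMBv1 server disabled'
    } else {
        $assessment = 'unpatched, SMBv1 server enabled or unknown'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Ms17010Present = ($matched.Count -gt 0)
        MatchedKb      = ($matched -join ',')
        Smb1Enabled    = $smb1
        Assessment     = $assessment
    }
}

Test-Ms17010Status -KbIds $KbIds | Format-List
```

Run it as `.\Check-Ms17010.ps1 -KbIds KB<id from bulletin>,KB<id from bulletin>` on each host in a staging ring; the `Assessment` field is meant to be collected centrally so that the machines still waiting on the firm’s update testing cycle are at least identified rather than silently exposed.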
Not the First Time Swift Has Been Targeted
Swift has come forward to say that it doesn’t believe any of its systems have been penetrated:
“We have no evidence to suggest that there has ever been any unauthorised access to our network or messaging services.”
Matt Suiche, the founder of the UAE-based cybersecurity company Comae Technologies, says that once a hacker penetrates a Swift service bureau, the attacker has access to all of the bureau’s computers and transaction records. According to Cris Thomas, a security researcher at Tenable, it is likely that the NSA would have been using these vulnerabilities to attempt to ascertain how money was getting to terrorist organizations. In reality, however, the NSA could have been targeting just about anybody.
EastNets, the service bureau in question, has denied that it has suffered a hack. According to the firm, it has run a detailed analysis of its systems and has not detected an intruder. For now, the truth remains to be seen. No doubt a more detailed analysis will be necessary to figure out if there are any lasting fingerprints that point to an intrusion into bank systems. However, as last year’s hack of a Bangladeshi central bank proved, Swift is vulnerable to hackers and the repercussions can be massive.
Opinions are the writer’s own.
Title image credit: MatiasDelCarmine/Shutterstock.com