The Shadow Brokers published a cache Friday of supposed NSA documents, 23 executable hacking tools targeting Windows and perhaps most notably, evidence showing the secretive agency compromised offices connected to a global banking transaction system in order to spy on Middle Eastern banks.
The cache holds authentic NSA documents and contains legitimate information, according to former intelligence officials who spoke on condition of anonymity.
“TheShadowBrokers showing you cards theshadowbrokers wanting you to be seeing. Sometime peoples not being target audience. Follow the links for new dumps. Windows. Swift. Oddjob. Oh you thought that was it? Some of you peoples is needing reading comprehension,” a message written by the group reads.
After publishing and promoting leaked documents for several months, Friday’s release by the mysterious group is the first to contain NSA Powerpoint presentation slides — prior to today, only files released by NSA whistleblower Edward Snowden offered such material. One set of presentation slides discusses the classified”JEEPFLEA” program, which details the aforementioned surveillance effort on Middle Eastern banks.
Documents previously leaked by former Booz Allen Hamilton contractor Edward Snowden showed that JEEPFLEA was an NSA program led by the agency’s elite hacking team, Tailored Access Operations, or TAO.
Security researchers analyzing the data dump Friday morning said they believe this latest publication offers the most significant information of any previous Shadow Brokers’ revelation. Documents in the package date back to between 2008 and 2013. The Windows implants were not listed in the malware library website VirusTotal as of Friday morning, suggesting they’ve never been seen before in the wild.
Yet Microsoft released a blog post late Friday night saying they had released a number of patches over the last few years that rendered most of the leaked tools meaningless.
— Chris Bing (@Bing_Chris) April 14, 2017
A Microsoft spokesperson said the company had not been contacted by any “individual or organization” prior to Friday’s release regarding the software vulnerabilities that were exploited by the leaked hacking tools. It remains unclear when and how the tech giant first became aware of the flawed code.
“It shows that they have a lot more than what we originally thought,” said security researcher Matt Suiche, “the Shadow Brokers previously claimed this all came from a compromised NSA attack/staging server … you wouldn’t host presentation slides on an attack server, that doesn’t make any sense.”
CyberScoop previously reported that past Shadow Brokers publications suggested other documents had originally come from someone with access to internal NSA databases. The FBI remains involved in an active investigation concerning the leaks.
While the new documents do not specifically explain how the NSA was able to hack into EastNets, one of the largest SWIFT Service Bureaus for the Middle East, the evidence of a sweeping compromise is staggering as the cache includes credential information for thousands of employee and administrator accounts at offices across the Middle East.
It also appears as if the NSA targeted one of EastNet’s partners, Business Computer Group, that services Panama and Venezuela. Presentation slides suggested a compromise was planned but information relevant to an actual breach at BCG is not evident at least in this cache of files.
In theory, the U.S. intelligence community may have been interested in hacking into the EastNet and BCG in an effort to track financial connections to terrorist activity or the narcotics trade, based on the files’ timestamps evident.
Banks typically rely on service bureaus like EastNets for the internet infrastructure they provide to interact with SWIFT, an international computer network that acts as a ledger and enables financial institutions to send and receive information about financial transactions. The service bureaus themselves actively host and manage incoming banking data with Oracle Databases and suite of proprietary software tools.
Despite researchers sounding the alarm over the hacks, EastNets called the information “totally false and unfounded,” claiming that the dumped information is outdated.
“The EastNets Network internal Security Unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities,” the statement reads. “The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks. The photos shown on twitter, claiming compromised information, is about pages that are outdated and obsolete, generated on a low-level internal server that is retired since 2013.”
Researchers pushed back on Twitter after the statement was published.
"The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks" pic.twitter.com/1nw6xF2ulc
— Kevin Beaumont (@GossiTheDog) April 14, 2017
"The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks" pic.twitter.com/Bmpc1jufML
— Kevin Beaumont (@GossiTheDog) April 14, 2017
Later Friday, SWIFT released a statement: “SWIFT is aware of allegations surrounding the unauthorised access to data at two service bureau. There is no impact on SWIFT’s infrastructure or data, however we understand that communications between these service bureaux and their customers may previously have been accessed by unauthorised third parties.”
In addition to evidence of the EastNets hack, the Shadow Brokers shared a set of reusable tools that could be used to directly extract information from the aforementioned Oracle-developed databases, which are employed by multiple offices.
The apparent leak is especially concerning because it effectively provides a playbook for what hackers need to know to attack SWIFT, according to Suiche, including information concerning the relationships that exists between different “Front-End/Middleware/Backend interfaces.”
“This is the first time to date that so much information had been published on how a SWIFT Service Bureau actually works and its internal infrastructure,” Suiche wrote in a blogpost, “all of that are very valuable information (such as infrastructure map, scripts, tools etc.) for an attacker.”
An NSA spokesperson did not respond to a request for comment.
Patrick Howell O’Neill contributed to this report.