Documents Show NSA Hacked SWIFT Service Provider

The US’ National Security Agency (NSA) used unpatched firewall and Windows flaws to access the systems of service providers linked to the SWIFT international money-transfer network, according to files and documents published on Friday.

The material disclosed by hacking group Shadow Brokers, and allegedly obtained via a breach of the NSA’s systems, also included information on a number of Windows vulnerabilities, but Microsoft said most of those bugs were patched last month.

SWIFT targeted

Friday’s disclosure is likely to add to concerns about the security of the SWIFT network, following on from a major theft of funds from Bangladesh’s central bank in February of last year that involved fraudulent SWIFT transfers.

The release is the latest in a series by Shadow Brokers, and marks the first time the group has published something other than hacking tools.

According to a presentation file included in the release, the NSA breached a Dubai-based SWIFT service provider called EastNets and gathered information from it, security researchers said.

The NSA captured information including administrator passwords from EastNets’ databases in a 2013 mission called Jeepflea_Market, according to a presentation file and spreadsheet documents included in the release.

A second presentation document detailing a mission called Jeepflea_Powder describes efforts to access the systems of SWIFT service provider Business Computer Group (BCG), a business partner of EastNets based in Latin America, but says that as of 2013 the group hadn’t yet been breached.

Monitoring funds transfers

The NSA also aimed to penetrate the systems of individual banks, including Al Quds Bank for Development and Investment, based in Ramallah, Palestine, which according to the released documents used EastNets’ SWIFT transfer services.

In 2013 Al Quds Bank was using servers running Windows 2008 R2, which was vulnerable to exploits used by the NSA, the documents say.

The documents appear to indicate NSA efforts to directly monitor SWIFT providers’ activities in order to detect funds transfers by militant or criminal groups, according to security researcher Matt Suiche.

“It seems that the NSA sought to totally capture the backbone of the international financial system to have a god’s-eye into a SWIFT service bureau  – and potentially the entire SWIFT network,” he wrote in a blog post.

Belgium-based SWIFT said there was no evidence the main SWIFT network had been accessed without authorisation, but said it was possible the local messaging systems of some SWIFT client organisations may have been breached.

EastNets in a statement denied it had been hacked.

Windows exploits

The release also included a number of exploits targeting Windows, but Microsoft said in a statement late on Friday night that none of the issues involved affect fully patched versions of currently supported systems.

Microsoft said four of the 12 vulnerabilities had been patched in a regular monthly update in March, with another five patched in earlier updates.

The remaining three don’t affect supported systems, meaning Microsoft is unlikely to release fixes for them.

“Of the three remaining exploits… none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk,” Microsoft security group manager Phillip Misner said in a blog post. “Customers still running prior versions of these products are encouraged to upgrade to a supported offering.”

Security researchers noted that the March update including the fixes came a month after Microsoft took the unprecedented step of cancelling its February round of patches, suggesting the company knew the bugs were about to be disclosed and changed its patch schedule in order to respond.

Unusually, no sources are credited in the three patches that fix the NSA flaws, MS17-010, CVE-2017-0146, and CVE-2017-0147, and Microsoft declined to say who had supplied the information leading it to fix the issues, saying only that “no individual or organisation” had contacted it in relation to the flaws.

Do you know all about security in 2017? Try our quiz!