Hacker documents show NSA tools for breaching global money transfer system
[April 17, 2017]
By Clare Baldwin and Joseph Menn
HONG KONG/SAN FRANCISCO (Reuters) - Documents and computer files released by
hackers provide a blueprint for how the U.S. National Security Agency
likely used weaknesses in commercially available software to gain access
to the global system for transferring money between banks, a review of
the data showed.
On Friday, a group calling itself the Shadow Brokers released documents
and files indicating NSA had accessed the SWIFT money-transfer system
through service providers in the Middle East and Latin America. That
release was the latest in a series of disclosures by the group in recent
months.
Matt Suiche, founder of cybersecurity firm Comae Technologies, wrote in
a blog post that screen shots indicated some SWIFT affiliates were using
Windows servers that were vulnerable at the time, in 2013, to the
Microsoft exploits published by the Shadow Brokers. He said he concluded
that the NSA took advantage and got in that way.
"As soon as they bypass the firewalls, they target the machines using
Microsoft exploits," Suiche told Reuters. Exploits are small programs
for taking advantage of security flaws. Hackers use them to insert back
doors for continued access, eavesdropping or to insert other tools.
"We now have all of the tools the NSA used to compromise SWIFT (via)
Cisco firewalls, Windows," Suiche said.
Reuters was not able to independently verify the authenticity of the
documents released by the hackers. Microsoft acknowledged the
vulnerabilities and said they had been patched. Cisco Systems Inc has
previously acknowledged that its firewalls had been vulnerable.
Cisco and the NSA did not reply to requests for comment. Belgium-based
SWIFT on Friday downplayed the risk of attacks employing the code
released by hackers and said it had no evidence that the main SWIFT
network had ever been accessed without authorization.
It was possible that the local messaging systems of some SWIFT client
banks had been breached, SWIFT said in a statement, which did not
specifically mention the NSA.
Because tracking sources of terrorist financing and money flows among
criminal groups is a high priority, SWIFT transfers would be a natural
espionage target for many national intelligence agencies.
BREACH OF FIREWALLS
A PowerPoint presentation that was part of the most recent Shadow
Brokers release indicates the NSA used a tool codenamed BARGLEE to
breach the SWIFT service providers' security firewalls.
The NSA's official seal appeared on one of the slides in the
presentation, although Reuters could not independently determine the
authenticity of the slides.
The National Security Agency (NSA) data center is seen after
construction was completed in Bluffdale, Utah, U.S., March 24, 2017.
REUTERS/George Frey
The slide referred to ASA firewalls. Cisco is the only company that
makes ASA firewalls, according to a Cisco employee who spoke on
condition of anonymity. ASA stands for Adaptive Security Appliance and
is a combined firewall, antivirus, intrusion prevention and virtual
private network, or VPN.
Documents included in the Shadow Brokers release suggest that the NSA,
after penetrating the firewall of the SWIFT service providers, used
Microsoft exploits to target the computers interacting with the SWIFT
network, Comae Technologies' Suiche said.
The Al Quds Bank for Development and Investment, for example, was
running a Windows 2008 server that at the time was vulnerable to newly
disclosed Windows exploits, he said.
Microsoft late on Friday said it had determined that prior patches to
dozens of software versions had fixed the flaws that apparently were
exploited by nine of the NSA programs. Four of the vulnerabilities were
blocked by comprehensive updates on March 14. That left only older,
unsupported versions of Windows operating systems and Exchange email
servers at risk to three of the newly released exploits, the company
said.
Earlier Friday, Microsoft had said the company had not been warned by
the government or other outsiders about the stolen programs.
Microsoft declined to say how it learned of the exploits without outside
help. The company's security systems are capable of detecting attacks
against customers, and Microsoft in the past has monitored discussion
about exploits on the Internet and also hired former intelligence agency
veterans to help it devise programming to protect its software from
encroachment.
The NSA targeted nine computer servers at a SWIFT contractor,
Dubai-based service bureau EastNets, according to the documents. The
U.S. intelligence agency then used lines of code to query the SWIFT
servers and Oracle databases handling the SWIFT transactions, according
to the documents.
EastNets on Friday denied it had been hacked.
(Reporting by Clare Baldwin and Joseph Menn; Additional reporting by
Dustin Volz; Editing by David Greising and Cynthia Osterman)
© 2017 Thomson Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.