Hackers have released computer files and documents that provide a blueprint for how the U.S. National Security Agency exploited vulnerabilities in commercially available software to gain access to the global system for transferring money between banks.
The Shadow Brokers released documents and files indicating that the NSA had accessed the SWIFT money-transfer system through service providers in the Middle East and Latin America.
The documents were the latest in a series of disclosures that the hacker group has released in recent months.
Matt Suiche, founder of cybersecurity firm Comae Technologies, said in a blog post that screenshots indicated some SWIFT affiliates were using Windows servers that were vulnerable at the time, in 2013. Suiche concluded that the NSA took advantage of the vulnerabilities.
Suiche added that the NSA bypassed the firewalls and then targeted the machines using Microsoft exploits. Exploits are programs that take advantage of security flaws in computer systems. Hackers rely on exploits to insert back doors for continued access, to eavesdrop or to insert other tools.
Suiche pointed out that the Shadow Brokers had released the tools the NSA used to compromise SWIFT via Cisco firewalls and Windows. Microsoft acknowledged the vulnerabilities and said they had been patched. Cisco Systems Inc has previously acknowledged that its firewalls had been vulnerable.
SWIFT released a statement saying that there was a possibility that the local messaging systems of some SWIFT client banks had been breached.
Many national intelligence agencies target SWIFT transfers because tracking sources of terrorist financing and money flows among criminal groups is a high priority, which makes such transfers a natural target for espionage.
The Shadow Brokers release also indicates that the NSA used a tool codenamed BARGLEE to breach the SWIFT service providers' security firewalls. The release included a PowerPoint presentation bearing the NSA's official seal.
The slide referred to ASA firewalls, which are made by Cisco. ASA stands for Adaptive Security Appliance, a combined firewall, antivirus, intrusion prevention and virtual private network (VPN) appliance.
The Shadow Brokers documents indicated that the NSA used Microsoft exploits to target the computers interacting with the SWIFT network after penetrating the firewall of the SWIFT service providers.
Suiche from Comae Technologies indicated that the Al Quds Bank for Development and Investment, for example, was running a Windows 2008 server that at the time was vulnerable to newly disclosed Windows exploits.
In response, Microsoft said on Friday that it had determined that prior patches to dozens of software versions had fixed the flaws that apparently were exploited by nine of the NSA programs.
The company said that comprehensive updates on March 14 blocked four of the vulnerabilities, adding that only the older unsupported versions of Windows operating systems and Exchange email servers were at risk from three of the newly released exploits.
The Shadow Brokers documents indicated that the NSA targeted nine computer servers at a SWIFT contractor, Dubai-based service bureau EastNets. It then used lines of code to query the SWIFT servers and Oracle databases handling the SWIFT transactions.