Hackers Say NSA Snooped Into Banks in Palestinian Authority and Wider Middle East

The group known as Shadow Brokers says it releases programs used by the U.S. security agency, including some used to hack into the Swift system for money transfers

The NSA headquarters in Fort Meade, Maryland.
AP / Patrick Semansky

The U.S. National Security Agency spied on money transfers through the Swift interbank network, according to a hacker group that says its data dump is meant to protest U.S. President Donald Trump’s missile attack on Syria this month.

The group, known as Shadow Brokers, also says the NSA has developed tools to hack computers using Microsoft’s Windows operating system, though the company says most significant vulnerabilities have already been patched.

Swift is used by around 11,000 banks and other financial institutions to transfer money. The NSA surveillance reportedly included Palestinian banks and banks elsewhere in the Middle East and Latin America. Experts say Shadow Brokers’ data leak last week was its biggest and most significant yet.

The leak began with the release of programs to hack into Unix operating systems, and peaked Friday with the exposure of Windows-targeting programs using so-called zero-day vulnerabilities, previously unknown flaws that leave the software producer with zero days to fix the problem.

As with previous exposures of NSA malware, the leaked programs bore strange names like fuzzbunch, jeepflea_market, oddjob and jeepflea_powder.

The data dump included tools for breaking into Windows on servers and private computers. Some of the Windows versions, like Windows XP, are obsolete; they are no longer updated by the company. Other versions, including Windows 8, still receive security updates. The leak did not include tools to attack Windows 10.

The most remarkable Windows-cracking tool is fuzzbunch, which, like programs such as Metasploit in the civilian world, bundles a number of assault tools into one easy-to-use package.

“I don’t think I have ever seen so much exploits and 0day [exploits] released at one time in my entire life,” researcher Matthew Hickey, co-founder of Hacker House, told The Intercept via Twitter Direct Messages.

Previous leaks by Shadow Brokers consisted only of code samples. This time the leaks also included presentations and documents exposing information about targets – which turned out to have included Swift.

“Oh you thought that was it?” Shadow Brokers wrote in a statement accompanying the Friday leak, delivered in its signature style – bravado marked by grammar or punctuation issues.

According to the hacker group, the institutions the NSA followed included Ramallah-based Al Quds Bank.

Tal Be’eri, a security investigator and expert on Swift, told Haaretz that the consortium that manages the Swift standard tells organizations joining it which servers and software to use. Monitoring Swift would make sense for the NSA as it tracks funding sources for things like terrorism and the black market in nuclear weapons, Be’eri adds.

Following 9/11, Washington created software to legally draw information out of Swift to aid terror-related probes. Swift is headquartered in Belgium, so if the NSA used malicious software on Swift, it was effectively spying on EU territory.

Be’eri, however, says the NSA’s main target was actually a Dubai-based company called EastNets, which provides service to Swift and is directly connected with its computer system. EastNets has branches in Belgium, the United Arab Emirates and Egypt, and serves numerous clients in the Middle East.

According to the presentations and Excel spreadsheets leaked by Shadow Brokers, the NSA continued to spy on financial institutions via its break-in at EastNets at least until 2013, the year Edward Snowden revealed information about U.S. government hacking, including on the Swift system.

EastNets categorically denies being hacked, according to Wired. EastNets said its internal security unit found no penetration by hackers.

Shadow Brokers made headlines last year when it vowed to reveal to the highest bidder NSA computer programs for espionage. Shadow Brokers released examples that experts deemed to include authentic, if somewhat obsolete, software written by the NSA’s Tailored Access Operations unit.

Some observers suspect that Shadow Brokers is actually part of a Russian effort to undermine the United States and its intelligence operations. The group said it was making the NSA’s 2013 hacking tools available to everyone in protest against the U.S. attack on a Syrian air force base on April 7.

For its part, Microsoft said that some of the vulnerabilities in Windows had already been patched and that it was hurrying to fix the rest. If the software is an obsolete version that Windows no longer supports, the company won’t be fixing its vulnerabilities.

“Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products,” the company said, adding: “Customers still running prior versions of these products are encouraged to upgrade to a supported offering.”