NSA and SWIFT Network Article | Cyber Security Talks
Please enable Javascript in your browser.

NSA was Targeting SWIFT Bank Network

By on April 14, 2017

NSA Tools

The Shadow Brokers – a hackers group that claimed to have stolen a bunch of hacking tools from the NSA – released today more alleged hacking tools and exploits that target earlier versions of Windows operating system, along with evidence that the Intelligence agency also targeted the SWIFT banking system of several banks around the world.

Last week, the hacking group released the password for an encrypted cache of Unix exploits, including a remote root zero-day exploit for Solaris OS, and the TOAST framework the group put on auction last summer.

Someone has already uploaded the unlocked archive on GitHub and listed all the files contained in the dump released by the Shadow Brokers, which includes 23 new hacking tools.

These hacking tools have been named as OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar, and others.

Security researchers have started delving into the dump to determine the capabilities of the alleged exploits, implants and payloads that are claimed to work against Windows platforms.

MiddleEast SWIFT Networks

In an enterprise setting, however, disabling the Windows Firewall and allowing remote desktop connections is quite common. That's where these exploits were designed to work, and the Shadow Brokers data appears to reveal that the NSA used these tools against at least one eyebrow-raising target: a SWIFT bureau in the Middle East.


Following The Money


As part of the Bush administration's War on Terrorism the Terrorist Finance Tracking program was set up. Under TFTP, the U.S. gained the ability to monitor transactions carried out via SWIFT. Why target SWIFT specifically? There are upwards of 11,000 banks in 200 countries that use it, and they exchange around 15 million messages a day. If you need to keep an eye on large amounts of money moving internationally, SWIFT is the key.

In the wake of Edward Snowden's revelations in 2013, however, questions were raised about NSA data collection. In October of that year, the EU Parliament voted to suspend the TFTP. It's right around that time that many of the exploits discovered by Shadow Brokers seems to have been put to use.

A leaked PowerPoint slide appears to confirm that the NSA had successfully set up backdoor monitoring on 9 banks running SWIFT Alliance Access (SAA) servers. At least three others at another SWIFT Bureau were targeted, but they had not been compromised at the time of creation of the PowerPoint presentation in 2013.

SWIFT Servers Architecture

What is the SWIFT Network ?


The SWIFT organisation hardhearted in Belgium which provides a network that allows financial institutions in 200+ countries to send and receive information about financial transactions to each other. Most of SWIFT members are banks, and trading institutions.

The SWIFT network does not actually transfer funds, but instead it sends payment orders between institutions’ accounts, using SWIFT codes. SWIFT Code also known as Bank Identifier Code (BIC), are used by the SWIFT Network for those transaction.


What is a SWIFT Service Bureau ?


Accredited SWIFT service bu­reau offers a cost-effective solution for access to the complete range of SWIFT services by eliminating the need for in-house SWIFT expertise and operational support. Think of them of the equivalent of the Cloud providers for Banks. There are 74 certified bureau in the World.


Alternative to SWIFTs?


China and Russia focused on SWIFT alternatives over the past few years such as China International Payments System (CIPS) ready since 2015 and last month Russia announced to have its alternative system for transfer of financial messages (SPFS) ready.

Although since as we just saw the exploitation of the SWIFT Service Bureau required Firewall and Windows remote exploits, having a SWIFT alternative would not be enough to stop attackers.

Unfortunately, as long as companies would not really understand the technical origins of cyber security issues — or worse deny them — those issues will still exist and potentially put critical nation infrastructure at risks.


EastNets Denies SWIFT Hacking Claims


IPs & Banks list

In an official statement published today, EastNets denies . that its SWIFT bureau was compromised, and says the reports of hack are "totally false and unfounded."

"The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network is totally false and unfounded. The EastNets Network internal Security Unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities."

The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks. The photos shown on twitter, claiming compromised information, is about pages that are outdated and obsolete, generated on a low-level internal server that is retired since 2013."



Elmalla A. (@elmalla) is Chief Sales Officer at i-AWCS, which focuses on web application security solutions.