US government 'monitored bank transfers'

  • Published
NSA headquartersImage source, Getty Images
Image caption,
The NSA is facing criticism for not sharing details of the security flaws with Microsoft

A huge range of security weaknesses, said to be worth more than $2m (£1.6m) if sold on the black market, have been leaked online by a hacking group.

The tools are said to have been created by the US National Security Agency.

Accompanying documents appear to indicate it was able to monitor money flows among some Middle East and Latin American banks.

It apparently did this by gaining access to two service bureaus of the Swift global banking system.

Such a hack could have enabled the US to covertly monitor financial transactions, researchers said.

The files were released by Shadow Brokers, a hacking group that has previously leaked malware.

If genuine, it represents perhaps the most significant exposure of the US agency's files since the Edward Snowden leaks in 2013.

On Twitter, Mr Snowden described it as the "Mother Of All Exploits" - a reference to a bomb recently used by the US military in Afghanistan.

Multiple experts have said this latest "data dump" is credible - though the institutions implicated have dismissed the claims, or refused to comment.

Swift, which is headquartered in Belgium, said: "We have no evidence to suggest that there has ever been any unauthorised access to our network or messaging services."

The BBC is not able to verify the authenticity of the files - and the NSA has not commented on the leak.

Swift was successfully targeted by hackers last year when criminals stole $81m from the Bangladeshi central bank

Watching the Middle East

Swift is a network that allows global banks to move money around the world.

In the Swift network, smaller banks often make use of service bureaux to handle transactions on their behalf. Documents included in the leak suggest at least one major bureau, EastNets, may have been compromised.

"If you hack the service bureau, it means that you also have access to all of their clients, all of the banks," said Matt Suiche, founder of the United Arab Emirates-based cybersecurity firm Comae Technologies, speaking to Reuters.

Headquartered in Dubai, EastNets has clients in Kuwait, Dubai, Bahrain, Jordan, Yemen and Qatar. Spreadsheets published by Shadow Brokers appeared to list banks that had been breached with "implants" - secret data-gathering software.

Cris Thomas, a security researcher with Tenable, said analysis of the leaked files suggested the US government had the capability "to monitor, if not disrupt, financial transactions to terrorists groups".

In a statement on Friday, EastNets strongly denied the claims.

"The reports of an alleged hacker-compromised EastNets Service Bureau network is totally false and unfounded," a spokesperson said.

"The EastNets Network Internal Security Unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities.

"The photos shown on Twitter, claiming compromised information, is about pages that are outdated and obsolete, generated on a low-level internal server that is retired since 2013."

Windows threat

The files contained several "zero day" exploits - vulnerabilities that were previously unknown to the companies that create the software, or the security community at large.

The zero-days targeted Windows machines, though researchers said none in the cache would be effective against the latest version, Windows 10.

That said, multiple experts said the sheer number of zero days released at the same time was unprecedented. One researcher, speaking to Vice, said the exploits would have been worth more than $2m if sold privately

In January, a Twitter account believed to be run by the group announced an auction of the exploits, but it appears the group did not find any buyers. The NSA is now facing criticism for not sharing details of the exploits with Microsoft once it became clear the tools were in the hands of a hacking group.

Microsoft said in a statement to the BBC that it was "reviewing the report and will take the necessary actions to protect our customers".


Follow Dave Lee on Twitter @DaveLeeBBC

You can reach Dave securely through encrypted messaging app Signal on: +1 (628) 400-7370