Latest "Shadow Brokers" Leak Reveals NSA Hacked Most Windows Platforms; SWIFT Banks

Tyler Durden's picture

One week after the "Shadow Broker" hacker group re-emerged when in a Medium blog post it slammed Donald Trump's betrayal of his core "base" and the recent attack on Syria, urging Trump to revert to his original promises and not be swept away by globalist and MIC interests, it also released the password which grants access to what Edward Snowden dubbed the NSA's "Top Secret arsenal of digital weapons", it has made fresh headlines by releasing data which reportedly reveals that the NSA had hacked the SWIFT banking system of several banks around the globe including in the EU and middle east.

As a reminder, last year the Shadow Brokers claimed to have stolen files from the NSA's cyber-espionage group known as the Equation Group. After initially putting up the tools up for auction (ultimately nobody was interested in paying the price of 1 million Bitcoin, or around $570 million at the time), Last week, the Shadow Brokers dumped the password for the files they had put up for auction last summer. Missing from last week's dump were the Windows files they put up for individual auctions over the winter.

Fast forward one week, when on Good Friday the Shadow Brokers dumped a new collection of files, containing what appears to be exploits and hacking tools targeting Microsoft's Windows OS and evidence the Equation Group had gained access to servers and targeted banks connected to the ubiquitous SWIFT banking system.

The tools were dumped via the Shadow Brokers Twitter account and were accompanied by a new blog post. As Bleeping Computer's Catalin Cimpanu, who first noticed the release, points out, the blog post is called "Lost in Translation," and in addition to some premeditated ramblings in broken English...

KEK...last week theshadowbrokers be trying to help peoples. This week theshadowbrokers be thinking fuck peoples. Any other peoples be having same problem? So this week is being about money. TheShadowBrokers showing you cards theshadowbrokers wanting you to be seeing. Sometime peoples not being target audience. Follow the links for new dumps. Windows. Swift. Oddjob. Oh you thought that was it? Some of you peoples is needing reading comprehension.

... the post contained a link to a Yandex Disk file storage repo.

The password provided for these files is "Reeeeeeeeeeeeeee", and they've already been unzipped and hosted on GitHub by security researchers.  A list of all the files contained in the dump is available here, and it reveals the presence of 23 new hacking tools named such as ODDJOB, JEEPFLEA, EASYBEE, EDUCATEDSCHOLAR, ENGLISHMANSDENTIST, ESKIMOROLL, ECLIPSEDWING, EMPHASISMINE, EMERALDTHREAD, ETERNALROMANCE, ETERNALSYNERGY, ETERNALBLUE , EWOKFRENZY, EXPLODINGCAN, ERRATICGOPHER, ESTEEMAUDIT, DOUBLEPULSAR, MOFCONFIG, FUZZBUNCH, and others.

As Cimpanu notes, the dump contains three folders named Windows, Swift, and OddJob. The Windows folder contains several Windows hacking tools, although these don't look like the same tools that were put up for sale last December. The folder OddJob contains an eponymous implant that can be delivered to Windows operating systems. Details on this implant are scarce at the moment although according to some members of the hacking community, the ETERNALBLUE tool also allows access to Windows 10-based platforms, also known as "zero-day" (0-day) exploits, granting hackers adversely control over any hacked computer.

Commenting on today's release, Edward Snowden said in a tweet that "#NSA knew their hacking methods were stolen last year, but refused to tell software makers how to lock the thieves out. Are they liable?"

Just as interesting is that the folder claiming to hold SWIFT data contains SQL scripts that search for SWIFT-specific data inside databases, and text and Excel files hinting the Equation Group had hacked and gained access to several banks across the world, including not only Middle Eastern countries such as Palestine, UAE, Kuwait, Qatar, and Yemen, but also allegedly to European Union-based banks.

As Cimpanu adds, "this folder is by far the most interesting of the three, as it alludes the Equation Group (NSA) had been infiltrating banks, and secretly keeping an eye on SWIFT transactions. The files included in the dump indicate the Equation Group had targeted and successfully infiltrated the SWIFT Service Bureau of the Middle East (EastNets), one of the SWIFT departments managing and monitoring SWIFT transactions across Middle East banks."

In a statement posted on its website, EastNets denied it had been compromised, even if the Shadow Brokers dump included a file with all the Bureau's compromised administrator accounts, some of which correspond to real-world employees. Furthermore, op-sec commentator Joseph Cox noted on twitter that JEEPFLEA is the "alleged op targeting SWIFT. Here's the already public mention of JEEPFLEA from (I believe) a Snowden doc. TAO hacking op"

And while the NSA can perhaps claim that it was infiltrating Middle-eastern SWFT-member banks to search for terrorist, it will have a bigger headache on its hands if it emerges as some have alleged, that the NSA's "Equation Group" had managed to hack the internal Belgium HQ network at SWIFT itself:

Additionally, as some commentators have pointed out, notably @emptywheel, there was no effective need for the NSA to hack into SWIFT as the US government already had "front door" access into SWIFT - with supervision - for terrorist purposes as far back as 2013.

Also of note is that the SWIFT files date to at least a month after Globo and Spiegel exposed TAO's hacking of SWIFT in 2013.

As Wired confirms, "the new leak includes evidence that the NSA hacked into EastNets, a Dubai-based firm that oversees payments in the global SWIFT transaction system for dozens of client banks and other firms, particularly in the Middle East. The leak includes detailed lists of hacked or potentially targeted computers, including those belonging to firms in Qatar, Dubai, Abu Dhabi, Syria, Yemen, and the Palestinian territories. Also included in the data dump, as in previous Shadow Brokers releases, are a load of fresh hacking tools, this time targeting a slew of Windows versions."

As a reminder, the transaction protocol SWIFT has been repeatedly targeted by hackers seeking to redirect millions of dollars from banks around the world, with recent efforts in India, Ecuador, and Bangladesh. Over the past year, researchers have pointed to clues that a $81 million Bangladesh bank theft via SWIFT may have been the work of the North Korean government.   But the Shadow Brokers’ latest leak offers new evidence that the NSA has also compromised SWIFT, albeit most likely for silent espionage and supervision of global fund flows, rather than wholesale larceny.

Separately, The Intercept notes that according to security researcher and hacker Matthew Hickey, co-founder of Hacker House, the significance of what’s now publicly available, including “zero day” attacks on previously undisclosed vulnerabilities, cannot be overstated: “I don’t think I have ever seen so much exploits and 0day [exploits] released at one time in my entire life,” he told The Intercept via Twitter DM, “and I have been involved in computer hacking and security for 20 years.” Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches.

“This is as big as it gets,” Hickey said. “Nation-state attack tools are now in the hands of anyone who cares to download them…it’s literally a cyberweapon for hacking into computers…people will be using these attacks for years to come.”

Hickey provided The Intercept with a video of FUZZBUNCH being used to compromise a virtual computer running Windows Server 2008–an industry survey from 2016 cited this operating system as the most widely used of its kind.


Finally, as an indication of the severity of today's Shadow Broker leak, none other than Facebook's Chief Security Officer, lashed out, saying that "Whatever you think of the [intel community] having 0-day, this situation pretty clearly demonstrates that the USG vulnerability equities process is broken."

Just to put it all into perspective, it was not the Russian government that allegedly had backdoor access to virtually every Windows-based platform and had infiltrated the information network that connects every bank in the world, but the NSA... and the US government.

And then there's the question why the NSA has kept silent throughout this entire process:

While many more questions will emerge following today's leak, one can't help but wonder if the entire "Russian hacking" scandal had been staged - either with the prior knowledge of the NSA or without - and just how much deeper this particular rabbit hole goes.

* * *

We conclude with the cryptic hint presented by the Shadow Brokers in their latest blog post:

Maybe if all suviving WWIII theshadowbrokers be seeing you next week. Who knows what we having next time?

Here's to surviving WWIII...

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
LawsofPhysics's picture

So that's why Belgium kept buying treasuries...

grunk's picture

They're cheaper than beer.

Chuck Walla's picture

So this is where I got 1000 shares of Valeant!

fauxhammer's picture

All your shit are belong to everybody

John Kerry-Heinz's picture

Windooze pc's since win 7 phone home to microsoft, relaying the user statistics including web browsing.  Apple uses a similar system.  Both of these coporate monsters are hidden in plainview data collection partners with the government surviellance.  You see, the gov KNOWS everything it needs to know about citizens, because it collects everything we do on these compromised OS's.  Just imagine the Blakmale information that is available to them on anyone.

Just in case you think this all BS, here are the addresses Windooze platforms use to phone home all of your stats:



These addresses are actually tunnels established by the Windooze install to Microsoft and how they can backdoor remote into you or your servers.

Disclosure: I DO NOT USE MACS or IDIOT phones, pads, etc....  All publically used platforms are comprimised.

Curiously_Crazy's picture

Anyone using win-doze has a screw loose.

You mention 'since win 7' but it's actually always been the case. Windows is massively flawed and has security holes in it that make swiss cheese look solid, 12 year old kids have been hacking it for decades so it's no wonder the real power brokers have no issues doing so. Anyway..

Additional privacy risks have been introduced with Windows 8. There's the smartscreen filter, which reports to Microsoft what software you are running on your computer. This feature includes a kill switch that can allow Microsoft (or any one with an exploit for this mechanism) to delete programs on your machine without your consent.

Windows 10 takes surveillance of users to a whole new level. It runs a telemetry spyware program out-of-the-box that snoops on the users' files, what programs you are running and for how long, text input including your unique typing pattern, voice input, location info, contacts, calendar records and web browsing history, as well as automatically connecting the machines to open hotspots and showing targeted ads. There is no way to remove telemetry.

Like you, I'll add the disclaimer that my boxes don't run the spyware infected mac's either.

BuddyEffed's picture

Are they sure the Windows was hacked, or could they have been invited it?

Zorba's idea's picture

Here a hack, there a hack, everywhere a hack hack!  Hack attacks R US 

mkkby's picture

Thanks ketchup boy.  I'll block those domains in my router right away.

Still using win 7 and XP.  When those computers die I am a linux user for life.

Ludwig Von's picture

We 're good at at least that... . :-)

HRClinton's picture

The BLICS countries hold over $1 Trillion of US debt, yet they have bugger all in terms of GDP, i.e. resources or industry.

Japan has more debt per capita than we do, yet they too have over $1 Trillion of our debt.

China, which until this week was a yuuuge Currency Manipulator, has over $1 Trillion of our debt.

Pretty soon any CB in the world will be able to issue Debt to the US, it seems.  If only Li'L Kim would behave, we'd let him issue $1 Trillion in Debt to us also.


meditate_vigorously's picture

This seems to have all the evidence needed to claim that the CIA/NSA stole that money from Bangledesh. The false flags and direct access.

Vageling's picture

When it comes to Belgium. Which part again? 

But I am laughing hard on the Spywindow folks. 

Le_Zabroso's picture

learn about grammar and spelling you freak.

meditate_vigorously's picture

How do you who the stupidest person in the room is? When you think you are the smartest, it is you.

fel.temp.reparatio's picture it the one that leaves out the word "know" in the posted question?

hustler etiquette's picture

Praise be to Kek. Kek's will, will be manifested. Seek the truth. Kek is One; Kek is One. Kek's world will be manifested. No offense to those who pray facing East.

pitz's picture

Who is actually stupid enough to expose a Windows computer directly to the Internet?

mtanimal's picture

Uhhh..... a goverment employee or a banker?

thisandthat's picture

My bank used OS/2 years ago; maybe they're laughing now

Vageling's picture

Same for IoS and Android. 

shallwe's picture

What does it mean directly?

Salsa Verde's picture

People who spend other people's money for a living.

Umh's picture

Most IT managers.

mtanimal's picture

I be having the same problems. Fuck peoples. But fuck banksters first.

dirty belly's picture

I Smell


10mm's picture

I detect ass fuck.No Lube.

JohninMK's picture

So, the US already has 'front door' access into SWIFT for terrorist related enquiries, little policed apparently, but for other reasons the US decided that it needed 'back door' access as well. This has now been publicly documented, no doubt to the huge anger of SWIFT who may well not known about it and their customers who definitely didn't.

This however presents a huge opportunity to the Russian, and Chinese, SWIFT analogue networks if they are able to take advantage of it. The strategic ramifications for the World's financial systems, the oversight of them and the US$'s place in them will be on a lot of peoples minds this Easter.

IndyPat's picture

Snowden says..."Microsoft needs to take real action."
Over 0day holes.

That's fucking funny. They'll get right on that.
That's the dirty lie Snowden never, ever fucking addresses. That Microsoft and IC are thick as thieves.

bofs's picture

Could some white hats perhaps use this info to break the global banking cartel/racket?

Drop out's picture

I'm safe, my computer has the latest version of Windows ME installed on it.

seek's picture

Microsoft BOB is also glaringly absent from most exploit reports.

Capn Mike's picture

Very good. Not crazy, completely, though. I did home-brew cryptography project last year in 8080 assembler. Good luck finding tools for that! Was that you at the Twit Olympics?

undertow1141's picture

I imagine many network managers just had their holiday weekend plans scrubbed.

mtanimal's picture

ESKIMOROLL? FUZZBUNCH? That should give you an idea of the mentality creating these.

BlindMonkey's picture

I'm waiting for the comment spammers to change their schtick from "I make $7k a week from home!" to something like "I just transfered $15 million into my offshore account.  Click on this link to find out how you can too!"


What a time to be alive.

LightTrumpsDark's picture

These NSA spies have been totally out of control for too many years with insufficient oversight quite obviously.  Morons running the world!  I posted a message yesterday to the Facebook page of Australias Foreign Minister Julie Bishop, commenting about the false flag Syrian chemical gas attack bringing her attention to the MIT Professor who called out the authenticity of the western media schill reports.  If Trump takes us to thermoneclear WW3 (or some high skilled hacker getting into the nuclear arsenal) we will have idiots like her to thank for not exposing the bastards and the criminals.  This has to stop, make some high level arrests now.  Clinton Foundation and the Bush family are good places to start.  Wake up world before it is too late.  Of Anglo American Empire you have totally totally failed us in so many many areas of the world. Dont get me wrong, it still remains an awesomely beautiful world when you have appreciation and sanctity for all life on the planet (guess that counts out the American MIC).  Global corporatism has to go and go now - No longer Too Big To Fail - new acromyn is Too Big To Keep Alive - TBTKA.  Put the big corrupt corporates to sleep by making them small again!!  Rant Over.

DelusionsCrowded's picture

I agree . They need to be properly overseen by people with political , sociological and ETHICAL credentials . Its just not good enough having mad scientists , sociopaths and aspergerers running these insttitutions and begin oversighted by Political Criminals that are themselves compromised by these institutions .

The US Gov is constantly going on about National Security but when they don't have an enemy , the MIC gets out there and creates them . It seem that the SG (shadow gov) is constantly looking for reasons to wage war on humanity . I see in todays paper Nato is ridiculously claiming an essential forward defense in Poland against Russian 'aggression'  . Yet  all the while telling us 'Were the goodguys' . I think not . Guantanemo Bay , Abu Grab and all the 100's shadow tourture sites they have over the world (human experimentation undoubtably) . Bradley Manning ??? Libya , Please explain . But instead of being contrite ,those who disagree  are added to the enemy list . A list that must now runs into  millions  .

These Mad Masonic Monks refuse to consider they have an ethical problem . They are creating  meyhem in the World that they claim to be saving 'us' from , And this justifies their existance for their continued war against humanity .

Publicus_Reanimated's picture

Hahaha "broken English."

Nope, this is fractured English written by a native English speaker to look foreign.  

hustler etiquette's picture

yeah mayne their broken english sounds like an attempt at Albanian ebonics, albonics?

Benito_Camela's picture

Or more likely a textual style obfuscation program. 

Brazen Heist's picture



Oh the names.

JohninMK's picture

ENGLISHMANSDENTIST - drills deeper and more painfully

That kinda sums up the whole episode,

Make a recovery disc today and regard anything from now on as suspect. Save all your data files offline.

At least you will have something to go back to offline.

bluskyes's picture

This will trigger a credit freeze , and bank holiday.

Counter parties beware!

hustler etiquette's picture

This is Bukaki Theatre. Bring your umbrellas, Wellies, and protective eye-wear. Everybody is getting sprayed. Blap blap blap