One week after the "Shadow Broker" hacker group re-emerged when in a Medium blog post it slammed Donald Trump's betrayal of his core "base" and the recent attack on Syria, urging Trump to revert to his original promises and not be swept away by globalist and MIC interests, it also released the password which grants access to what Edward Snowden dubbed the NSA's "Top Secret arsenal of digital weapons", it has made fresh headlines by releasing data which reportedly reveals that the NSA had hacked the SWIFT banking system of several banks around the globe including in the EU and middle east.
As a reminder, last year the Shadow Brokers claimed to have stolen files from the NSA's cyber-espionage group known as the Equation Group. After initially putting up the tools up for auction (ultimately nobody was interested in paying the price of 1 million Bitcoin, or around $570 million at the time), Last week, the Shadow Brokers dumped the password for the files they had put up for auction last summer. Missing from last week's dump were the Windows files they put up for individual auctions over the winter.
Fast forward one week, when on Good Friday the Shadow Brokers dumped a new collection of files, containing what appears to be exploits and hacking tools targeting Microsoft's Windows OS and evidence the Equation Group had gained access to servers and targeted banks connected to the ubiquitous SWIFT banking system.
The tools were dumped via the Shadow Brokers Twitter account and were accompanied by a new blog post. As Bleeping Computer's Catalin Cimpanu, who first noticed the release, points out, the blog post is called "Lost in Translation," and in addition to some premeditated ramblings in broken English...
KEK...last week theshadowbrokers be trying to help peoples. This week theshadowbrokers be thinking fuck peoples. Any other peoples be having same problem? So this week is being about money. TheShadowBrokers showing you cards theshadowbrokers wanting you to be seeing. Sometime peoples not being target audience. Follow the links for new dumps. Windows. Swift. Oddjob. Oh you thought that was it? Some of you peoples is needing reading comprehension.
... the post contained a link to a Yandex Disk file storage repo.
The password provided for these files is "Reeeeeeeeeeeeeee", and they've already been unzipped and hosted on GitHub by security researchers. A list of all the files contained in the dump is available here, and it reveals the presence of 23 new hacking tools named such as ODDJOB, JEEPFLEA, EASYBEE, EDUCATEDSCHOLAR, ENGLISHMANSDENTIST, ESKIMOROLL, ECLIPSEDWING, EMPHASISMINE, EMERALDTHREAD, ETERNALROMANCE, ETERNALSYNERGY, ETERNALBLUE , EWOKFRENZY, EXPLODINGCAN, ERRATICGOPHER, ESTEEMAUDIT, DOUBLEPULSAR, MOFCONFIG, FUZZBUNCH, and others.
As Cimpanu notes, the dump contains three folders named Windows, Swift, and OddJob. The Windows folder contains several Windows hacking tools, although these don't look like the same tools that were put up for sale last December. The folder OddJob contains an eponymous implant that can be delivered to Windows operating systems. Details on this implant are scarce at the moment although according to some members of the hacking community, the ETERNALBLUE tool also allows access to Windows 10-based platforms, also known as "zero-day" (0-day) exploits, granting hackers adversely control over any hacked computer.
OUCH, is that Windows 10 also impacted by ETERNALBLUE? That is INSANE. https://t.co/gKKO9EuFc7— Hacker Fantastic (@hackerfantastic) April 14, 2017
Commenting on today's release, Edward Snowden said in a tweet that "#NSA knew their hacking methods were stolen last year, but refused to tell software makers how to lock the thieves out. Are they liable?"
Just as interesting is that the folder claiming to hold SWIFT data contains SQL scripts that search for SWIFT-specific data inside databases, and text and Excel files hinting the Equation Group had hacked and gained access to several banks across the world, including not only Middle Eastern countries such as Palestine, UAE, Kuwait, Qatar, and Yemen, but also allegedly to European Union-based banks.
As Cimpanu adds, "this folder is by far the most interesting of the three, as it alludes the Equation Group (NSA) had been infiltrating banks, and secretly keeping an eye on SWIFT transactions. The files included in the dump indicate the Equation Group had targeted and successfully infiltrated the SWIFT Service Bureau of the Middle East (EastNets), one of the SWIFT departments managing and monitoring SWIFT transactions across Middle East banks."
In a statement posted on its website, EastNets denied it had been compromised, even if the Shadow Brokers dump included a file with all the Bureau's compromised administrator accounts, some of which correspond to real-world employees. Furthermore, op-sec commentator Joseph Cox noted on twitter that JEEPFLEA is the "alleged op targeting SWIFT. Here's the already public mention of JEEPFLEA from (I believe) a Snowden doc. TAO hacking op"
JEEPFLEA is alleged op targeting SWIFT. Here's the already public mention of JEEPFLEA from (I believe) a Snowden doc. TAO hacking op pic.twitter.com/toOmO1FQMz— Joseph Cox (@josephfcox) April 14, 2017
And while the NSA can perhaps claim that it was infiltrating Middle-eastern SWFT-member banks to search for terrorist, it will have a bigger headache on its hands if it emerges as some have alleged, that the NSA's "Equation Group" had managed to hack the internal Belgium HQ network at SWIFT itself:
Additionally, as some commentators have pointed out, notably @emptywheel, there was no effective need for the NSA to hack into SWIFT as the US government already had "front door" access into SWIFT - with supervision - for terrorist purposes as far back as 2013.
Going to keep repeating this all day.— emptywheel (@emptywheel) April 14, 2017
USG has front door access into SWIFT for broadly defined (& inadequately overseen) terrorist purposes
Remember: US negotiated front door access to SWIFT for terrorism purposes. No reason to hack (at least not for terrorism) it in 2013. https://t.co/HXMaW5pc2y— emptywheel (@emptywheel) April 14, 2017
Also of note is that the SWIFT files date to at least a month after Globo and Spiegel exposed TAO's hacking of SWIFT in 2013.
Other interesting thing is these SWIFT files date to at least a month AFTER Globo and Spiegel exposed TAO's hacking of SWIFT in 2013.— emptywheel (@emptywheel) April 14, 2017
As Wired confirms, "the new leak includes evidence that the NSA hacked into EastNets, a Dubai-based firm that oversees payments in the global SWIFT transaction system for dozens of client banks and other firms, particularly in the Middle East. The leak includes detailed lists of hacked or potentially targeted computers, including those belonging to firms in Qatar, Dubai, Abu Dhabi, Syria, Yemen, and the Palestinian territories. Also included in the data dump, as in previous Shadow Brokers releases, are a load of fresh hacking tools, this time targeting a slew of Windows versions."
As a reminder, the transaction protocol SWIFT has been repeatedly targeted by hackers seeking to redirect millions of dollars from banks around the world, with recent efforts in India, Ecuador, and Bangladesh. Over the past year, researchers have pointed to clues that a $81 million Bangladesh bank theft via SWIFT may have been the work of the North Korean government. But the Shadow Brokers’ latest leak offers new evidence that the NSA has also compromised SWIFT, albeit most likely for silent espionage and supervision of global fund flows, rather than wholesale larceny.
Separately, The Intercept notes that according to security researcher and hacker Matthew Hickey, co-founder of Hacker House, the significance of what’s now publicly available, including “zero day” attacks on previously undisclosed vulnerabilities, cannot be overstated: “I don’t think I have ever seen so much exploits and 0day [exploits] released at one time in my entire life,” he told The Intercept via Twitter DM, “and I have been involved in computer hacking and security for 20 years.” Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches.
“This is as big as it gets,” Hickey said. “Nation-state attack tools are now in the hands of anyone who cares to download them…it’s literally a cyberweapon for hacking into computers…people will be using these attacks for years to come.”
Hickey provided The Intercept with a video of FUZZBUNCH being used to compromise a virtual computer running Windows Server 2008–an industry survey from 2016 cited this operating system as the most widely used of its kind.
Finally, as an indication of the severity of today's Shadow Broker leak, none other than Facebook's Chief Security Officer, lashed out, saying that "Whatever you think of the [intel community] having 0-day, this situation pretty clearly demonstrates that the USG vulnerability equities process is broken."
Whatever you think of the IC having 0-day, this situation pretty clearly demonstrates that the USG vulnerability equities process is broken. https://t.co/lkaeO175zt— Alex Stamos (@alexstamos) April 14, 2017
The fact that this is the 3rd time this year (it's April!) is a scandal. We need to rethink who in the USG is responsible for defense. (3/3)— Alex Stamos (@alexstamos) April 14, 2017
Just to put it all into perspective, it was not the Russian government that allegedly had backdoor access to virtually every Windows-based platform and had infiltrated the information network that connects every bank in the world, but the NSA... and the US government.
And then there's the question why the NSA has kept silent throughout this entire process:
Smoking-gun evidence that NSA could have prevented today's Windows security disaster, but chose not to. Microsoft needs to take real action. https://t.co/zjQNOQcFSc— Edward Snowden (@Snowden) April 14, 2017
While many more questions will emerge following today's leak, one can't help but wonder if the entire "Russian hacking" scandal had been staged - either with the prior knowledge of the NSA or without - and just how much deeper this particular rabbit hole goes.
* * *
We conclude with the cryptic hint presented by the Shadow Brokers in their latest blog post:
Maybe if all suviving WWIII theshadowbrokers be seeing you next week. Who knows what we having next time?
Here's to surviving WWIII...