America’s National Security Agency (NSA) used flaws in Windows software and in Cisco’s network security to gain access to SWIFT, the global system for transferring money between banks, according to documents and computer files released by the hacking group Shadow Brokers. The NSA used the exploits to trace sources of terrorist financing and to track money flows among criminal groups.
The documents and files indicate that the NSA accessed the SWIFT money-transfer system through service providers in the Middle East and Latin America. Cybersecurity analyst Matt Suiche, founder of Comae Technologies, said that the screenshots released indicated some SWIFT affiliates were using Windows servers that were vulnerable at the time, in 2013, to the exploits published by the Shadow Brokers.
“As soon as they bypass the firewalls, they target the machines using Microsoft exploits,” Suiche told Reuters. Microsoft acknowledged the vulnerabilities had existed and said they had been patched. Cisco has previously acknowledged that its firewalls had been vulnerable. Belgium-based SWIFT said it had no evidence that its main network had been compromised; it was possible that the local messaging systems of some SWIFT client banks had been breached, it said in a statement.
A PowerPoint presentation that was part of the Shadow Brokers release indicates that the NSA used a tool codenamed BARGLEE to breach the SWIFT service providers’ security firewalls. The NSA’s official seal appeared on one of the slides in the presentation, although Reuters could not independently determine the authenticity of the slides. The slide referred to ASA firewalls. Cisco is the only company that makes ASA firewalls, according to a Cisco employee who spoke on condition of anonymity. ASA stands for Adaptive Security Appliance, which combines a firewall, antivirus, intrusion prevention and a virtual private network, or VPN.
Documents included in the Shadow Brokers release suggest that the NSA, after penetrating the firewall of the SWIFT service providers, used Microsoft exploits to target the computers interacting with the SWIFT network. The NSA targeted nine computer servers at a SWIFT contractor, a Dubai-based service bureau called EastNets, according to the documents. The intelligence agency then used lines of code to query the SWIFT servers and Oracle databases handling the SWIFT transactions, according to the documents.