
ShadowBrokers: The NSA Compromised the SWIFT Network - raesene9
https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
======
raesene9
It's worth following @hackerfantastic
([https://twitter.com/hackerfantastic](https://twitter.com/hackerfantastic))
on Twitter at the moment as he's looking through some of the exploits that
were dropped along with these documents.

Highlights so far are a 0-day in Windows from NT-->2012 which reliably
exploits over the SMBv2 port and a bunch of other stuff.
([https://twitter.com/hackerfantastic/status/85291588665052774...](https://twitter.com/hackerfantastic/status/852915886650527744))

~~~
fpp
Sounds familiar - we found that one in 1996 when doing system programming on NT
(NuMega SoftIce was your best friend together with material published by Mark
Russinovich prior to him working with MS - remember when you were doing e.g. a
file system driver at that time there was close to zero documentation by MS
and half of what they provided was wrong). Demonstrated then how to use it to
log onto remote Windows systems over the I-Net and gain Admin rights. I
thought this one, with all that was published about it long ago, would be well
known since.

Astounded that it took so long to fix and that it passed on through
generations of Windows versions.

Almost certainly something similar can be said of other low-level "bugs".

~~~
hexadecimated
How do you know it's the same bug?

~~~
fpp
Same result - only one issue like that known to me. So of course I could be
wrong and this issue is not the only one in that protocol implementation / sys
component(s).

------
dmix
> This release includes logs, excel files, and even for the first time
> PowerPoint of TOP SECRET documents. This is a first from Shadow Brokers,
> this would mean ShadowBrokers has definitely more than only tools.

I'm curious what the implication is here. Why would a TOP SECRET power point
slide be packaged together with malware on an attack server? It's either
really sloppy OPSEC by NSA TAO (or random hired contractor) or may just be a
collection of files put together by an intel agency/'criminal' hacker group
from various sources to embarrass NSA.

~~~
posixplz
The implication is that they're working directly with leakers. It's pretty
hard to imagine that a PPT would be left on operational assets where tools are
traditionally found.

~~~
mike_hearn
Aren't we overlooking a rather more likely possibility here - that the NSA has
itself been hacked? You're right, I see no reason why slideware would be
sitting outside the NSA corporate networks and I'm sure they have various
procedures to try and prevent exactly that. The two remaining possibilities
are:

1. Another leaker who isn't Snowden

2. A third party who has gained access to the insides of the NSA

I don't see why we're apparently ignoring 2 in this thread. The Snowden leaks
made it very, very clear that essentially nothing is unhackable. And it's not
like the USA has a monopoly on hacking skill. What else do we know about the
NSA? That they perform the largest WireSharking in history, they literally
parse most of the internet with a giant collection of programs which I will
assume are written in C or C++ for the sake of performance (though a lot of
Perl seems to crop up for analysis purposes too).

What are the chances that the NSA have managed to build a huge network with
hugely complex interfacing to the entire internet, and huge amounts of
software, without opening themselves up to attack by equally sophisticated
attackers? I'd say close to zero.

~~~
Bartweiss
An interesting note on 1: back during the Snowden and Manning leaks, Bruce
Schneier strongly believed that there was a still-unknown leaker because some
of the data shouldn't have been available to the other leakers.

Not sure if these are related, but the latest round makes pretty clear that
there's been either a new leaker or a serious attack.

~~~
e12e
You're not thinking of Brandon Bryant, who leaked details of Ramstein air base
and that the illegal drone killing program is/was run from Europe?

~~~
Bartweiss
I don't think I am? A quick look says he was identified in 2012, and Snowden
started publishing in 2013. I'll have to track down the Schneier post to be
sure of my dates, though.

------
ryanmarsh
Is anyone else as horrified by this as I am?

Bitcoin being a sewer rat, and the banking system being a bubble boy, I knew a
day would come when the bubble boy would be exposed to something bitcoin had
grown immune to, get sick, and possibly die. I didn't know his protective
bubble was already gone. I thought these banks all communicated on leased
lines and weren't exposed to the public internet.

Is there any indication that a criminal hacker gang couldn't have compromised
this or other SWIFT service bureaus or banks in a similar manner?

Which fiat bank will be the first Mt Gox?

~~~
foepys
> exposed to something bitcoin had grown immune to

I don't know where this myth is coming from that Bitcoin is immune to
state-level actors. If a relatively large government really wanted to manipulate
the Bitcoin network, they could either just buy some thousand Bitcoin and spam
the network with transactions or buy enough hardware to get over 50% hashing
power. China especially only needs to take down the 2 or 3 top miners and can
cut the mining power in half within a day.

Bitcoin is simply not interesting enough at the moment to get manipulated by
state-level actors. But that doesn't mean that it's impossible, regardless
what Bitcoin advocates want you to believe.

~~~
JoshTriplett
Definitely not _impossible_, but a quick check at the moment suggests that
with the best available ASICs, it'd cost about $376M retail (or perhaps less
wholesale) to buy hashing power equivalent to the current network. (And that
assumes sufficient supply to do so, though it might be possible to scale that
better.) So, definitely in the range for states to accomplish, but not
trivial; it'd have to be extremely critical to do so. (And an attempt to do so
would likely get noticed, and there are ways to work around it.)

~~~
maxander
The U.S. threw ~$80M worth of missiles into Syria several days ago, just to
damage an airfield. No one would blink at half a billion to take out bitcoin,
and that's assuming that the NSA/CIA don't already have billions' worth of
codebreaking hardware that could be applied to that purpose (they _almost
certainly_ do). Taking control of bitcoin is probably "fun weekend project"
level work for them.

~~~
clubm8
> Taking control of bitcoin is probably "fun weekend project" level work for
> them.

What if they _created_ Bitcoin?

We've all read about the CIA running drugs to raise cash for black ops... why
not take it a step further and create your own currency?

My personal theory is it was an intel agency, or a criminal group.

Keep in mind Truecrypt was also written by criminals:
[https://magazine.atavist.com/he-always-had-a-dark-side](https://magazine.atavist.com/he-always-had-a-dark-side)

~~~
jacobush
Damn, that's a chilling thought.

------
starefossen
And here is the EastNets blog post denying the compromise ever happened:
[http://www.eastnets.com/News_Details/17-04-14/No_credibility...](http://www.eastnets.com/News_Details/17-04-14/No_credibility_to_the_online_claim_of_a_compromise_of_EastNets_customer_information_on_its_SWIFT_service_bureau.aspx)

~~~
UnoriginalGuy
I love them outright denying it, then slowly admitting that the slides
reference real elements of their infrastructure that they have since retired.

This dump is a few years old. Seems very believable that the NSA compromised
their network before 2013 in the way the slides suggest. Plus if their
"internal Security Unit" was worth a damn they would have known about this
already, rather than finding out about it from this dump.

Overall that press release is a little embarrassing, and screams to the tech
illiteracy of their senior management. Nobody would publish a press release
like this so quickly if they understood the problem scopes in play here (e.g.
their Cisco firewalls themselves could have implants!).

------
peterwwillis
We've known the NSA compromised SWIFT since 2013, that the US has control over
SWIFT transactions since 2012, and that the US had been failing to guarantee
the privacy of EU citizens' transactions on the network since 2011.

We've also known since last year that at least three separate hacks by three
separate thieves stole millions of dollars from multiple banks after
compromising the SWIFT network.

All 11,000 financial institutions connected to the network should just switch
to sending their 15 million messages per day using iPhones. Problem solved.

~~~
nickpsecurity
"All 11,000 financial institutions connected to the network should just switch
to sending their 15 million messages per day using iPhones. Problem solved."

iPhones are in U.S. jurisdiction. That's a bad idea. Instead, they should send
P2P or through a SWIFT-like intermediary with signed messages GPG-style over
TLS-style links via dedicated lines or Internet lines with high-speed port
knocking. It all can be done with highly secure tech. The tech for the bottom of
the stack, from secure CPUs to secure kernels, even exists already. SWIFT or some
other setup just has to buy it with that pile of money they have.

------
walterbell
> _Windows XP/2003 has been unsupported for more than 3 years. This means that
> security vulnerabilities found on those systems will never be corrected._

Windows Embedded 2009 (based on XP) is receiving security updates until 2019.

------
nickpsecurity
Alright, maybe SWIFT will be interested in high-assurance systems now. Any day
now they'll start applying the best of real INFOSEC to a world-wide,
financial-transfer network. Any day now... Probably not lol...

~~~
walterbell
Are any of these meaningful?

[https://www.swift.com/myswift/customer-security-programme-cs...](https://www.swift.com/myswift/customer-security-programme-csp_/security-announcements)

~~~
nickpsecurity
I can't glean useful information out of it except to note Fox-IT has some
experts on hand that can help. They were mentioned. The hacks usually come
from malicious insiders, social engineering of benign insiders, bad
configurations, bad protocols, and especially 0-days in software. The interim
solution should then be a hardened OS with a strong TCB, use of proven protocols,
secure-by-default configuration, auditing/monitoring by third parties for
malicious insiders, and controls for both malicious and benign insiders.
SWIFT's headlines indicate a lot of software implementing controls, analysis,
and so on. I didn't see anything at a glance about making the _implementation_
of that software, their protocols, or their OSes bulletproof.

So, I still don't trust them. This looks like the same shit management in
banking and "security" industries come up with all the time. You know, the
stuff used in dozens of companies that got bypassed by so-called "APTs" that
sent emails with infected PDFs and Excel documents. Really "advanced" attacks
it takes. Haha. Trick is, you need both the security features and _assurance_
they're secure. Most of industry focuses on the former whereas my type focuses
on the latter as much as possible. ;)

~~~
walterbell
Have you seen Skyport's hardened server? Excluding the "cloud management"
portion, it looks promising on paper,
[https://www.skyportsystems.net/wp-content/uploads/2017/02/Da...](https://www.skyportsystems.net/wp-content/uploads/2017/02/Datasheet-SkySecure-Server-On-Premises-Hyper-Secured-Infrastructure.pdf)

Microsoft's PAW definition covers related topics,
[https://technet.microsoft.com/en-us/windows-server-docs/secu...](https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations)

~~~
nickpsecurity
That's a nice design. They're trying really hard while staying within COTS
components. So, I wanted to know what the TCB was running. Paydirt:

"The I/O Controller runs an isolated instance of Security Enhanced Linux and
has a separate TPM for measurements and identity anchoring."

Yeah, that's not trustworthy. It might get attacked less than competing
systems but SELinux isn't a good TCB. The NSA themselves rate it like most of
the rest at EAL4+: resistant to "inadvertent" or "casual" attempts to breach
security. You want that trusted component to be running something stronger,
preferably with low odds of 0-days. A minimal version of OpenBSD is a cheap
start as their networking and Ethernet stacks probably had the most review. Next
best is a separation kernel enforcing policy with a small TCB & user-mode
stacks. There are commercial ones they can buy or FOSS ones to build on. A
memory-safe language like Ada/SPARK or Rust for their trusted code. Paid or FOSS
options for that, too.

The point being the hackers are going to look for ways to send in malicious
data or cause unusual executions to get code into memory. Whatever they're
using should stop that or isolate the damage with high confidence. Most don't,
though. Even well-thought-out ones like this product.

EDIT: Thanks for the tip-off, though, as I occasionally send recommendations
to security vendors. Might email them or use them as an example for
high-security people of what kind of thing to build or market.

------
jpalomaki
The title does not seem to be accurate. I don't see evidence that the whole SWIFT
network was compromised. Instead it looks like they compromised one company
which connects to the SWIFT network.

~~~
nickpsecurity
That's what it looks like. They were monitoring or getting data from SWIFT
before, though. Just can't remember the details. I'd assume they can hack
SWIFT, though, given SWIFT probably relies on tech they have 0-days in like
most places. Just more monitoring that might catch them. Hopefully...

~~~
jpalomaki
Yes, that was happening in cooperation with SWIFT in the aftermath of 9/11:
[https://en.m.wikipedia.org/wiki/Terrorist_Finance_Tracking_P...](https://en.m.wikipedia.org/wiki/Terrorist_Finance_Tracking_Program)

Back then SWIFT had two processing centers, one in EU and one in US. Traffic
was replicated to both for resiliency. Later they opened up a new center in
Switzerland to be able to keep European data in Europe.

------
SamLevin88
Perhaps this is one of the reasons Americans don't want to be surveilled
unconstitutionally by our own government!

------
pera
I wonder why the TFTP[1] is not enough for the US IC; is there any official
explanation?

[https://en.wikipedia.org/wiki/Terrorist_Finance_Tracking_Pro...](https://en.wikipedia.org/wiki/Terrorist_Finance_Tracking_Program)

~~~
UnoriginalGuy
None of the countries targeted in the NSA slides are part of that program.

------
Nas808
Every time something like this breaks I have to take it with a grain of salt.
I've been fooled by HN before about "major" security breaches that end up not
having much of an impact at all.

Cloudflare leak in Feb... sounded like the world was ending here.

~~~
i336_
You may have noticed that the biggest freakout was from Google.

The freakout wasn't due to the incident itself (although obviously everyone
was unimpressed the leak happened), it was the fallout: the leaked data was
archived in various caches. Google's indexes of the web are the biggest.

------
Globz
Is there a particular reason why ALL of them are using the same subnet
192.168.200.*?

~~~
ganoushoreilly
Because they likely have an operational network for each work group that's
mirrored, using standard configurations to maintain continuity across tools,
techniques, and procedures.

------
Sephr
How is NSA TAO not being held criminally irresponsible by our administration
for not patching the still-unreleased exploits that are currently in
possession of third parties?

~~~
Chaebixi
> How is NSA TAO not being held criminally irresponsible by our administration

Hate to break the news to you about the new administration...

~~~
akvadrako
or the previous administration ...

------
swalsh
Correct me if I'm wrong, but I'm pretty sure that OddJob hack has a GUI
interface built with Visual Basic ;)

------
lallysingh
I'm not surprised that an agency tasked with counter terrorism is
intercepting/manipulating wire transfers.

~~~
jcriddle4
The US government already has legal and very broad access to SWIFT for
anything even slightly terror related.

~~~
gruturo
> The US government already has legal and very broad access to SWIFT for
> anything even slightly terror related.

Not really. SWIFT maintains multiple datacenters outside the US so that
transactions between 2 non-US actors don't touch US-based computers and are
therefore not (easily, officially) accessible by the US government.

------
Kinnard
I find it interesting that he did not mention Bitcoin or other blockchain
based solutions as an alternative to SWIFT. I doubt that that's because the
author is unaware of these technologies.

~~~
1ba9115454
Blockchains are public databases, so they wouldn't really be a solution for
privacy in this case.
