Reports that the National Security Agency infiltrated bank servers through a Swift service bureau highlight a recurring concern for financial institutions about the unintended consequences of U.S. government snooping.
The leaks that came out late last week from a hacking collective called Shadow Brokers indicate that the NSA exploited vulnerabilities in Microsoft Windows systems to break into servers at EastNets, a Dubai company that provides outsourced Swift connectivity to 260 financial institutions and corporations.
From there, Shadow Brokers’ documents suggest, the NSA was able to access computers used by some Middle Eastern bank members of Swift, the Society for Worldwide Interbank Financial Telecommunication. The NSA’s goal, according to The New York Times, was to track money movements and thereby gain insight into “potential terrorist groups or government officials.”
The most immediate danger for U.S. banks (and any Windows user, for that matter) — that the weaknesses in Microsoft code still exist, rendering every internet-connected computer running Windows open to hacking — has passed. Microsoft said patches for all the vulnerabilities were issued more than a month ago, so any company that is up to date on Windows patching is safe from these.
But the U.S. government’s insistence on using so-called back doors to access financial and customer information remains a concern. The same tools the NSA uses to prop open doors to such information could be used by cybercriminals and nation-states with more sinister motives. And it also raises privacy issues for companies and consumers that don’t want the government watching their every move.
“Governments are constantly going after different networks for espionage and national security purposes,” said John Carlson, chief of staff at the Financial Services Information Sharing and Analysis Center, an industry trade group. “That’s a reality we recognize.”
The FS-ISAC, whose more than 7,000 financial services members share information with each other about cyberthreats, does not have an official position on whether the NSA should be using back doors for this type of monitoring, but Carlson noted the instabilities this kind of activity causes.
“We would want the government to disclose zero days” — a type of vulnerability in software — “so those can be fixed and mitigated,” he said. “There’s been dialogue in the past about governments buying up zero days so they can use them for espionage and national security purposes; that puts information at risk.”
Asked if the FS-ISAC was talking to the NSA about this, Carlson said: “We’re asking for clarification. We haven’t gotten answers.” (The spy agency did not respond to an email from American Banker requesting comment.)
Concerns about back doors came up last year when the FBI wanted Apple to give it a key to unlock all iPhones, ostensibly for the sole purpose of viewing the San Bernardino shooter’s calls. Apple refused, and the government found another way to unlock the phone.
The issue also arose in the financial industry two years ago when a startup software company called Symphony balked at providing regulators with a back door to the instant messages of its Wall Street clients. (They worked out an agreement through which a copy of all messages is kept by a third party.)
Traces of spyware
Shadow Brokers leaked a spreadsheet on Friday that indicates the NSA was able to access, and infect with its spyware, computers run by several bank clients of EastNets, including Qatar First Investment Bank, Tadhamon International Islamic Bank and Noor Islamic Bank.
Later the same day, EastNets issued a statement denying it had been hacked.
“Reports of an alleged hacker-compromised EastNets Service Bureau network are totally false and unfounded,” the company said in its press release. “The EastNets Network internal Security Unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities.”
The firm said its Swift service runs on a separate secure network that cannot be accessed over public networks.
“The photos shown on Twitter, claiming compromised information, are about pages that are outdated and obsolete, generated on a low-level internal server that has been retired since 2013,” EastNets stated. It said it can confirm that no customer data was compromised in any way.
“EastNets continues to guarantee the complete safety and security of its customers’ data with the highest levels of protection from its SWIFT certified Service bureau,” Hazem Mulhim, CEO and founder of EastNets, said in the statement.
The hacking tools that Shadow Brokers said the NSA used to monitor the Middle Eastern banks also appear to be outdated. The group pointed to seven vulnerabilities in Microsoft Windows software that were used to break into servers.
In a blog post early Saturday, Microsoft said those vulnerabilities had all been patched more than a month earlier. (Deviating from its normal practice, Microsoft did not disclose who found the vulnerabilities. This has led to speculation about possible collusion between the NSA and Microsoft.)
Microsoft declined to comment further. EastNets could not line up an executive by deadline.
In a statement provided midday Eastern time Monday, Swift said it has “no evidence to suggest that there has ever been any unauthorised access to our network or messaging services.”
For now, the industry is watching this case closely.
“We’re still trying to understand the impact to the financial sector,” said Carlson at the FS-ISAC.
“We think the potential impact of the disclosures to this sector is relatively low but warrants attention,” Carlson said. “We’ll be paying close attention to this.”
Bankers, he said, should keep their systems up to date in the meantime.
“It’s very important to make sure all their systems are patched and that third-party providers patch their systems as well,” Carlson said. “There may be patches individual firms have not executed.”
He also stressed the importance of having layered defense and redundant systems.
“The biggest buzzword would be persistent vigilance,” Carlson said. “You have to be constantly vigilant about these kinds of threats. Adversaries will be looking to exploit any vulnerability out there and it’s up to firms to be constantly on guard, educating users on the best way to defend the organization. It’s part and parcel of our digital economy.”
Updated April 17, 2017 at 12:47PM: Updated to include a statement provided by Swift.