This Is How the NSA Infiltrated a Huge Banking Network in the Middle East

The NSA hacking tools dumped by The Shadow Brokers show how the spy agency broke into the major Dubai-based EastNets system.

Apr 19 2017, 12:00pm


Last week, the mysterious hacking group The Shadow Brokers dumped a large cache of files allegedly stolen from the NSA. Among the data there were exploits for Windows, as well as alleged documents that showed the NSA had hacked into the networks of a large Dubai-based banking system called EastNets.

The firm vehemently denied any breach, despite the fact that the documents appeared undeniable. Now, researchers have found a hint in the leaked code that appears to show just how the NSA broke in.


In a leaked text file inside a folder related to the apparent NSA hack of the SWIFT service, there's a URL and a string that says "QUANTUM against EASTNETS employee network in Duabi [sic]." The file is titled FATags.txt, with FA likely standing for FoxAcid, an NSA tool. This was presumably an instruction for the operator to know when and how to use QUANTUM.

Given what we know about QUANTUM, an NSA system to attack computers and servers on the internet with various hacking tools, it's possible that the NSA used a QUANTUMINSERT to inject malicious code into that domain (which doesn't exist anymore) to hack whoever visited it. QUANTUMINSERT works by intercepting an internet connection to deliver malware before the victim visits the legitimate website, according to leaked documents from the Edward Snowden cache.

"Judging by the secrecy of the domain, it's likely that it resolved to an exploit server," a former member of the intelligence community who is familiar with cyber operations told Motherboard. "QUANTUM was likely used to redirect users from that IP to that specific server to be exploited."

That means the NSA got some EastNets employee to visit that URL and hacked him through it.

The leaked code also includes a URL with a tag, a string of seemingly random characters. That was likely used to deliver the exploit, based on previously leaked NSA documents. As Bruce Schneier explained in a blog post, that's how QUANTUM and FoxAcid, a system to match victims with attack tools, work.

"FoxAcid tags are designed to look innocuous, so that anyone who sees them would not be suspicious," Schneier wrote.

EastNets did not respond to a request for comment.

It's possible that the NSA used another technique to break into EastNets' network. But given what we know about QUANTUM, it seems like this is the technique it used, presumably to monitor the payments to terrorist networks.
