For eight months, the hacker group known as Shadow Brokers has trickled out an intermittent drip of highly classified NSA data. Now, just when it seemed like that trove of secrets might be exhausted, the group has spilled a new batch. The latest dump appears to show that the NSA has penetrated deep into the finance infrastructure of the Middle East—a revelation that could create new scandals for the world’s most well-resourced spy agency.

Friday morning, the Shadow Brokers published documents that—if legitimate—show just how thoroughly US intelligence has compromised elements of the global banking system. The new leak includes evidence that the NSA hacked into EastNets, a Dubai-based firm that oversees payments in the global SWIFT transaction system for dozens of client banks and other firms, particularly in the Middle East. The leak includes detailed lists of hacked or potentially targeted computers, including those belonging to firms in Qatar, Dubai, Abu Dhabi, Syria, Yemen, and the Palestinian territories. Also included in the data dump, as in previous Shadow Brokers releases, are a load of fresh hacking tools, this time targeting a slew of Windows versions.

"Oh you thought that was it?" the hacker group wrote in a typically grammar-challenged statement accompanying their leak. There was speculation prior to this morning's release that the group had finally published its full set of stolen documents, after a seemingly failed attempt to auction them for bitcoins. "Too bad nobody deciding to be paying theshadowbrokers for just to shutup and going away."

SWIFT Action

The transaction protocol SWIFT has been increasingly targeted by hackers seeking to redirect millions of dollars from banks around the world, with recent efforts in India, Ecuador, and Bangladesh. Security researchers have even pointed to clues that a $81 million Bangladesh bank theft via SWIFT may have been the work of the North Korean government. But the Shadow Brokers' latest leak offers new evidence that the NSA has also compromised SWIFT, albeit most likely for silent espionage rather than wholesale larceny.

EastNets has denied that it was hacked, writing on its Twitter account that there's "no credibility to the online claim of a compromise of EastNets customer information on its SWIFT service bureau." But the Shadow Brokers' leak seems to suggest otherwise: One spreadsheet in the release, for instance, lists computers by IP address, along with corresponding firms in the finance industry and beyond, including the Qatar First Investment Bank, Arab Petroleum Investments Corporation Bahrain, Dubai Gold and Commodities Exchange, Tadhamon International Islamic Bank, Noor Islamic Bank, Kuwait Petroleum Company, Qatar Telecom and others. A "legend" at the top of the spreadsheet notes that the 16 highlighted IP addresses mean, "box has been implanted and we are collecting." That NSA jargon translates to a computer being successfully infected with its spyware.1

Those IP addresses don't actually correspond to the client's computers, says Dubai-based security researcher Matt Suiche, but rather to computers servicing those clients at EastNets, which is one of 120 "service bureaus" that form a portion of the SWIFT network and make transactions on behalf of customers. "This is the equivalent of hacking all the banks in the region without having to hack them individually," says Suiche, founder of UAE-based incident response and forensics startup Comae Technologies. "You have access to all their transactions."

Blowback

While the Shadow Brokers' releases have already included NSA exploits, today's leak is the first indication of targets of that sophisticated hacking in the global banking system. Unlike previous known hacks of the SWIFT financial network, nothing in the leaked documents suggests that the NSA used its access to EastNets' SWIFT systems to actual alter transactions or steal funds. Instead, stealthily tracking the transactions within that network may have given the agency visibility into money flows in the region—including to potential terrorist, extremist, or insurgent groups.

If that sort of finance-focused espionage was in fact the NSA's goal, it would hardly deviate from the agency's core mission. But Suiche points out that confirmation of the operation would nonetheless lead to blowback for the NSA and the US government—particularly given that many of the listed targets are in US-friendly countries like Dubai and Qatar. "A big shitstorm is to come," says Suiche. "You can expect the leadership of key organizations like banks and governments are going to be quite irritated, and they’re going to react."

Beyond EastNets alone, Suiche points to references in the files to targeting the Panama-based firm Business Computer Group or BCG, although it's not clear if the firm was actually compromised. Beyond its Twitter statement, EastNets didn't respond to WIRED's request for comment. WIRED also reached out to BCG and the NSA, but didn't get a response.

Windows to the World

SWIFT aside, the leak also contains a cornucopia of NSA hacking tools or "exploits," including what appear to be previously secret techniques for hacking PCs and servers running Windows. Matthew Hickey, the founder of the security firm Hacker House, analyzed the collection and believes there are more than 20 distinct exploits in the leak, about 15 of which are included in an automated hacking "framework" tool called FuzzBunch.

This is as big as it gets. Matthew Hickey, Hacker House

The attacks seem to target every recent version of Windows other than Windows 10, and several allow a remote hacker to gain the full ability to run their own code on a target machine. "There are exploits here that are quite likely zero days that will let you hack into any number of servers on the internet," says Hickey. "This is as big as it gets. It’s internet God mode."

In a statement to WIRED, however, a Microsoft spokesperson wrote that the company had previously patched all the vulnerabilities in Windows that the hacking tools exploited. "We've investigated and confirmed that the exploits disclosed by the Shadow Brokers have already been addressed by previous updates to our supported products," the statement reads. In a blog post, the company clarified that several of the exploits do still work, but only on versions of Windows prior to Windows 7.2

But the Shadow Brokers hinted in their release that they're not done creating trouble for the NSA yet. "Maybe if all suviving [sic] WWIII theshadowbrokers be seeing you next week," the group's message concludes. "Who knows what we having next time?"

1Updated 4/14/2017 12:15 EST to include comments from EastNets.

2Updated 4/15/2017 3:50 EST to include a response from Microsoft.