Last week, the mysterious hacking group The Shadow Brokers dumped a large cache of files allegedly stolen from the NSA. Among the data there were exploits for Windows, as well as alleged documents that showed the NSA had hacked into the networks of a large Dubai-based banking system called EastNets.
In a leaked text file inside a folder related to the apparent NSA hack of the SWIFT service, there's a URL and a string that says "QUANTUM against EASTNETS employee network in Duabi [sic]." The file is titled FATags.txt, with FA likely standing for FoxAcid, an NSA tool. This was presumably an instruction for the operator to know when and how to use QUANTUM.
Given what we know about QUANTUM, an NSA system to attack computers and servers on the internet with various hacking tools, it's possible that the NSA used a QUANTUMINSERT to inject malicious code into that domain, which doesn't exist anymore, to hack whoever visited it. QUANTUMINSERT works by intercepting an internet connection to deliver malware before the victim visits the legitimate website, according to leaked documents from the Edward Snowden cache.
"Judging by the secrecy of the domain, it's likely that it resolved to an exploit server," a former member of the intelligence community who is familiar with cyber operations, told Motherboard. "QUANTUM was likely used to redirect users from that IP to that specific server to be exploited."
That means the NSA got some EastNets employee to visit that URL and hacked him through it.
The leaked code also includes a URL with a tag, a string of seemingly random characters. That was likely used to deliver the exploit, based on previously leaked NSA documents. As Bruce Schneier explained in a blog post, that's how QUANTUM and FoxAcid, a system to match victims with attack tools, work.
"FoxAcid tags are designed to look innocuous, so that anyone who sees them would not be suspicious," Schneier wrote.
EastNets did not respond to a request for comment.
It's possible that the NSA used another technique to break into EastNets' network. But given what we know about QUANTUM, it seems like this is the technique it used, presumably to monitor the payments to terrorist networks.