Hackers Use NSA Code to Grind Baltimore to a Halt, Pass Code on to Russia, China
The United States is no longer supplying its enemies only with conventional weapons – that list now also includes cyberweapons. While Baltimore has been struggling with an aggressive cyber-attack over the last three weeks, previously profiled here, it has now been revealed that a key component of the malware used by cyber-criminals was actually developed just a short drive from Baltimore – at the NSA, according to the New York Times.
The tool used – called EternalBlue – has been used by hackers in North Korea, Russia and China to “cut a path of destruction around the world”, and resulted in billions of dollars in damages.
Now, it has come full circle and is back in the US, wreaking havoc just miles from Washington. In fact, security experts say that attacks using EternalBlue have soared and cyber-criminals are homing in on vulnerable towns and cities, using it to paralyze governments. The NSA’s connection to the attacks had previously not been reported and the NSA hasn’t commented about it since an unidentified group leaked the weapon online in April 2017.
The NSA and the FBI still don’t know whether or not it was leaked by foreign spies or US insiders.
The leak has been referred to as “the most destructive and costly N.S.A. breach in history,” by Thomas Rid, a cybersecurity expert at Johns Hopkins University. He continued: “The government has refused to take responsibility, or even to answer the most basic questions. Congressional oversight appears to be failing. The American people deserve an answer.”
An answer that we’re sure they won’t get.
Commenting on the leak in April 2017, Edward Snowden said that the “NSA just lost control of its Top Secret arsenal of digital weapons; hackers leaked it.”
— Edward Snowden (@Snowden) April 8, 2017
Since the April 2017 leak, foreign intelligence agencies and hackers have used the software to paralyze places like hospitals, airports, rail and shipping operators, ATMs and factories. In the United States, hackers are using the software to hit local governments with outdated infrastructure and few resources to defend themselves.
The software used to be one of the most useful exploits in the NSA’s arsenal. Former NSA analysts spent almost a year finding a flaw in Microsoft’s software and writing the code to target it. The tool was initially called “EternalBlueScreen” because it had a penchant for crashing computers. In fact, it was so valuable that the agency never even alerted Microsoft to the security flaw and instead held on to the tool for five years before the breach in 2017 forced it to talk about it.
In the May 7 Baltimore attack, city workers’ screens suddenly locked up, with a message in broken English demanding $100,000 in Bitcoin ransom. And, as Baltimore has not yet paid the ransom, the city’s computers remain handicapped. Without the former NSA tool, the damage wouldn’t have been as bad.
North Korea was the first to allegedly use the tool in 2017 when they attacked the British healthcare system, German railroads and 200,000 additional organizations around the world. Then, Russia reportedly used the tool on Ukraine and companies that did business in the country. The assault cost FedEx more than $400 million and Merck $670 million. Over the past year, Russian hackers have also used it to compromise hotel Wi-Fi networks, while Iranian hackers have used it to hack airlines in the Middle East. Of course, there is no evidence that any of these actors were behind the reported hacks.
Vikram Thakur, Symantec’s director of security response, said: “It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used.”
When the tool was leaked in 2017, the NSA finally reached out to Microsoft, which developed a patch – but by then, it was too late and many systems still remained unprotected.
Meanwhile, hackers continue to target areas like Baltimore, San Antonio and Allentown, Pennsylvania – governments that use out-of-date software. This prompted the Department of Homeland Security last July to issue a warning about the software, urging municipalities to update their infrastructure.
The Allentown attack cost about $1 million to fix, in addition to $420,000 per year in new spending. Matthew Leibert, the city’s chief information officer, called the attack “commodity malware” and said: “There are warehouses of kids overseas firing off phishing emails, like thugs shooting military-grade weapons at random targets.”
San Antonio was also hit with an attack last September when a computer inside the sheriff’s office tried to spread EternalBlue across the government’s network. And now, researchers at Palo Alto Networks discovered just last week that a Chinese state group had hacked into Middle Eastern governments using the tool.
Jen Miller-Osborn, a deputy director of threat intelligence at Palo Alto Networks, said: “You can’t hope that once the initial wave of attacks is over, it will go away. We expect EternalBlue will be used almost forever, because if attackers find a system that isn’t patched, it is so useful.”
Until about a decade ago, these tools belonged to the NSA only. In fact, they had coined the term “NOBUS”, which stood for “nobody but us” – meaning the NSA thought the vulnerabilities were theirs alone to exploit. But that advantage wore off due to the leaks and because anyone can grab the code to a cyber-weapon once it’s posted online.
FBI and Homeland Security officials told the New York Times that more accountability at the NSA was needed. A former FBI official said that the leak was akin to the government failing to lock up “a warehouse of automatic weapons”.
Unfortunately, there doesn’t seem to be accountability at the NSA. Adm. Michael S. Rogers, who was director of the N.S.A. during the leak, said: “If Toyota makes pickup trucks and someone takes a pickup truck, welds an explosive device onto the front, crashes it through a perimeter and into a crowd of people, is that Toyota’s responsibility? The N.S.A. wrote an exploit that was never designed to do what was done.”
Microsoft views the situation very differently. Tom Burt, the corporate vice president of consumer trust, said: “I disagree completely. These exploits are developed and kept secret by governments for the express purpose of using them as weapons or espionage tools. They’re inherently dangerous. When someone takes that, they’re not strapping a bomb to it. It’s already a bomb.”