Hackers use stolen NSA tool to wreak havoc in US cities

The News Tribune - Front Page - By Nicole Perlroth and Scott Shane, New York Times

For nearly three weeks, Baltimore has struggled with a cyberattack by digital extortionists that has frozen thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services.

But here is what frustrated city employees and residents do not know: A key component of the malware that cybercriminals used in the attack was developed at taxpayer expense a short drive down the Baltimore-Washington Parkway at the National Security Agency, according to security experts briefed on the case.

Since 2017, when the NSA lost control of the tool, EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world, leaving billions of dollars in damage. But over the past year, the cyberweapon has boomeranged back and is now showing up in the NSA's own backyard.

It is not just in Baltimore. Security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American towns and cities, from Pennsylvania to Texas, paralyzing local governments and driving up costs.

The NSA connection to the attacks on U.S. cities has not been previously reported, in part because the agency has refused to discuss or even acknowledge the loss of its cyberweapon, dumped online in April 2017 by a still-unidentified group calling itself the Shadow Brokers. Years later, the agency and the FBI still do not know whether the Shadow Brokers are foreign spies or disgruntled insiders.

Thomas Rid, a cybersecurity expert at Johns Hopkins University, called the Shadow Brokers episode "the most destructive and costly NSA breach in history," more damaging than the better-known leak in 2013 from Edward Snowden, the former NSA contractor.

"The government has refused to take responsibility, or even to answer the most basic questions," Rid said. "Congressional oversight appears to be failing. The American people deserve an answer."

The NSA and FBI declined to comment.

Since that leak, foreign intelligence agencies and rogue actors have used EternalBlue to spread malware that has paralyzed hospitals, airports, rail and shipping operators, ATMs and factories that produce critical vaccines. Now the tool is hitting the United States where it is most vulnerable, in local governments with aging digital infrastructure and fewer resources to defend themselves.

Before it leaked, EternalBlue was one of the most useful exploits in the NSA's cyberarsenal. According to three former NSA operators who spoke on the condition of anonymity, analysts spent almost a year finding a flaw in Microsoft's software and writing the code to target it. Initially, they referred to it as EternalBluescreen because it often crashed computers – a risk that could tip off their targets. But it went on to become a reliable tool used in countless intelligence-gathering and counterterrorism missions.

EternalBlue was so valuable, former NSA employees said, that the agency never seriously considered alerting Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand.

North Korea was the first nation to co-opt the tool, for an attack in 2017 – called WannaCry – that paralyzed the British health care system, German railroads and some 200,000 organizations around the world. Next was Russia, which used the weapon in an attack – called NotPetya – that was aimed at Ukraine but spread across major companies doing business in the country. The assault cost FedEx more than $400 million and Merck, the pharmaceutical giant, $670 million.

The damage didn't stop there. In the past year, the same Russian hackers who targeted the 2016 U.S. presidential election used EternalBlue to compromise hotel Wi-Fi networks. Iranian hackers have used it to spread ransomware and hack airlines in the Middle East, according to researchers at the security firms Symantec and FireEye.

"It's incredible that a tool which was used by intelligence services is now publicly available and so widely used," said Vikram Thakur, Symantec's director of security response.

One month before the Shadow Brokers began dumping the agency's tools online in 2017, the NSA – aware of the breach – reached out to Microsoft and other tech companies to inform them of their software flaws. Microsoft released a patch, but hundreds of thousands of computers worldwide remain unprotected.

Hackers seem to have found a sweet spot in Baltimore, Allentown, Pennsylvania, San Antonio and other local U.S. governments, where public employees oversee tangled networks that often use out-of-date software. In July, the Department of Homeland Security issued a dire warning that state and local governments were getting hit by particularly destructive malware that now, security researchers say, has started relying on EternalBlue to spread.

The costs can be hard for local governments to bear. The Allentown attack, in February 2018, disrupted city services for weeks and cost about $1 million to remedy – plus another $420,000 a year for new defenses, said Matthew Leibert, the city's chief information officer.

He described the package of dangerous computer code that hit Allentown as "commodity malware," sold on the dark web and used by criminals who don't have specific targets in mind. "There are warehouses of kids overseas firing off phishing emails," Leibert said, like thugs shooting military-grade weapons at random targets.

This past week, researchers at the security firm Palo Alto Networks discovered that a Chinese state group, Emissary Panda, had hacked into Middle Eastern governments using EternalBlue.

"You can't hope that once the initial wave of attacks is over, it will go away," said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks. "We expect EternalBlue will be used almost forever, because if attackers find a system that isn't patched, it is so useful."


Microsoft employees review malware data at the company's offices in Redmond, Wash., in November. EternalBlue, the malware cybercriminals have used in ransom attacks, was developed at taxpayer expense at the National Security Agency, according to security experts briefed on the case.
