Hackers use stolen NSA tool to wreak havoc in US cities
For nearly three weeks, Baltimore has struggled with a cyberattack by digital extortionists that has frozen thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services.
But here is what frustrated city employees and residents do not know: A key component of the malware that cybercriminals used in the attack was developed at taxpayer expense a short drive down the Baltimore-Washington Parkway at the National Security Agency, according to security experts briefed on the case.
Since 2017, when the NSA lost control of the tool, EternalBlue,
IT’S INCREDIBLE THAT A TOOL WHICH WAS USED BY INTELLIGENCE SERVICES IS NOW PUBLICLY AVAILABLE AND SO WIDELY USED.
Vikram Thakur, Symantec’s director of security response
it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world, leaving billions of dollars in damage. But over the past year, the cyberweapon has boomeranged back and is now showing up in the NSA’s own backyard.
It is not just in Baltimore. Security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American towns and cities, from Pennsylvania to Texas, paralyzing local governments and driving up costs.
The NSA connection to the attacks on U.S. cities has not been previously reported, in part because the agency has refused to discuss or even acknowledge the loss of its cyberweapon, dumped online in April 2017 by a still-unidentified group calling itself the Shadow Brokers. Years later, the agency and the FBI still do not know whether the Shadow Brokers are foreign spies or disgruntled insiders.
Thomas Rid, a cybersecurity
expert at Johns Hopkins University, called the Shadow Brokers episode “the most destructive and costly NSA breach in history,” more damaging than the better-known leak in 2013 from Edward Snowden, the former NSA contractor.
“The government has refused to take responsibility, or even to answer the most basic questions,” Rid said. “Congressional oversight appears to be failing. The American people deserve an answer.”
The NSA and FBI declined to comment.
Since that leak, foreign intelligence agencies and rogue actors have used EternalBlue to spread malware that has paralyzed hospitals, airports, rail and shipping operators, ATMs and factories that produce critical vaccines. Now the tool is hitting the United States where it is most vulnerable, in local governments with aging digital infrastructure and fewer resources to defend themselves.
Before it leaked, EternalBlue was one of the most useful exploits in the NSA’s cyberarsenal. According to three former NSA operators who spoke on the condition of anonymity, analysts spent almost a year finding a flaw in Microsoft’s software and writing the code to target it. Initially, they referred to it as Eternal-Bluescreen because it often crashed computers – a risk that could tip off their targets. But it went on to become a reliable tool used in countless intelligencegathering and counterterrorism missions.
EternalBlue was so valuable, former NSA employees said, that the agency never seriously considered alerting Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand.
North Korea was the first nation to co-opt the tool, for an attack in 2017 – called WannaCry – that paralyzed the British health care system, German railroads and some 200,000 organizations around the world. Next was Russia, which used the weapon in an attack – called NotPetya – that was aimed at Ukraine but spread across major companies doing business in the country. The assault cost FedEx more than $400 million and Merck, the pharmaceutical giant, $670 million.
The damage didn’t stop there. In the past year, the same Russian hackers who targeted the 2016 U.S. presidential election used EternalBlue to compromise hotel Wi-Fi networks. Iranian hackers have used it to spread ransomware and hack airlines in the Middle East, according to researchers at the security firms Symantec and FireEye.
“It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used,” said Vikram Thakur, Symantec’s director of security response.
One month before the Shadow Brokers began dumping the agency’s tools online in 2017, the NSA – aware of the breach – reached out to Microsoft and other tech companies to inform them of their software flaws. Microsoft released a patch, but hundreds of thousands of computers worldwide remain unprotected.
Hackers seem to have found a sweet spot in Baltimore, Allentown, Pennsylvania, San Antonio and other local U.S. governments, where public employees oversee tangled networks that often use out-of-date software. In July, the Department of Homeland Security issued a dire warning that state and local governments were getting hit by particularly destructive malware that now, security researchers say, has started relying on EternalBlue to spread.
The costs can be hard for local governments to bear. The Allentown attack, in February 2018, disrupted city services for weeks and cost about $1 million to remedy – plus another $420,000 a year for new defenses, said Matthew Leibert, the city’s chief information officer.
He described the package of dangerous computer code that hit Allentown as “commodity malware,” sold on the dark web and used by criminals who don’t have specific targets in mind. “There are warehouses of kids overseas firing off phishing emails,” Leibert said, like thugs shooting military-grade weapons at random targets.
This past week, researchers at the security firm Palo Alto Networks discovered that a Chinese state group, Emissary Panda, had hacked into Middle Eastern governments using EternalBlue.
“You can’t hope that once the initial wave of attacks is over, it will go away,” said Jen MillerOsborn, deputy director of threat intelligence at Palo Alto Networks. “We expect EternalBlue will be used almost forever, because if attackers find a system that isn’t patched, it is so useful.”
Microsoft employees review malware data at the company’s offices in Redmond, Wash., in November. EternalBlue, the malware cybercriminals have used in ransom attacks, was developed at taxpayer expense at the National Security Agency, according to security experts briefed on the case.