US-developed rogue cyber weapon returns to haunt Americans

NSA-made tool used to target US cities, paralysing local govts

A notice on Baltimore city workers' computers in the ransomware attack, which has disrupted real estate sales, health alerts and other services.
A notice on Baltimore city workers' computers in the ransomware attack, which has disrupted real estate sales, health alerts and other services.PHOTO: NYTIMES

NEW YORK • For nearly three weeks, Baltimore has struggled with a cyber attack by digital extortionists that has frozen thousands of computers, shut down e-mail and disrupted real estate sales, water bills, health alerts and many other services.

But here is what frustrated city employees and residents do not know: A key component of the malware used in the attack was developed, at taxpayers' expense, a short drive down the Baltimore-Washington Parkway at the National Security Agency (NSA), according to security experts briefed on the case.

Since 2017, when the NSA lost control of the tool, called EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world, leaving in its wake billions of dollars in damage.

But over the past year, the cyber weapon has boomeranged back and is now showing up in the NSA's own backyard.

Security experts say EternalBlue attacks have reached a high and cyber criminals are zeroing in on vulnerable American towns and cities from Pennsylvania to Texas, paralysing local governments and driving up costs.

The NSA connection to the attacks on cities in the United States has not been previously reported. This is in part because the agency has refused to discuss or even acknowledge the loss of its cyber weapon, dumped online in April 2017 by a still-unidentified group calling itself the Shadow Brokers. The NSA and the Federal Bureau of Investigation (FBI) still do not know whether the Shadow Brokers are foreign spies or disgruntled insiders.

Mr Thomas Rid, a cyber-security expert at Johns Hopkins University, called the Shadow Brokers episode "the most destructive and costly NSA breach in history", more damaging than the better-known leak in 2013 by former NSA contractor Edward Snowden.

"The government has refused to take responsibility, or even to answer the most basic questions," Mr Rid said. "Congressional oversight appears to be failing. The American people deserve an answer."


We expect EternalBlue will be used almost forever, because if attackers find a system that isn't patched, it is so useful.

MS JEN MILLER-OSBORN, deputy director of threat intelligence at Palo Alto Networks.

The NSA and FBI declined to comment.

Since the leak, foreign intelligence agencies and rogue actors have used EternalBlue to spread malware that has paralysed hospitals, airports, rail and shipping operators, ATMs and factories that produce critical vaccines.

Now, the tool is hitting the US where it is most vulnerable, in local governments with ageing digital infrastructure and few resources to defend themselves.

Before it leaked, EternalBlue was one of the most useful exploits in the NSA's cyber arsenal. According to three former NSA operators who spoke on condition of anonymity, analysts spent almost a year finding a flaw in Microsoft's software and writing the code to target it.

EternalBlue was so valuable, former NSA employees said, that the agency never seriously considered alerting Microsoft about the vulnerabilities. It held on to the information for more than five years before the breach forced its hand.

Microsoft has since released a patch, but hundreds of thousands of computers worldwide remain unprotected.

The Baltimore attack on May 7 was a classic ransomware assault. City workers' computer screens suddenly locked, and a message in flawed English demanded about US$100,000 (S$137,600) in bitcoin to free their files.

"We've watching you for days," said the message, obtained by The Baltimore Sun. "We won't talk more, all we know is MONEY! Hurry up!"

Baltimore remains handicapped as city officials refuse to pay, though workarounds have restored some services.

North Korea was the first nation to co-opt the tool for an attack in 2017 - called WannaCry - that paralysed the British healthcare system, German railroads and some 200,000 organisations around the world.

Next was Russia, which used the weapon in an attack - called NotPetya - that was aimed at Ukraine but spread across major companies doing business in the country. The assault cost FedEx more than US$400 million and pharmaceutical giant Merck US$670 million.

Said Mr Vikram Thakur, Symantec's director of security response: "It's incredible that a tool which was used by intelligence services is now publicly available and so widely used."

In the past week, researchers at security firm Palo Alto Networks discovered that a Chinese state group, Emissary Panda, had hacked into Middle Eastern governments using EternalBlue.

Ms Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks, said: "You can't hope that once the initial wave of attacks is over, it will go away.

"We expect EternalBlue will be used almost forever, because if attackers find a system that isn't patched, it is so useful."


A version of this article appeared in the print edition of The Straits Times on May 27, 2019, with the headline 'US-developed rogue cyber weapon returns to haunt Americans'. Print Edition | Subscribe