NSA 'EternalBlue' tool facilitates cyberattacks worldwide including U.S.

Many of the targets in the US have been local governments, such as Baltimore and San Antonio, where public employees often oversee networks using outdated software.

MAY 26, 2019 10:08

National Security Agency (NSA) headquarters building in Fort Meade, Maryland (photo credit: NSA/HANDOUT VIA REUTERS) — National Security Agency (NSA) headquarters building in Fort Meade, Maryland

(photo credit: NSA/HANDOUT VIA REUTERS)

A series of cyberattacks throughout the world, including attacks targeting US municipalities, have been facilitated by a hacking tool known as “EternalBlue” which was formerly used by the National Security Agency (NSA), according to The New York Times.

EternalBlue was, at one time, one of the NSA’s most valuable and useful tools. Former NSA operators told The New York Times that analysts spent almost a year developing the tool to target a flaw in Microsoft’s software. The tool was used in countless intelligence-gathering and counter-terrorism missions.

Due to the usefulness of EternalBlue, the NSA didn’t seriously consider alerting Microsoft about the vulnerability until a breach gave them no choice.

EternalBlue was stolen by a group called the “Shadow Brokers” in 2016 and then released online in April 2017, according to welivesecurity. The Shadow Brokers have released many of the NSA’s most valuable and top secret tools to hackers worldwide.

To this day, it is still unknown who is behind the Shadow Brokers. It’s not even known if they hacked the NSA, if it was insider’s leak or both.

The arsenal of hacking tools that the Shadow Brokers acquired included tools to steal documents, subtly change data or become the launching pad for an attack, such as an infamous attack against Iran which caused centrifuges enriching uranium at the Natanz nuclear plant to self-destruct.

The Shadow Brokers incident is “the most destructive and costly NSA breach in history,” Thomas Rid, a cybersecurity expert at John Hopkins University told The New York Times.

The tools stolen by Shadow Brokers have already been used to attack millions of computers with ransomware demanding payments in digital currency in order to have access restored. The attacks have targeted FedEx, Mondelez International, and hospitals in Pennsylvania, Britain and Indonesia, among other thousands of other targets, according to the New York Times.

The tool was used by North Korea for the widespread WannaCry attack in 2017, which targeted the British health care system, German railroads and about 200,000 organizations worldwide. It was also used by Russia in the NotPetya attack, which targeted Ukraine but spread to major companies doing business in the country as well.

.@NSAGov kept open the hole (#ETERNALBLUE) hit by today's #Petya/#NotPetya ransomware attack–for more than 5 years. https://t.co/mAeIeCGiyY pic.twitter.com/coK1kd2MIv
— Edward Snowden (@Snowden) June 27, 2017

On May 7, EternalBlue was used to attack Baltimore city workers with ransomware, demanding about $100,000 in Bitcoin in order to regain access. City officials refuse to pay and many Baltimore city services are still disabled.

Many of the targets in the US have been local governments, such as Baltimore and San Antonio, where public employees often oversee networks using outdated software. In July, the Department of Homeland Security warned that local and state governments were being hit by destructive malware which has begun relying on the EternalBlue tool to spread.

The hack can be prevented with a software patch provided by Microsoft, but almost a million computers remain vulnerable, according to welivesecurity.

Scott Shane is right, and both can be true: each post-patch victim should have patched long ago—and the NSA should never have lost control of its big bad box of exploits. And what was the bigger mistake? https://t.co/8OduGsbprB
— Thomas Rid (@RidT) May 25, 2019

Security responders have reported seeing EternalBlue show up in attacks almost every day at this point.

In the past week, researchers at the Palo Alto Networks security firm found that a Chinese state group had hacked Middle Eastern governments with the EternalBlue tool.

“We expect EternalBlue will be used almost forever, because if attackers find a system that isn’t patched, it is so useful,” said Jen Miller-Osborn, a deputy director of threat intelligence at Palo Alto Networks, according to The New York Times.

Microsoft’s president, Brad Smith, has called for a “Digital Geneva Convention” for cyberspace. This would include a pledge by governments to report vulnerabilities to vendors instead of keeping them secret in order to use them for attacks or espionage.

Maryland Sen. Chris Van Hollen and Rep. C. A. "Dutch" Ruppersberger – whose district includes some of Baltimore – have both requested briefings from the NSA, according to The Baltimore Sun.

“We must ensure that the tools developed by our agencies do not make their way into the hands of bad actors,” Van Hollen told The Baltimore Sun.

Baltimore City Council President Brandon Scott insisted that the federal government should help with the situation, saying, “Given the new information and circumstances it’s even more clear that the federal government needs to have a larger role in supporting the City’s recovery, including federal reimbursement for damages.”

“The fact that the root technology that enabled this attack came from our own federal government, just miles away, only adds insult to injury,” added Scott.

The NSA and FBI have refused to comment on the EternalBlue breach, according to The New York Times.