President Donald Trump’s homeland security adviser has a message to those blaming US intelligence agencies for the cyberattack encircling the globe: Don’t point a finger at the National Security Agency. Blame the hackers. Since Friday, malware has infected an estimated 300,000 computers in 150 countries. Users’ files at hospitals, companies and government agencies have been held for ransom. Cybersecurity experts say the unknown hackers used a hole in Microsoft software that was discovered by the National Security Agency. The hole was exposed when NSA documents were leaked online.
Brad Smith, general counsel and executive vice president of Microsoft, laid some of the blame with the US government, criticising US intelligence agencies for “stockpiling” software code that can be used by hackers. “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability, stolen from the NSA, has affected customers around the world,” he said.
Tom Bossert, Trump’s assistant for homeland security and counterterrorism, defended the NSA, the lead US signals intelligence agency. “This was not a tool developed by the NSA to hold ransom data,” Bossert told reporters yesterday. “This was a tool developed by culpable parties potentially criminals or foreign nation-states.”
Perpetrators put the malware together in a way to deliver it with phishing e-mails, put it into embedded documents and caused infection, encryption and locking, he said.
Cyber experts are telling government officials that the malware was built with parts and codes cobbled together from different places, a US official said.
The official was not authorised to publicly discuss the investigation and spoke only on condition of anonymity.
Cyber experts say the tools were stolen from the Equation Group, a powerful squad of hackers which some have ties to the NSA. The tools materialised as part of an internet electronic auction set up by a group calling itself “Shadow Brokers,” which promised to leak more data into the public.
“I haven’t found an analyst who doesn’t say it doesn’t come from the NSA cache,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.
“Think of it like a master key,” Lewis said. “NSA identified a vulnerability in a Microsoft software that the Shadow Brokers, then released so anybody could use it.”
The Shadow Brokers “shared that vulnerability with the world and then these criminals took advantage of it,” he said.
V Miller Newton, president of PKWARE, a data protection and encryption company based in Milwaukee, Wisconsin, said leaks of purported NSA hacking tools have been coming out in dribs and drabs since August. “Criminals or terrorists are going to try to leverage these exploits,” he said. “How damaging could it be? Extremely.”
“The tools are useful and they are in the hands of criminals today,” Newton said. “Holy cow! The government can’t protect itself from insiders?”
The Department of Homeland Security is leading the investigation in the United States. American officials are working closely with their British counterparts.
Analysts at the Cyber Threat Intelligence Integration Center worked throughout the weekend to keep American officials informed about classified aspects of the investigation. “Attribution can be difficult here,” Bossert said. But he added: “I don’t want to say we have no clues.”
“While it would be satisfying to hold accountable those responsible for this hack something that we are working on quite seriously the worm is in the wild, so to speak at this point, and patching is the most important message as a result,” he said.
“Despite appearing to be criminal activity intended to raise money, it appears that less than $70,000 has been paid in ransoms and we are not aware of payments that have led to any data recovery.”
Neither the FBI nor NSA would comment today.
If Americans follow the patching information issued by the FBI, Microsoft and the Homeland Security Department, they will be protected from the malware and the variants, Bossert said.
Some US companies, including FedEx, were affected. No federal systems have been victimised thus far, Bossert said.
Virginia Senator Mark Warner, the Senate intelligence committee’s top Democrat, wrote Homeland Security Secretary John Kelly and White House budget director Mick Mulvaney yesterday asking what steps the federal government has taken to ensure federal agencies and government contractors have installed critical security updates to defend against the attack.
A Government Accountability Office report in May 2016 said federal agencies consistently failed to apply security patches in a timely matter and sometimes didn’t make them for years after a patch had been available, Warner said.
The office, he said, also identified cases where agencies were using software no longer supported by its vendors.