Microsoft Blames NSA for ‘WannaCry’ Cyber Extortion

Software maker sent patch 2 months ago for flaw used in large-scale ransomware

Homeland Security Adviser Tom Bossert / Getty Images
May 16, 2017 5:00 am


Technology giant Microsoft is blaming the National Security Agency for the cyber extortion that hit hundreds of thousands of computer networks worldwide.

Brad Smith, Microsoft's president and chief legal officer, also stated in a posting Sunday that the company notified customers in March that a security hole used in the global ransomware attack should be patched.

Malicious software called "WannaCry" was distributed early Friday morning. It first disrupted health care networks in Britain and telecommunications networks in Spain before expanding to more than 100 nations.

An expected second wave of ransomware attacks on Monday was less severe than some experts suspected.

Tom Bossert, White House assistant to the president for homeland security and terrorism, said the ransomware infected more than 300,000 computers in 150 nations. "The good news is the infection rates have slowed over the weekend," he told reporters.

The ransomware extortion scheme is one of the largest computer attacks recorded.

The attack involved remote break-ins of computers that scrambled key data inside infected systems, followed by offers from the attacker to unscramble the data if victims pay $300 in Bitcoin, the digital currency.

Three variants of the ransomware have been detected. The initial infections are believed to have come from victims who clicked on a fraudulent Internet link sent by email, a method known as phishing; once inside a network, the malware spread on its own from machine to machine by exploiting the Windows file-sharing flaw described below, which is why unpatched systems were hit so quickly.

The ransomware used in the hack spread with an exploit purportedly developed by NSA, called EternalBlue, that targets a flaw in Windows' Server Message Block (SMB) file-sharing protocol, according to cyber security experts. Microsoft had already issued the patch for that flaw (security bulletin MS17-010) in March, a month before the exploit itself was publicly leaked.

Bossert said the hackers have been paid less than $70,000 by victims so far.

Attacks by WannaCry, also called WannaCrypt, WCry, and Wanna Decryptor, were reported in China, Russia, Taiwan, France, and Japan, according to an FBI notice sent Saturday. The malware's ransom note has been found translated into 27 different languages.

Authorities are investigating who is behind the attacks, but a Russian cyber criminal group is suspected.

Some cyber security investigators think North Korean hackers may have conducted the attack.

"We don't know," Bossert said when asked who conducted the attack. "Attribution can be difficult here. I don't want to say we have no clues."

The FBI said the hacker or hacking group behind the ransomware gained access to servers either by breaking in over Windows' Remote Desktop Protocol (RDP) or by exploiting a critical flaw in Server Message Block (SMB), the Windows file-sharing protocol.

Microsoft issued a security update for the vulnerability on March 14, 2017.
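For an administrator reading this, the practical question is whether a given Windows host still exposes the SMB flaw that EternalBlue targets: is the March 2017 update (MS17-010) installed, is the legacy SMBv1 dialect still enabled, and is TCP port 445 listening? The following PowerShell check is an added example, not code from Microsoft or from the article. It assumes Windows 8 / Server 2012 or later and an elevated session; the KB numbers are the per-operating-system packages listed in Microsoft's MS17-010 bulletin and should be verified against that bulletin for your exact build.

```powershell
# Added check (not from the article): is this host still exposed to the SMB flaw
# that WannaCry's EternalBlue exploit targets?  Assumes Windows 8 / Server 2012
# or later and an elevated PowerShell session.
# KB numbers are the per-OS packages from Microsoft's MS17-010 bulletin (assumed
# complete for the builds listed; verify against the bulletin for your build).
$Ms17010Kbs = @(
    'KB4012598',                # Vista / Server 2008 (and the May 2017 XP / 2003 / 8 packages)
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Exposure {
    # Which of the MS17-010 packages, if any, does Windows report as installed?
    $installed   = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hasMs17010  = @($installed | Where-Object { $Ms17010Kbs -contains $_ }).Count -gt 0

    # SMBv1 is the dialect EternalBlue abuses; turning it off closes the attack
    # path even on a host whose patch state cannot be confirmed.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is anything listening on TCP 445, the port the exploit is delivered to?
    $listening445 = @(Get-NetTCPConnection -LocalPort 445 -State Listen `
                        -ErrorAction SilentlyContinue).Count -gt 0

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Ms17010Present = $hasMs17010
        Smb1Enabled    = $smb1Enabled
        ListeningOn445 = $listening445
        # Caveat: on Windows 10 / Server 2016 the original KB is superseded by
        # later cumulative updates and no longer appears in Get-HotFix, so
        # Ms17010Present = False is not by itself proof of exposure; the SMBv1
        # and port 445 checks are the more durable signal.
        LikelyExposed  = (-not $hasMs17010) -and $smb1Enabled -and $listening445
    }
}

Test-Ms17010Exposure | Format-List

# Remediation for a host that still has SMBv1 on (requires elevation):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it on a host you manage and read all three fields together: a missing KB alone may just mean the update was rolled into a later cumulative package, while SMBv1 enabled on a machine reachable on port 445 from untrusted networks is the combination that let WannaCry move laterally without any user clicking anything.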

"The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States," Smith said. "That theft was publicly reported earlier this year."

An NSA spokeswoman did not respond to emails seeking comment.

Bossert sidestepped questions about the government's use of operating system vulnerabilities, but he said WannaCry involved a "vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government."

"This was not a tool developed by the NSA to hold ransom data," he said. "This was a tool developed by culpable parties, potentially criminals or foreign nation-states, that have put it together in such a way so that they deliver it with phishing emails, put it into embedded documents, and cause infection, encryption, and locking."

The New York Times reported that a group calling itself "Shadow Brokers" began posting software tools online last summer that came from NSA's hacking arsenal. If confirmed, it would be the first time cyber criminals had obtained an NSA cyber tool and used it for criminal purposes.

The U.S. government has been linked to an industrial control system malware called Stuxnet that was used in an operation to attack Iran's nuclear program several years ago. Stuxnet targeted Iran's uranium enrichment centrifuges and caused many to spin out of control and self-destruct.

That malware also is believed to have been captured by hackers.

Smith, the Microsoft chief, was critical of NSA for what he called "stockpiling" computer vulnerabilities for use in spy operations.

Critics have charged the NSA with failing to notify software manufacturers of security vulnerabilities in order to maintain its intelligence-gathering capabilities against foreign computers.

The agency is regarded as having among the world's most advanced cyber intrusion capabilities. Along with other cyber powers such as China and Russia, it operates teams of specialists who identify security flaws that can be used for cyber spying or cyber attacks.

"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," Smith said.

"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage."

Smith said the effect on cyber security of keeping the vulnerabilities secret is tantamount to the physical theft of Tomahawk cruise missiles.

"And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber security threats in the world today—nation-state action and organized criminal action," he said.

The WannaCry attack is a wake-up call on the use of software vulnerabilities by governments, Smith said, adding that he favors creating an international "Digital Geneva Convention" to regulate the use of software vulnerabilities.

"We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits," he said.

Cyber security expert James A. Lewis doubts international rules can be created for cyber spying.

"We can have a long debate over whether intelligence agencies should play nice in cyberspace," said Lewis, with the Center for Strategic and International Studies.

"This is not going to happen for a long time, if ever. Eventually, constraints on cyber espionage may be necessary, but these would only work if everyone observed them, and there is reasonable doubt that China and Russia would go along."

Bossert, the White House homeland security adviser, defended the government's handling of known security vulnerabilities.

"I actually think that the United States more than probably any other country is extremely careful with their processes about how they handle any vulnerabilities that they're aware of," he said. "That's something that we do when we know of the vulnerability, not when we know we lost the vulnerability."

Smith said Microsoft released a security update to the Windows operating system to patch the vulnerability on March 14.

"While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally," he said. "As a result, hospitals, businesses, governments, and computers at homes were affected."

Microsoft agreed to help patch older systems, such as Windows XP, that the company had stopped supporting with security updates in an apparent bid to prompt customers to purchase newer Microsoft operating systems.

"We take every single cyber attack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident," Smith said.

The ransomware attack highlighted the widespread use of pirated Microsoft software around the world, including in China and Russia. The illegal software cannot be easily updated.

Smith said the fact that so many computers were hit with the attacks two months after the release of a security patch shows that increasing cyber security is the responsibility of both tech companies and customers.

"As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems," he stated. "Otherwise they’re literally fighting the problems of the present with tools from the past."
