The Daily Podcast is a news briefing, supported by the New York Times, released Monday through Friday on Spotify and various podcast apps. On Tuesday June 4th, The Daily covered the ransomware attack on Baltimore and provided new information from the security contractors hired by the city to investigate. While there are some contradictory opinions from state diplomats as to how the attack occurred, the reporting done by the folks at The Daily is an interesting followup to our own story on the event.
The four contractors hired by the city to investigate believe the attack came through an unpatched vulnerability in Windows that the NSA discovered 8 or 9 years ago, and named “EternalBlue.” When the NSA discovered this vulnerability, they did not tell Microsoft. We can speculate they did so in order to keep the security hole open for defensive international espionage. We can also speculate that Eternal Blue was their go-to tool to collect intelligence on terrorist organizations.
The NSA was able to keep this vulnerability secret until 2017 when a group called the Shadow Brokers (an unknown foreign organization) popped up on the Internet announcing they had a ton of the NSA’s hacking tools for sale. Purchasers weren’t biting, so in April of 2017 Shadow Brokers decided to dump all of these hacking tools onto the Internet, creating one of the largest leaks of dangerous internet tools we’ve ever seen. Among the cybersecurity weapons leaked was EternalBlue. About a month before Shadow Brokers released the tools, the NSA apparently contacted Microsoft and finally let them know about EternalBlue. Microsoft released the patch, but as we know, not every organization and institution has the staff in place to install patches immediately.
On a Friday in May of 2017, the WannaCry virus broke out, infecting all types of industries across the world. North Korean intelligence came out as the instigator of the attack, and EternalBlue was the tool used to execute. Later in 2017, malware called Petya also hit companies with ransomware, which was traced back to Russian intelligence. EternalBlue was also utilized in this attack. Now, in a twist of painful irony, the latest attack using EternalBlue turned up in the NSA’s own backyard.
On the morning of May 7th, the city of Baltimore was attacked with ransomware by a criminal operation known as Robbinhood. On that morning at the Department of Public Works, employees attempting to login to their computers received this message: “We’ve watching you for days. We won’t talk more. All we know is money. Hurry up. Tick tack tick tack tick tack.” As this message spread to computer screens all over the city, many functions of city government became paralyzed. The month following the attack has been a struggle for the city. Employees are still having to work 12 hours shifts to conduct business via phone and in person. The Daily reported the attack was like “pouring molasses into the processes of city government.”
Even though this is going on in a city where many NSA employees live, the organization has remained silent. In fact, they didn’t say anything when the Shadow Brokers leaked their tools in 2017. This is par for the course for a secretive branch of the government, but at some point you have to wonder, is the NSA using classification as away to avoid responsibility for their part in these disasters?
It’s been a month since the attack and the mayor of Baltimore has decided not to pay the 100 thousand dollar ransom. Cybersecurity experts were brought in to access the damage and work through how to get the city up and running again. It’s been said that some city employees now have access to their email. At a hearing last week, city budget officials estimated the cost of this attack at 18 million dollars. 10 million in immediate recovery costs and 8 million in fees that didn’t get collected or were collected late.
As previously stated, the discovery of EternalBlue within the attack forensics was confirmed by all four contractors hired to study the attack and restore computer services. It is interesting however that the operator of Robbinhood tweeted on June 3rd that EternalBlue was NOT used. There are a few reasons why the group might not be telling the truth. Check out the speculation here: https://arstechnica.com/information-technology/2019/06/baltimore-ransomware-perp-pinky-swears-he-didnt-use-nsa-exploit/
Also check out our Managed Security offering for more information on services Volta provides to protect against unfortunate events like this. https://voltainc.com/security/security-as-a-service/
The Daily by The New York Times
“How a Secret U.S. Cyberweapon Backfired”
June 4, 2019