The Daily - How a Secret U.S. Cyberweapon Backfired

Episode Date: June 4, 2019

A criminal group has held computer systems for the city of Baltimore hostage for nearly a month — paralyzing everything from email to the real estate market to the payment of water bills. But what residents don’t know is that a major component of the malware used to shut down the system was developed nearby by a federal government agency. Guest: Scott Shane, who covers national security and the U.S. intelligence community for The New York Times. For more information on today’s episode, visit nytimes.com/thedaily. Background reading: People involved in the investigation say the N.S.A. tool, EternalBlue, was found in Baltimore’s network by four contractors hired to restore computer services. The N.S.A. says that’s not the case. Cybercriminals have been targeting other vulnerable American towns and cities, from Pennsylvania to Texas, in ways that could disrupt local governments for months.

Transcript
Starting point is 00:00:00 From The New York Times, I'm Michael Barbaro. This is The Daily. Today, a group of online criminals has held the city of Baltimore's computer system hostage for nearly a month, paralyzing basic government functions. The software used to shut the system down was developed by a government agency just a few miles away. It's Tuesday, June 4th.
Starting point is 00:00:37 So the National Security Agency was founded in 1952. There were earlier eavesdropping agencies, but that was sort of the post-World War II creation of one big agency to do all kinds of electronic intercepts. Any way that foreigners of interest communicate, NSA tries to get there and collect. Scott Shane covers national security for The Times. And in perhaps the last 20 years, they have created a hacking team that would break into foreign computer networks and collect intelligence. And that sort of sets the backdrop to what's happening today.
Starting point is 00:01:23 The way NSA breaks into foreign computer networks is it first hunts for vulnerabilities, as they're called, in commonly used software. And very often these vulnerabilities are in Windows. It's extremely widely used around the world, including by governments, by foreign governments, which are often the target. But it's used by terrorist groups, foreign diplomats, foreign militaries. Even terrorists use Windows. Even terrorists use Windows. When NSA discovers a vulnerability these days, it goes to a sort of committee overseen by the White House representing a bunch of different agencies.
Starting point is 00:02:06 And there's a debate that takes place over whether NSA should be allowed to keep the vulnerability secret or should really report it to the software maker so that they can come up with a patch and make their software more secure. So they found a particular vulnerability probably eight or nine years ago, and they gave the vulnerability the name EternalBlue. And when the NSA discovers EternalBlue, do they decide to tell Microsoft about it, about this vulnerability in their own software? No, they don't. If they told Microsoft, Microsoft would put out, you know, one of those Windows updates. So they would have put out a patch for EternalBlue and essentially covered over this security hole in Windows. So they didn't tell Microsoft. And so EternalBlue
Starting point is 00:03:07 became actually one of NSA's go-to tools for collecting intelligence. You know, they could kind of crawl in the upstairs window and rummage around and take what they wanted, and no one was the wiser. Because this is all secret, we don't know, but it's certainly conceivable that somebody in al-Qaeda or ISIS was using Windows on a machine, that NSA broke into one of those machines and learned something crucial about a forthcoming attack, for example. You know, we don't know, I'm just speculating here. But we were told that this tool was extremely effective in espionage and counterterrorism. So the NSA keeps EternalBlue a secret for at least five years until 2016, when something dire and shocking occurs. A group calling itself the Shadow Brokers,
Starting point is 00:04:10 that's never been heard of before, suddenly pops up on the web and they announce that they have a lot of NSA's hacking tools, which are, of course, extremely secret, extremely carefully protected. And they are now going to auction them off online. Wow. They make this announcement in a kind of strange, broken English. Attention, government sponsors of cyber warfare and those who profit from it. How much you pay for enemies' cyber weapons. You enjoy. You break many things. You find many intrusions. You write many words, but not all. We are auctioned the best files. So there's this sort
Starting point is 00:04:56 of strange in-your-face aspect of this, that not only have we stolen the crown jewels here, but we're sort of having fun with them and trying to make a little money. And does this auction work? Are people bidding on it? The auction is not going so well. Not surprisingly, perhaps, purchasers seem wary of this situation. You don't really want to tick off NSA. Right. So they don't appear to get a lot of
Starting point is 00:05:26 purchasers of these cyber tools. And at one point they say, the Shadow Brokers is trying auction. People's no like. The Shadow Brokers is trying crowdfunding. People's is no liking. Now the Shadow Brokers is trying direct sales. So they're sort of telling the story of their startup business, and things aren't going so well. So in April of 2017, presumably frustrated that they're not going to make a lot of money off this, they just dump all these hacking tools onto the Internet. The New York Times reports a massive security breach has shaken the National Security Agency to its core. A group calling themselves Shadow Brokers posted two major files online. One is a cybercrime free
Starting point is 00:06:18 for all of tools and techniques the NSA has compiled to break past computer system firewalls. The other is an advanced set of cyber weapons. Wow, they just give it away. They give it away. It could be the National Security Agency's most significant leak of secrets since Edward Snowden blew the lid off the group's surveillance tactics in 2013. Kind of like WikiLeaks style. Except that this is not information.
Starting point is 00:06:43 It's very dangerous internet tools. And one of the most significant of them is the one called EternalBlue. Now, I should say that about a month before Shadow Brokers released all these tools, including EternalBlue, NSA apparently contacted Microsoft and said, geez, there's something you ought to know. And so thankfully, Microsoft is able to create a fix before it goes completely public through the Shadow Brokers. But the problem is, and anyone knows this who uses Windows, you get that thing that says, you know, Windows updates are now available. And some of them might even say critical Windows updates, security updates. But you get busy with stuff. You got other things going on.
Starting point is 00:07:37 Or you minimize the box and drag it down to the corner and just kind of hope it goes away. And you say, yeah, I'll do that next week. And that even happens in large companies and institutions, in governments. And so, you know, people kick this down the road. Many, many, many Windows, you know, computers around the world were protected.
Starting point is 00:07:58 People installed the patch, ran this update, but many, many were not. And sure enough, a massive cyber attack now being described as unprecedented in its sheer size. On a Friday in May of 2017, Britain's National Health Service computers were the first to be hit Friday morning, forcing hospital emergency rooms to shut down, stopping surgeries. A computer is infected with something that comes to be known as WannaCry. This is a screenshot of what the virus dubbed WannaCry looked like. Hackers exploited this weak point to infect Windows computers with ransomware through spam email or attachments.
Starting point is 00:08:56 Your computer screen suddenly goes blank and there's a message on the screen and it says you have to pay X amount or we will destroy your files. And within a day, it spreads to computers in 150 countries. A massive cyber attack has crippled computers, grounded airlines, and pretty much halted shipping around the world. It affected all types of industries, from the FedEx Corporation in the U.S. to the Russian Interior Ministry to the French carmaker Renault to British hospitals and medical centers.
Starting point is 00:09:21 Pharmaceutical giant Merck tweeted that its computer network was compromised and people couldn't even get in the building. They were sent home. Turns out behind this attack was North Korean intelligence, and one of the main tools that they were using was EternalBlue. Huh.
Starting point is 00:09:39 Then later in 2017... Yet another massive cyber attack hit organizations across the developed world today. The attack involved malware known as Petya, locking victims' computers and asking them to pay a Bitcoin ransom of $300. There are corporations that report hundreds of millions of dollars of damages. The disruption spread to several companies, including Merck, WPP, and Rosneft. That one is traced to Russian intelligence, and that one, too, is using EternalBlue.
Starting point is 00:10:17 So how did all of these countries and victims deal with this attack? Did they pay the ransoms? You know, we don't know for sure. I've been told by people who do, you know, cybersecurity consulting that it's very common if a ransomware attack occurs against a company and it is not public knowledge for the company to make a payment in hopes of unlocking their files and making the whole thing go away. And ultimately, the cost of repairing your system, replacing your files, setting up backups, and so on, is usually much greater than the amount of money that's demanded by the attackers. So in 2017, the story of EternalBlue and the other stolen NSA hacking tools sort of faded from the news for the most part.
Starting point is 00:11:12 FBI and NSA still had not found the Shadow Brokers. But then the same tool began to turn up in American cities and finally, right in NSA's own backyard. We'll be right back. Okay, Scott, before we get into this recent attack in Baltimore, bring us up to speed on what's been happening there over the past few months. Well, I think it's fair to say that the last thing Baltimore needed in 2019 was a cyber attack. Now to the scandal rocking the city of Baltimore. FBI agents raiding the home and offices of Mayor Catherine Pugh.
Starting point is 00:11:53 It had just undergone a pretty unusual corruption scandal. Folks, the political career of Catherine Pugh is over. Former Democratic Mayor Catherine Pugh was considered a reformer, but nobody saw the children's book kickback scandal coming. The mayor, Catherine Pugh, had been writing a series of books about a character she called Healthy Holly. In fairness, it was a pretty novel scam. You see, the mayor decided to self-publish a series of children's books called Healthy Holly.
Starting point is 00:12:24 Nothing wrong there. Granted, there were some quality control issues, like having one of the main characters' names misspelled along with the word vegetable. But hey, this wasn't a crime against grammar. These books weren't selling. She hadn't really found an audience for them until she discovered that she could sell hundreds of thousands of dollars worth of them to nonprofit organizations that she had connections
Starting point is 00:12:47 to, notably a hospital system on whose board she served. In total, her business took in about $800,000 in sales. I think the last Baltimore author who got a deal that good was the late Tom Clancy. It was unclear with what motive unless they were trying to win influence with the mayor of Baltimore. And I sincerely want to say that I apologize that I've done something to upset the people of Baltimore that I love and care about. This morning, Baltimore has a new mayor. Jack Young says his predecessor's resignation will only make the city stronger. The past few weeks have been painful and traumatizing for all of us. Like each
Starting point is 00:13:30 of you, I am utterly heartbroken. We're going to make sure that the city moves forward. So we're going to keep this city moving and we're going to get things done. So tell me about this attack. So on the morning of May 7th, city workers go to their offices as usual. And in the Department of Public Works, people are beginning their day and suddenly on their screens, whatever they're working on disappears. And there's a message. And it says, we've watching you for days. We won't talk more. All we know is money. Hurry up. Tick, tack, tick, tack, tick, tack. Tick, tock? Exactly. Presumably this is not originating with a native speaker of English, but who knows?
Starting point is 00:14:22 Right. So this appears on computer screens all over the city. It spreads from the Department of Public Works across all of the departments of city government, and people suddenly don't have access to their computers. They don't have email. For a while, the phones stop working, and a lot of the functions of city government are paralyzed. The attack ground real estate transactions to a halt. Prompting city employees to work 12-hour shifts in order to conduct all their day-to-day city business via phone and even in person. Residents today still unable to pay water bills, tickets, taxes, and close real estate deals online.
Starting point is 00:15:07 And folks are fed up. A red light and a parking ticket. Now I have to come tomorrow. And if it's not working tomorrow, then I have to come day after tomorrow also. My car was stolen. I need to pay the ticket so they can release my car. stolen. I need to pay the ticket so they can release my car. There were health alerts that didn't go out about disease outbreaks and bad batches of drugs. It's kind of pouring molasses into the works of city government. Whoever's responsible is demanding 13 bitcoins or some $100,000 to unlock the system. In this case, targeting a very vulnerable target, a U.S. city.
Starting point is 00:15:44 Scott, I'm just curious. Why would whoever did this target a city and a kind of medium city without a ton of money at that? Not a billion-dollar corporation that would probably not think much of paying off this ransom. What exactly is the idea of this target? So, you know, sophisticated operations, big companies and so on, updated their software, patched their systems back in March of 2017. And so there's a dwindling number of Windows computers that are vulnerable to an attack that uses EternalBlue. And now, more recently, in the last year or so,
Starting point is 00:16:28 there's been quite a few attacks on American cities. Local governments, without a lot of spare money, often without a lot of sophistication about IT and Internet security, they provide a lot of services to the public. So presumably the criminals are thinking as they attack local governments, there'll be a lot of pressure to get these systems up and running again.
Starting point is 00:16:52 So maybe we can squeeze a ransom payment out of these guys and their systems aren't patched. And give me a sense of what is significant specifically about Baltimore. Well, if you think about EternalBlue, born years ago at Fort Meade, Maryland on the NSA campus, well, that's about a 15-minute drive from Baltimore. Lots of NSA employees. NSA has a huge workforce and lots of NSA employees live in the city of Baltimore
Starting point is 00:17:26 and in its southern suburbs. So essentially EternalBlue, you know, made its way around the world and then came home. What have you heard, Scott, from the NSA? Well, the NSA, whose name has sometimes been interpreted as Never Say Anything or No Such Agency, has true to form said nothing. The big picture here is that they've said nothing since the Shadow Brokers first popped up and said, we have a bunch of NSA tools in 2016. They really haven't been held publicly accountable for the loss of this big chunk of their arsenal. And why is that exactly? My sense is that there are ways that Congress and lawmakers can hold NSA officials responsible in kind of closed-door ways that will not compromise
Starting point is 00:18:21 national security. Isn't that why we have these secure rooms in the basement of the Capitol? There have been questions asked of NSA officials in closed hearings, but none of this has become public. And NSA correctly says that its entire cyber espionage program is classified and that it's actually illegal to talk about it in public. But I think in this instance, it's a situation in which at some point you kind of have to ask,
Starting point is 00:18:52 is the NSA using classification, sort of official secrecy, to avoid responsibility for what has really become a disastrous saga in the history of the agency? You know, these are or can be very dangerous weapons. And if the NSA is unable to keep them safe, you know, it raises all kinds of questions about the costs and benefits of these operations. And part of the problem here is that at least as far as we've been able to determine, the FBI and NSA have to this day not determined who the Shadow Brokers are or how they obtained these hacking tools. We still don't know the answer to those questions, so we don't really know how negligent NSA was, and therefore we, you know, what the lessons are and whether they have been learned. So now it's been nearly a month since this attack in Baltimore. Where is the city? What kind of shape is it in? Well, the new acting mayor, Jack Young, made the decision not
Starting point is 00:19:58 to pay the ransom. No, I will not pay a ransom to anybody. No. And the city hired a number of cybersecurity contractors to come in and assess the damage and try to figure out how to work their way out of it. And I'm told that as of Wednesday of last week, employees, city employees began to get their email back. How much in the end do you think this will cost the city? City budget officials at a hearing last week estimated the cost at more than $18 million. I think about $10 million in immediate recovery costs and about $8 million in fees that they didn't collect or collected late as a result of the shutdown. So particularly compared with the ransom of $100,000, that's a lot of money. For a city like Baltimore, that is real money. And there's a particular irony and particular
Starting point is 00:20:52 pain to Baltimore being attacked by tools made at NSA. While we have had trying times recently, I'm confident we will prevail. I would like to thank our federal and state partners for working closely with us as we work to fix a virus that has affected the city's network of computer service. But the people of Baltimore, much like our great city, are made tough. I don't know nobody else that's more resilient than Baltimore. Scott, thank you very much. And as someone who lives
Starting point is 00:21:41 in the Baltimore region, I wish you good luck. Thank you, Michael. Since we spoke with Scott, a Maryland congressman said he was informed by the NSA that EternalBlue was not used in the ransomware attack on Baltimore. In a story following up on that claim, Scott and fellow Times reporter Nicole Perlroth stood by their reporting,
Starting point is 00:22:12 writing that sources directly involved in the investigation told them that all four contractors hired to study what happened in Baltimore had discovered EternalBlue. The NSA, however, has declined to publicly comment. We'll be right back. Here's what else you need to know today. President Trump began a highly anticipated state visit to Britain on Monday with a series of tweets sent while still in the air,
Starting point is 00:23:00 insulting the mayor of London, whom the president called a, quote, stone-cold loser. The mayor, Sadiq Khan, appeared to provoke the president's anger by calling on British Prime Minister Theresa May to denounce Trump's policies and conduct ahead of the visit, something May did not do. After arriving in London, the president traveled to Buckingham Palace, where he met with Prince Charles and his wife Camilla,
Starting point is 00:23:37 and with Queen Elizabeth. That's it for The Daily. I'm Michael Barbaro. See you tomorrow.