Stanford CIS

Cybercriminals have just mounted a massive worldwide attack. Here’s how NSA secrets helped them.

By Henry Farrell on

Computers around the world are suffering an attack from malicious software. The compromised computers have been hit by “ransomware” — software that encrypts the computer’s hard drive so that all the information on it is unavailable, and refuses to release it until a ransom is paid in Bitcoin, an online currency that is difficult to trace. Among the victims are FedEx, Britain’s National Health Service and computers belonging to Russia’s Ministry of the Interior.

Ransomware attacks have happened before. What is unusual is how quickly this attack is compromising large numbers of critical computers. It has been so successful because it has made use of a so-called “zero-day exploit” — a previously unknown flaw in Windows software that makes it easy to take control of vulnerable systems. This zero-day exploit became publicly known last month, when it was released as part of a treasure trove of National Security Agency data by the “Shadow Brokers,” a shadowy group of hackers who many believe are associated with Russian intelligence. Criminal hackers appear to have combined this exploit with ransomware tools to mount a worldwide campaign.

Here’s what you need to know to understand what happened:

The NSA collects zero-day exploits

One of the NSA’s key functions is to spy on intelligence targets in other countries. This, very often, involves compromising their computer systems. Hence, zero-day exploits for commonly used software, such as Windows, are potentially very valuable to the NSA and to its rival intelligence agencies. Big, complex pieces of software such as operating systems have a myriad of bugs, some of which can allow outsiders to take control of computers running the software. Such exploits can be used to gain surreptitious control of computers or other devices running that software, scoop up information, or even turn computers or phones into silent spying devices by, for example, taking control of their cameras and microphones. There are even clandestine markets where zero-day exploits are bought and sold.

But the NSA has a dual role

The complicating factor for the NSA is that it is not only supposed to hack into the computers of interesting foreigners — it is also supposed to protect the computers of U.S. citizens and firms from outside attacks. This poses problems, because foreigners and U.S. citizens tend to use the same kinds of software, and to be subject to the same kinds of attack. Every time the NSA discovers a new vulnerability, it is supposed to go through an “equities process,” in which it determines whether it is better to disclose the vulnerability to software companies (so that U.S. citizens, firms and the government can be protected) or keep it for its own use (so that it can compromise foreign systems).

When the NSA discloses the vulnerability, the creators of the software can modify the software through a “patch,” which can then be downloaded by users to close the vulnerability. When the NSA doesn’t disclose it, nothing gets done unless someone independently discovers the problem (or the hole gets closed inadvertently thanks to other changes). When Microsoft, Apple or Google make you update your computer or phone operating system (or else suffer a series of annoying reminders), they are sometimes patching real vulnerabilities.

This zero-day exploit was kept by the NSA

The Shadow Brokers leak revealed a number of NSA documents, including zero-day exploits that were previously unknown to the general public. Importantly, the Shadow Brokers leaked the files they had compromised in multiple stages, saving the zero-day exploits for a later release, which happened a couple of months later. Although no one is saying so in public, it appears likely that the NSA contacted Microsoft as soon as it realized that the zero-day exploits had been compromised by hostile actors. Certainly — contrary to initial reports — Microsoft patched its software soon after the initial Shadow Brokers release in ways that suggested the company had become aware of the vulnerabilities. This meant that when the zero-day exploits were released last month, people with up-to-date installations of the relevant version of Windows were already protected against these particular zero-day attacks.

Read the full piece at The Washington Post.