The NSA used the EternalBlue exploit, which is at the heart of WannaCry, for its own purposes for five years before disclosing the underlying vulnerability to Microsoft. The main reason for the disclosure was that public exposure of the exploit could have very serious and widespread consequences, given the vast number of vulnerable devices exploitable in the wild (which is exactly what happened when it was repackaged with self-propagating ransomware code).
Some NSA officials, as reported by The Washington Post, discussed how dangerous the exploit was while deliberating on whether to disclose the issue to Microsoft. The intelligence haul from the exploit was described by a former NSA employee as “unreal”.
“It was like fishing with dynamite,” said a second.
Brad Smith, Microsoft’s President, compared the NSA’s failure to keep the code secured to “the U.S. military having some of its Tomahawk missiles stolen”.
This is not an isolated incident: the agency suffered a massive data exfiltration in 2013 when contractor Edward Snowden leaked large amounts of secret documents.
A timeline analysis on how we got to the WannaCry ransomware situation we’re currently facing is summarized below:
- About 5 years ago: NSA develops the initial exploit for a zero-day vulnerability dubbed “EternalBlue”
  During the early iterations of EternalBlue, it was prone to making systems crash, so it was nicknamed EternalBlueScreen, after the infamous Blue Screen of Death (BSoD) that Windows systems display when they encounter a fatal system error. Over time the NSA made upgrades to “EternalBlue” to mitigate the BSoD issues.
- Spring 2014: Obama administration kicks off a new process to vet vulnerabilities among the FBI, the NSA, the CIA, and the Department of Homeland Security
- August 2016: ShadowBrokers dump a set of exploits, of which EternalBlue was a part.
  Note: These hacking tools are identical to those breached by former NSA contractor Harold T. Martin III, according to former officials.
- October 2016: Harold Martin is arrested after the FBI finds massive amounts of classified data collected from various agencies.
- Between October and January 2016: NSA discloses the vulnerability to Microsoft
- January 2016: ShadowBrokers announce the auction of dozens of NSA tools
- February 2016: Microsoft abruptly cancels February’s scheduled patch release over “last minute issues”
- March 2017: Microsoft releases security bulletin MS17-010, which addresses the SMB vulnerability used by the WannaCry ransomware
- May 2016: WannaCry is deployed and causes massive havoc worldwide
The question we should be asking is: what if the Shadow Brokers had released this exploit back in 2014? An NSA employee described the risk as follows:
“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network and you can compromise everything.”
If that was the position of the DoD as described above, how much more devastating would an earlier leak of this exploit have been to the rest of the world (financial, critical nationwide infrastructure, medical facilities, service industries, etc.)?