The National Security Agency told Rep. C. A. Dutch Ruppersberger on Friday that a hacking tool the agency is believed to have created was not a factor in the Baltimore ransomware attack, the congressman said.
The agency’s contention that the EternalBlue tool wasn’t used in the incident contradicts a New York Times report published May 25. The Times cited security experts briefed on the case and reported that “a key component of the malware that cybercriminals used in the attack” was developed by the NSA.
“I have been told that there is no evidence at this time that EternalBlue played a role in the ransomware attack currently affecting Baltimore city,” Ruppersberger said in a statement. “I’m told it was not used to gain access nor to propagate further activity within the network.”
Following the Times report, Democratic Mayor Bernard C. “Jack” Young and Democratic City Council President Brandon Scott said they would seek federal money to cover some portion of the estimated $18.2 million the attack will cost the city.
Lester Davis, a spokesman for Young, declined to say whether the city’s investigators had found any evidence of the tool being used, citing an ongoing federal investigation into the incident.
The NSA and FBI declined to comment.
A spokeswoman for the Times said the paper was confident about the accuracy of its initial report and in a new article published late Friday, the Times provided more detail about the Baltimore incident. The paper reported that people directly involved in the Baltimore investigation said four contractors hired by the city had found EternalBlue in the city’s systems.
“The leading theory is that hackers broke in through an open server in Baltimore’s network, installed a back door and then used EternalBlue to move across the city’s computers searching for valuable servers to infect,” the Times reported.
Contractors discovered an additional tool called a “web shell” on the city’s network that investigators believe might have been used in conjunction with EternalBlue and another hacking technique, the Times reported.
EternalBlue, which relies on a vulnerability in Microsoft software, was posted online in 2017 by a group calling itself the Shadowbrokers. The NSA has never acknowledged creating EternalBlue, but security experts and former agency employees have said they’re confident the leaked tool originated with the spy agency.
The leak renewed a debate about whether and when the NSA should disclose security flaws it discovers. The agency can use them to gain intelligence to protect the country, but keeping the flaws secret runs the risk that criminals or foreign governments also know about them and can use them to attack computers in the U.S.
Microsoft issued a patch in 2017 to resolve the vulnerability. That led some experts to blame Baltimore’s IT teams for leaving the city vulnerable two years later, if EternalBlue was involved.
Scott issued a statement late on May 25, calling on Republican Gov. Larry Hogan to ask federal authorities to declare the ransomware attack a federal disaster, which would unlock funding. On Friday, Scott said he stood by his call for help from the federal government.
Asked whether he knew if the NSA-linked tool was used in the incident, Scott said a cybersecurity committee he appointed would get to the bottom of the issue.
“We aim to get answers about everything related to the event, from the origin to the rebuild,” Scott said.
Rob Joyce, a senior NSA official, discussed the Times article in oblique terms Thursday at a conference in Washington.
“The characterization that there’s an indefensible nation-state tool propagating ransomware is simply untrue,” Joyce said, according to news site NextGov.
“Focusing on a single exploit, especially one that has a solution through a patch that was issued years ago, is really shortsighted,” he said. “Vulnerabilities will continue to be found. Doing the basics is required for responsible network administration.”
In his statement, Ruppersberger said that even if the leaked tools were not used in Baltimore, the federal government needs to do more to help local governments bolster their defenses.
“It’s easy to suggest that leaked cyber tools are worthless with proper patches and good cyber hygiene,” Ruppersberger said. “But the reality is that patching can be hard and requires resources that many municipalities don’t have.”